diff --git a/helm/values/nginx-internal.values.yaml b/helm/values/nginx-internal.values.yaml deleted file mode 100644 index 674d291..0000000 --- a/helm/values/nginx-internal.values.yaml +++ /dev/null @@ -1,57 +0,0 @@ -controller: - replicaCount: 3 - nodeSelector: - nodepool: worker - labels: - app: nginx-internal - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - app: nginx-internal - ingressClassResource: - name: nginx-internal - enabled: true - default: true - controllerValue: "k8s.io/ingress-nginx" - parameters: {} - ingressClass: nginx-internal - service: - annotations: - external-dns.alpha.kubernetes.io/hostname: "dogar.dev" - extraVolumes: - - name: nix-cache - persistentVolumeClaim: - claimName: nix-cache - extraVolumeMounts: - - name: nix-cache - mountPath: /var/cache/nginx/nix - podSecurityContext: - fsGroup: 101 - config: - proxy-buffering: "on" - proxy-ssl-server-name: "true" - http-snippet: | - # Persistent on-disk cache; lives on the PVC - proxy_cache_path /var/cache/nginx/nix levels=1:2 keys_zone=cachecache:32m max_size=120g inactive=365d use_temp_path=off; - - # Only advertise cacheability for 200/302 - map $status $cache_header { - 200 "public"; - 302 "public"; - default "no-cache"; - } - server-snippet: | - location = /robots.txt { - default_type text/plain; - return 200 "User-agent: GPTBot\nDisallow: /\nUser-agent: CCBot\nDisallow: /\nUser-agent: *\nAllow: /\n"; - } -tcp: - 22: "homelab/gitea-ssh:22" - 25565: "minecraft/monifactory-server:25565" - 25566: "minecraft/gtnh-server:25565" - 25567: "minecraft/tfg-server:25565" - 25568: "minecraft/atm10-server:25565" - 25569: "minecraft/star-technology-server:25565" diff --git a/nginx/index.ts b/nginx/index.ts deleted file mode 100644 index 31bd78f..0000000 --- a/nginx/index.ts +++ /dev/null @@ -1,36 +0,0 @@ -import * as fs from "fs"; -import { HelmProvider } from "@cdktf/provider-helm/lib/provider"; -import { Release } from "@cdktf/provider-helm/lib/release"; -import { Construct } from "constructs"; - -import { NixCache } from "./nix-cache"; - -type NginxOptions = { - provider: HelmProvider; - name: string; - namespace: string; -}; - -export class Nginx extends Construct { - constructor(scope: Construct, id: string, options: NginxOptions) { - super(scope, id); - - new Release(this, id, { - ...options, - repository: "https://kubernetes.github.io/ingress-nginx", - chart: "ingress-nginx", - createNamespace: true, - values: [ - fs.readFileSync("helm/values/nginx-internal.values.yaml", { - encoding: "utf8", - }), - ], - }); - - new NixCache(this, "nix-cache", { - namespace: options.namespace, - host: "nix.dogar.dev", - ingressClassName: "nginx-internal", - }); - } -} diff --git a/nginx/nix-cache.ts b/nginx/nix-cache.ts deleted file mode 100644 index 2054d1d..0000000 --- a/nginx/nix-cache.ts +++ /dev/null @@ -1,105 +0,0 @@ -import { Construct } from "constructs"; -import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1"; -import { IngressV1 } from "@cdktf/provider-kubernetes/lib/ingress-v1"; -import { PersistentVolumeClaimV1 } from "@cdktf/provider-kubernetes/lib/persistent-volume-claim-v1"; - -export interface NixCacheProps { - namespace: string; - host: string; - ingressClassName?: string; - externalName?: string; -} - -export class NixCache extends Construct { - constructor(scope: Construct, id: string, props: NixCacheProps) { - super(scope, id); - - const { - namespace, - host, - ingressClassName: ingressClass = "nginx-internal", - externalName: upstreamHost = "cache.nixos.org", - } = props; - - // 1) ExternalName Service -> cache.nixos.org - new ServiceV1(this, "nixcache-upstream-svc", { - metadata: { - name: "nixcache-upstream", - namespace, - }, - spec: { - type: "ExternalName", - externalName: upstreamHost, - }, - }); - - // 2) Ingress that targets the ExternalName Service over HTTPS:443 - new IngressV1(this, "nixcache-ingress", { - metadata: { - name: "nix-cache", - namespace, - annotations: { - // Use the cache zone defined in controller.config.http-snippet - "nginx.ingress.kubernetes.io/proxy-cache": "cachecache", - "nginx.ingress.kubernetes.io/proxy-cache-valid": "200 302 60d", - "nginx.ingress.kubernetes.io/proxy-cache-lock": "true", - "nginx.ingress.kubernetes.io/proxy-buffering": "on", - - // Upstream is HTTPS with SNI and a fixed Host header - "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS", - "nginx.ingress.kubernetes.io/proxy-ssl-server-name": "true", - "nginx.ingress.kubernetes.io/upstream-vhost": upstreamHost, - - // Use cert-manager to provision TLS certs via Cloudflare - "cert-manager.io/cluster-issuer": "cloudflare-issuer", - "cert-manager.io/acme-challenge-type": "dns01", - "cert-manager.io/private-key-size": "4096", - }, - }, - spec: { - ingressClassName: ingressClass, - rule: [ - { - host, - http: { - path: [ - { - path: "/", - pathType: "Prefix", - backend: { - service: { - name: "nixcache-upstream", - port: { number: 443 }, - }, - }, - }, - ], - }, - }, - ], - tls: [ - { - hosts: [host], - secretName: "nix-cache-tls", - }, - ], - }, - }); - - // 3) PersistentVolumeClaim for caching - new PersistentVolumeClaimV1(this, "nix-cache-pvc", { - metadata: { - name: "nix-cache", - namespace, - }, - spec: { - accessModes: ["ReadWriteMany"], - resources: { - requests: { - storage: "128Gi", - }, - }, - }, - }); - } -}