fix: Gitea | add ssh tcp ingress route for traefik

feat: DevPy | switch ingress to traefik
feat: NpmCache | swap ingress to traefik
2025-11-22 05:01:28 +05:00 · 2025-11-19 20:53:08 +05:00 · 2025-11-19 20:44:28 +05:00 · 2025-11-19 20:44:16 +05:00 · 2025-11-19 20:44:05 +05:00 · 2025-11-19 20:21:55 +05:00
10 changed files with 91 additions and 30 deletions
--- a/devpy/manifest.yaml
+++ b/devpy/manifest.yaml
@@ -82,10 +82,24 @@ spec:
      protocol: TCP
  type: ClusterIP
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: devpi
  namespace: homelab
 spec:
  ipAllowList:
    sourceRange:
      - "127.0.0.1/32"
      - "10.43.0.0/16"
  rateLimit:
    average: 10
    burst: 50
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: devpi-ingress
+  name: devpi
  namespace: homelab
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
@@ -93,12 +107,10 @@ metadata:
    cert-manager.io/acme-challenge-type: "dns01"
    cert-manager.io/private-key-size: "4096"
-    # NGINX IP-based rate limiting
+    # Traefik Middleware
-    nginx.ingress.kubernetes.io/limit-rps: "10"
+    traefik.io/router.middlewares: "devpi@kubernetescrd"
    nginx.ingress.kubernetes.io/limit-burst-multiplier: "5"
    nginx.ingress.kubernetes.io/limit-whitelist: "127.0.0.1"
 spec:
-  ingressClassName: nginx-internal
+  ingressClassName: traefik
  tls:
    - hosts:
        - pip.dogar.dev
--- a/gitea/index.ts
+++ b/gitea/index.ts
@@ -2,9 +2,14 @@ import * as fs from "fs";
 import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
 import { Release } from "@cdktf/provider-helm/lib/release";
 import { Construct } from "constructs";
 import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
 import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
 type GiteaServerOptions = {
-  provider: HelmProvider;
+  providers: {
    helm: HelmProvider;
    kubernetes: KubernetesProvider;
  };
  name: string;
  namespace: string;
  r2Endpoint: string;
@@ -14,8 +19,11 @@ export class GiteaServer extends Construct {
  constructor(scope: Construct, id: string, options: GiteaServerOptions) {
    super(scope, id);
    const { kubernetes, helm } = options.providers;
    new Release(this, id, {
      ...options,
      provider: helm,
      repository: "https://dl.gitea.com/charts",
      chart: "gitea",
      createNamespace: true,
@@ -31,5 +39,31 @@ export class GiteaServer extends Construct {
        }),
      ],
    });
    new Manifest(this, `${id}-ssh-ingress`, {
      provider: kubernetes,
      manifest: {
        apiVersion: "traefik.io/v1alpha1",
        kind: "IngressRouteTCP",
        metadata: {
          name: "gitea-ssh-ingress",
          namespace: options.namespace,
        },
        spec: {
          entryPoints: ["ssh"],
          routes: [
            {
              match: "HostSNI(`*`)",
              services: [
                {
                  name: `${options.name}-ssh`,
                  port: 22,
                },
              ],
            },
          ],
        },
      },
    });
  }
 }
--- a/helm/values/authentik.values.yaml
+++ b/helm/values/authentik.values.yaml
@@ -93,11 +93,7 @@ server:
      cert-manager.io/cluster-issuer: cloudflare-issuer
      cert-manager.io/acme-challenge-type: dns01
      cert-manager.io/private-key-size: "4096"
-      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    ingressClassName: traefik
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
    ingressClassName: nginx-internal
    https: true
    hosts:
      - auth.dogar.dev
    tls:
--- a/helm/values/externaldns.values.yaml
+++ b/helm/values/externaldns.values.yaml
@@ -1,6 +1,6 @@
 global:
  security:
-    allowInsecureImages: true # needed for ghcr.io images
+    allowInsecureImages: true # needed for non-official images
 image:
  registry: docker.io
  repository: bitnamilegacy/external-dns
@@ -27,6 +27,7 @@ serviceAccount:
  name: "external-dns"
 ingressClassFilters:
  - nginx-internal
  - traefik
 metrics:
  enabled: false
  serviceMonitor:
--- a/helm/values/gitea.values.yaml
+++ b/helm/values/gitea.values.yaml
@@ -15,15 +15,8 @@ ingress:
    cert-manager.io/cluster-issuer: cloudflare-issuer
    cert-manager.io/acme-challenge-type: dns01
    cert-manager.io/private-key-size: 4096
-    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    traefik.io/service.scheme: https
-    nginx.ingress.kubernetes.io/proxy-request-buffering: off
+  className: traefik
    nginx.ingress.kubernetes.io/proxy-buffering: off
    nginx.ingress.kubernetes.io/proxy-body-size: 0
    nginx.ingress.kubernetes.io/proxy-read-timeout: 3600
    nginx.ingress.kubernetes.io/proxy-send-timeout: 3600
    nginx.ingress.kubernetes.io/client-body-timeout: 3600
    nginx.ingress.kubernetes.io/proxy-connect-timeout: 3600
  className: nginx-internal
  hosts:
    - host: git.dogar.dev
      paths:
--- a/helm/values/longhorn.values.yaml
+++ b/helm/values/longhorn.values.yaml
@@ -17,7 +17,7 @@ metrics:
    enabled: true
 ingress:
  enabled: true
-  ingressClassName: nginx-internal
+  ingressClassName: traefik
  host: longhorn.dogar.dev
  tls: true
  tlsSecretName: longhorn-tls
--- a/helm/values/prometheus.values.yaml
+++ b/helm/values/prometheus.values.yaml
@@ -2,7 +2,7 @@ grafana:
  enabled: true
  ingress:
    enabled: true
-    ingressClassName: nginx-internal
+    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: cloudflare-issuer
      cert-manager.io/acme-challenge-type: dns01
--- a/helm/values/traefik.values.yaml
+++ b/helm/values/traefik.values.yaml
@@ -16,3 +16,13 @@ topologySpreadConstraints:
    labelSelector:
      matchLabels:
        app: traefik
 additionalArguments:
  - "--entryPoints.ssh.address=:22/tcp"
 ports:
  ssh:
    name: ssh
    port: 22
    exposedPort: 22
    expose:
      default: true
    protocol: TCP
--- a/main.ts
+++ b/main.ts
@@ -142,7 +142,10 @@ class Homelab extends TerraformStack {
    const gitea = new GiteaServer(this, "gitea-server", {
      name: "gitea",
      namespace,
-      provider: helm,
+      providers: {
        helm,
        kubernetes,
      },
      r2Endpoint: `${env.ACCOUNT_ID}.r2.cloudflarestorage.com`,
    });
--- a/npmcache/manifest.yaml
+++ b/npmcache/manifest.yaml
@@ -114,6 +114,20 @@ spec:
      targetPort: 4873
  type: ClusterIP
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: verdaccio
  namespace: homelab
 spec:
  ipAllowList:
    sourceRange:
      - "127.0.0.1/32"
      - "10.43.0.0/16"
  rateLimit:
    average: 10
    burst: 50
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -124,12 +138,10 @@ metadata:
    cert-manager.io/acme-challenge-type: "dns01"
    cert-manager.io/private-key-size: "4096"
-    # NGINX IP-based rate limiting
+    # Traefik Middleware
-    nginx.ingress.kubernetes.io/limit-rps: "10"
+    traefik.io/router.middlewares: "verdaccio@kubernetescrd"
    nginx.ingress.kubernetes.io/limit-burst-multiplier: "5"
    nginx.ingress.kubernetes.io/limit-whitelist: "127.0.0.1"
 spec:
-  ingressClassName: nginx-internal
+  ingressClassName: traefik
  tls:
    - hosts:
        - npm.dogar.dev
Author	SHA1	Message	Date
Shahab Dogar	11bf756add	fix: Gitea \| add ssh tcp ingress route for traefik	2025-11-22 05:01:28 +05:00
Shahab Dogar	2d93965900	feat: DevPy \| switch ingress to traefik	2025-11-19 20:53:08 +05:00
Shahab Dogar	5f83143d91	feat: NpmCache \| swap ingress to traefik	2025-11-19 20:44:28 +05:00
Shahab Dogar	55d3ba0acc	feat: Grafana \| swap ingress over to traefik	2025-11-19 20:44:16 +05:00
Shahab Dogar	53f414f97d	feat: Gitea \| swap ingress to traefik	2025-11-19 20:44:05 +05:00
Shahab Dogar	48d4950632	feat: Authentik \| swap ingress to traefik	2025-11-19 20:21:55 +05:00
Shahab Dogar	0dde41e79e	chore: ExternalDNS \| faster dns updates	2025-11-19 20:21:11 +05:00
Shahab Dogar	8955455af2	chore: Longhorn \| switch UI to traefik ingress	2025-11-19 20:05:09 +05:00
Shahab Dogar	451bbc6de0	feat: ExternalDNS \| add traefik ingresses to monitored dns names	2025-11-19 20:04:55 +05:00