From f00122f9b2dd500e68a50a94efbfa6d7cc90cb82 Mon Sep 17 00:00:00 2001 From: James Andariese Date: Sat, 12 Aug 2023 00:21:08 -0500 Subject: [PATCH] rewrite reseponse location headers to https --- ingress-shim/deploy.yaml | 4 + mastodon/application.yaml | 403 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 407 insertions(+) create mode 100644 mastodon/application.yaml diff --git a/ingress-shim/deploy.yaml b/ingress-shim/deploy.yaml index c21febe..cbd3d13 100644 --- a/ingress-shim/deploy.yaml +++ b/ingress-shim/deploy.yaml @@ -38,11 +38,15 @@ data: frontend https443 bind *:443 ssl crt /ssl-tmp/tls.pem http-request capture req.hdr(Host) len 255 + http-response replace-value Location http(://.*[.]werts[.]us/) https\1 + http-response replace-value Location http(://.*[.]strudelline[.]net/) https\1 default_backend httpnodes frontend proxy4443 bind *:4443 ssl crt /ssl-tmp/tls.pem accept-proxy http-request capture req.hdr(Host) len 255 + http-response replace-value Location http(://.*[.]werts[.]us/) https\1 + http-response replace-value Location http(://.*[.]strudelline[.]net/) https\1 default_backend httpnodes backend httpnodes diff --git a/mastodon/application.yaml b/mastodon/application.yaml new file mode 100644 index 0000000..ebaa549 --- /dev/null +++ b/mastodon/application.yaml @@ -0,0 +1,403 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: mastodon + namespace: argocd +spec: + destination: + name: in-cluster + namespace: mastodon + project: default + source: + path: . + repoURL: https://gitea.gitea.svc.cluster.local:3000/infra/mastodon-chart + targetRevision: main + helm: + values: | + image: + repository: ghcr.io/mastodon/mastodon + # https://github.com/mastodon/mastodon/pkgs/container/mastodon + # + # alternatively, use `latest` for the latest release or `edge` for the image + # built from the most recent commit + # + # tag: latest + tag: "latest" + # use `Always` when using `latest` tag + pullPolicy: IfNotPresent + + mastodon: + # -- create an initial administrator user; the password is autogenerated and will + # have to be reset + createAdmin: + # @ignored + enabled: false + # @ignored + username: not_gargron + # @ignored + email: not@example.com + cron: + # -- run `tootctl media remove` every week + removeMedia: + # @ignored + enabled: true + # @ignored + schedule: "0 0 * * 0" + # -- available locales: https://github.com/mastodon/mastodon/blob/main/config/application.rb#L71 + locale: en + local_domain: werts.us + # -- Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation + # You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described + # Example: mastodon.example.com + web_domain: mastodon.werts.us + # -- If set to true, the frontpage of your Mastodon server will always redirect to the first profile in the database and registrations will be disabled. + singleUserMode: false + # -- Enables "Secure Mode" for more details see: https://docs.joinmastodon.org/admin/config/#authorized_fetch + authorizedFetch: false + # -- Enables "Limited Federation Mode" for more detauls see: https://docs.joinmastodon.org/admin/config/#limited_federation_mode + limitedFederationMode: true + persistence: + assets: + # -- ReadWriteOnce is more widely supported than ReadWriteMany, but limits + # scalability, since it requires the Rails and Sidekiq pods to run on the + # same node. + accessMode: ReadWriteMany + resources: + requests: + storage: 10Gi + storageClassName: nfs + system: + accessMode: ReadWriteOnce + resources: + requests: + storage: 10Gi + storageClassName: local + s3: + enabled: false + access_key: "" + access_secret: "" + # -- you can also specify the name of an existing Secret + # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY + existingSecret: "mastodon-secrets-s3" + bucket: "mastodon" + endpoint: "https://minio.strudelline.net" + hostname: "" + region: "" + permission: "" + # -- If you have a caching proxy, enter its base URL here. + alias_host: "" + # these must be set manually; autogenerated keys are rotated on each upgrade + secrets: + secret_key_base: "" + otp_secret: "" + vapid: + private_key: "" + public_key: "" + # -- you can also specify the name of an existing Secret + # with keys SECRET_KEY_BASE and OTP_SECRET and + # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY + existingSecret: "mastodon-secrets-secrets" + sidekiq: + # -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext + podSecurityContext: {} + # -- (Sidekiq Container) Security Context for all Pods, overwrites .Values.securityContext + securityContext: {} + # -- Resources for all Sidekiq Deployments unless overwritten + resources: {} + # -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity + affinity: {} + # limits: + # cpu: "1" + # memory: 768Mi + # requests: + # cpu: 250m + # memory: 512Mi + workers: + - name: all-queues + # -- Number of threads / parallel sidekiq jobs that are executed per Pod + concurrency: 25 + # -- Number of Pod replicas deployed by the Deployment + replicas: 1 + # -- Resources for this specific deployment to allow optimised scaling, overwrites .Values.mastodon.sidekiq.resources + resources: {} + # -- Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity + affinity: {} + # -- Sidekiq queues for Mastodon that are handled by this worker. See https://docs.joinmastodon.org/admin/scaling/#concurrency + # See https://github.com/mperham/sidekiq/wiki/Advanced-Options#queues for how to weight queues as argument + queues: + - default,8 + - push,6 + - ingress,4 + - mailers,2 + - pull + - scheduler # Make sure the scheduler queue only exists once and with a worker that has 1 replica. + #- name: push-pull + # concurrency: 50 + # resources: {} + # replicas: 2 + # queues: + # - push + # - pull + #- name: mailers + # concurrency: 25 + # replicas: 2 + # queues: + # - mailers + #- name: default + # concurrency: 25 + # replicas: 2 + # queues: + # - default + smtp: + auth_method: plain + ca_file: /etc/ssl/certs/ca-certificates.crt + delivery_method: smtp + domain: + enable_starttls: 'auto' + from_address: notifications@example.com + return_path: + openssl_verify_mode: peer + port: 587 + reply_to: + server: smtp.mailgun.org + tls: false + login: + password: + # -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and + # password must be located in keys named `login` and `password` respectively. + existingSecret: mastdon-secrets-smtp + streaming: + port: 4000 + # -- this should be set manually since os.cpus() returns the number of CPUs on + # the node running the pod, which is unrelated to the resources allocated to + # the pod by k8s + workers: 1 + # -- The base url for streaming can be set if the streaming API is deployed to + # a different domain/subdomain. + base_url: null + # -- Number of Streaming Pods running + replicas: 1 + # -- Affinity for Streaming Pods, overwrites .Values.affinity + affinity: {} + # -- Pod Security Context for Streaming Pods, overwrites .Values.podSecurityContext + podSecurityContext: {} + # -- (Streaming Container) Security Context for Streaming Pods, overwrites .Values.securityContext + securityContext: {} + # -- (Streaming Container) Resources for Streaming Pods, overwrites .Values.resources + resources: {} + # limits: + # cpu: "500m" + # memory: 512Mi + # requests: + # cpu: 250m + # memory: 128Mi + web: + port: 3000 + # -- Number of Web Pods running + replicas: 1 + # -- Affinity for Web Pods, overwrites .Values.affinity + affinity: {} + # -- Pod Security Context for Web Pods, overwrites .Values.podSecurityContext + podSecurityContext: {} + # -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext + securityContext: {} + # -- (Web Container) Resources for Web Pods, overwrites .Values.resources + resources: {} + # limits: + # cpu: "1" + # memory: 1280Mi + # requests: + # cpu: 250m + # memory: 768Mi + # -- Puma-specific options. Below values are based on default behavior in + # config/puma.rb when no custom values are provided. + minThreads: "5" + maxThreads: "5" + workers: "2" + persistentTimeout: "20" + + metrics: + statsd: + # -- Enable statsd publishing via STATSD_ADDR environment variable + address: "" + + # Sets the PREPARED_STATEMENTS environment variable: https://docs.joinmastodon.org/admin/config/#prepared_statements + preparedStatements: true + + ingress: + enabled: true + annotations: + # For choosing an ingress ingressClassName is preferred over annotations + # kubernetes.io/ingress.class: nginx + # + # To automatically request TLS certificates use one of the following + # kubernetes.io/tls-acme: "true" + # cert-manager.io/cluster-issuer: "letsencrypt" + # + # ensure that NGINX's upload size matches Mastodon's + # for the K8s ingress controller: + # nginx.ingress.kubernetes.io/proxy-body-size: 40m + # for the NGINX ingress controller: + # nginx.org/client-max-body-size: 40m + # -- you can specify the ingressClassName if it differs from the default + ingressClassName: + hosts: + - host: mastodon.werts.us + paths: + - path: '/' + + # -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters + elasticsearch: + # `false` will disable full-text search + # + # if you enable ES after the initial install, you will need to manually run + # RAILS_ENV=production bundle exec rake chewy:sync + # (https://docs.joinmastodon.org/admin/optional/elasticsearch/) + # @ignored + enabled: true + # @ignored + image: + tag: 7 + + # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters + postgresql: + # -- disable if you want to use an existing db; in which case the values below + # must match those of that external postgres instance + enabled: true + # postgresqlHostname: preexisting-postgresql + # postgresqlPort: 5432 + auth: + database: mastodon_production + username: mastodon + # you must set a password; the password generated by the postgresql chart will + # be rotated on each upgrade: + # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade + password: "" + # Set the password for the "postgres" admin user + # set this to the same value as above if you've previously installed + # this chart and you're having problems getting mastodon to connect to the DB + # postgresPassword: "" + # you can also specify the name of an existing Secret + # with a key of password set to the password you want + existingSecret: "mastodon-secrets-postgres" + + # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters + redis: + # disable if you want to use an existing redis instance; in which case the + # values below must match those of that external redis instance + enabled: true + hostname: "" + port: 6379 + auth: + # -- you must set a password; the password generated by the redis chart will be + # rotated on each upgrade: + password: "" + # you can also specify the name of an existing Secret + # with a key of redis-password set to the password you want + existingSecret: "mastodon-secrets-redis" + + # @ignored + service: + type: ClusterIP + port: 80 + + externalAuth: + oidc: + # -- OpenID Connect support is proposed in PR #16221 and awaiting merge. + enabled: true + display_name: "werts.us" + issuer: https://auth.werts.us/realms/werts + discovery: true + scope: "openid,profile" + uid_field: uid + client_id: mastodon + client_secret: eJ7ytP63vdMr8tK5KDyvYwr7ce6pSXhtc1x5GSx5yVOLzOl66Tb6OqwSWt776zhKkt18xFpPAGF2WdkUM7Y7HN + redirect_uri: https://mastodon.werts.us/auth/auth/openid_connect/callback + assume_email_is_verified: true + # client_auth_method: + # response_type: + # response_mode: + # display: + # prompt: + # send_nonce: + # send_scope_to_token_endpoint: + # idp_logout_redirect_uri: + # http_scheme: + # host: + # port: + # jwks_uri: + # auth_endpoint: + # token_endpoint: + # user_info_endpoint: + # end_session_endpoint: + + # -- https://github.com/mastodon/mastodon/blob/main/Dockerfile#L75 + # + # if you manually change the UID/GID environment variables, ensure these values + # match: + podSecurityContext: + runAsUser: 991 + runAsGroup: 991 + fsGroup: 991 + + # @ignored + securityContext: {} + + serviceAccount: + # -- Specifies whether a service account should be created + create: true + # -- Annotations to add to the service account + annotations: {} + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + + # Custom annotations to apply to all created deployment objects. These can be + # used to help mastodon interact with other services in the cluster. + deploymentAnnotations: {} + + # -- Kubernetes manages pods for jobs and pods for deployments differently, so you might + # need to apply different annotations to the two different sets of pods. The annotations + # set with podAnnotations will be added to all deployment-managed pods. + podAnnotations: {} + + # If set to true, an annotation with the current chart release number will be added to all mastodon pods. This will + # cause all pods to be recreated every `helm upgrade` regardless of whether their config or spec changes. + revisionPodAnnotation: true + + # The annotations set with jobAnnotations will be added to all job pods. + jobAnnotations: {} + + # -- Default resources for all Deployments and jobs unless overwritten + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + # @ignored + nodeSelector: {} + + # @ignored + tolerations: [] + + # -- Affinity for all pods unless overwritten + affinity: {} + syncPolicy: + automated: + prune: true + selfHeal: true + retry: + backoff: + duration: 5s + factor: 2 + maxDuration: 3m0s + limit: 10 + syncOptions: + - CreateNamespace=true