kubedon/nginx.yaml at master · waka9841/kubedon · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-conf
data:
  default.conf.template: |
    map $http_upgrade $connection_upgrade {
      default upgrade;
      ''      close;
    }

    server {
      listen 80;
      listen [::]:80;
      server_name ${LOCAL_DOMAIN};
      return 301 https://$host$request_uri;
    }

    server {
      listen 443 ssl http2;
      server_name ${LOCAL_DOMAIN};

      ssl_protocols TLSv1.2;
      ssl_ciphers EECDH+AESGCM:EECDH+AES;
      ssl_ecdh_curve prime256v1;
      ssl_prefer_server_ciphers on;
      ssl_session_cache shared:SSL:10m;
      ssl_session_tickets off;

      ssl_certificate     /certificates/fullchain.pem;
      ssl_certificate_key /certificates/privkey.pem;

      keepalive_timeout    70;
      sendfile             on;
      client_max_body_size 0;

      gzip on;
      gzip_disable "msie6";
      gzip_vary on;
      gzip_proxied any;
      gzip_comp_level 6;
      gzip_buffers 16 8k;
      gzip_http_version 1.1;
      gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

      add_header Strict-Transport-Security "max-age=31536000" always;
      add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss://${LOCAL_DOMAIN}; img-src 'self' https://storage.googleapis.com data:; media-src 'self' https://storage.googleapis.com; font-src 'self'";
      add_header Referrer-Policy "no-referrer";

      location / {
        try_files $uri @proxy;
      }

      location @proxy {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Proxy "";
        proxy_pass_header Server;

        proxy_pass http://mastodon:3000;
        proxy_buffering off;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        tcp_nodelay on;
      }

      location /api/v1/streaming {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Proxy "";

        proxy_pass http://mastodon:4000;
        proxy_buffering off;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        tcp_nodelay on;
      }
    }

---

kind: Service
apiVersion: v1
metadata:
  name: nginx
spec:
  type: LoadBalancer
  loadBalancerIP: "130.211.71.249"
  ports:
  - name: http
    port: 80
    targetPort: http
  - name: https
    port: 443
    targetPort: https
  selector:
    name: nginx

---

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  template:
    metadata:
      labels:
        name: nginx
    spec:
      volumes:
      - name: nginx-conf
        configMap:
          name: nginx-conf
      - name: nginx-certificates
        secret:
          secretName: web-certificates
      containers:
      - image: nginx:alpine
        imagePullPolicy: Always
        name: nginx
        command: ["/bin/ash", "-c", "envsubst '${LOCAL_DOMAIN}' < /etc/nginx/templates/default.conf.template > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"]
        resources:
          requests:
            memory: 64Mi
            cpu: 50m
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        volumeMounts:
        - name: nginx-conf
          mountPath: /etc/nginx/templates
        - name: nginx-certificates
          mountPath: /certificates
        env:
        - name: LOCAL_DOMAIN
          valueFrom:
            secretKeyRef:
              name: mastodon-secrets
              key: LOCAL_DOMAIN