chore: Clean up old Kubernetes configuration

Vincent Ambo 2018-01-03 16:31:25 +01:00
parent 51cbf1e92a
commit 9464a1dee4
21 changed files with 0 additions and 519 deletions


@ -1,24 +0,0 @@
FROM alpine
MAINTAINER Vincent Ambo <tazjin@gmail.com>
# Install bitlbee packages
RUN apk update && \
apk add bitlbee bitlbee-otr bitlbee-doc ca-certificates curl gnutls
# Install stunnel
RUN echo "http://dl-3.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories
RUN apk update && apk add stunnel
# Add a user for bitlbee
RUN adduser -D bitlbee
# Add bitlbee configuration
ADD bitlbee.conf /etc/bitlbee/bitlbee.conf
ADD motd.txt /etc/bitlbee/motd.txt
# Add stunnel configuration
ADD stunnel.conf /etc/bitlbee/stunnel.conf
EXPOSE 6697
CMD bitlbee -F && stunnel /etc/bitlbee/stunnel.conf


@ -1,38 +0,0 @@
---
apiVersion: v1
kind: ReplicationController
metadata:
name: bitlbee-v1
labels:
app: bitlbee
spec: v1
spec:
replicas: 1
selector:
app: bitlbee
spec: v1
template:
metadata:
labels:
app: bitlbee
spec: v1
spec:
containers:
- image: eu.gcr.io/composite-watch-759/bitlbee
imagePullPolicy: Always
name: bitlbee
volumeMounts:
- name: tazj-in-tls
mountPath: /etc/bitlbee/tls
- name: bitlbee-storage
mountPath: /var/lib/bitlbee
ports:
- containerPort: 6697
volumes:
- name: tazj-in-tls
secret:
secretName: tazj-in-tls
- name: bitlbee-storage
gcePersistentDisk:
pdName: bitlbee-storage
fsType: ext4


@ -1,15 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: bitlbee
labels:
app: bitlbee
spec:
type: LoadBalancer
selector:
app: bitlbee
ports:
- port: 6697
targetPort: 6697
name: irc-tls


@ -1,11 +0,0 @@
[settings]
User = bitlbee
HostName = bitlbee.tazj.in
ConfigDir = /var/lib/bitlbee
AuthMode = Closed
AuthPassword = md5:sehKBm6gtplh6/K0Dn6DOo0crlRH
OperPassword = md5:lP81y2wzU5pSwOtTEI37ewrSSlda
[defaults]
private = 1


@ -1,6 +0,0 @@
Welcome to tazjin's bitlbee server!
While this server may appear as if it's open to the public, you are in no way
safe from me reading your communication or randomly terminating the service.
Use at your own peril, unless you are me.


@ -1,9 +0,0 @@
setuid = nobody
setgid = nogroup
foreground = yes
[bitlbee]
accept = 6697
connect = 6667
cert = /etc/bitlbee/tls/tls.crt
key = /etc/bitlbee/tls/tls.key


@ -1,28 +0,0 @@
apiVersion: v1
kind: ReplicationController
metadata:
name: gogs
spec:
replicas: 1
selector:
app: gogs
template:
metadata:
labels:
app: gogs
spec:
containers:
- image: gogs/gogs
imagePullPolicy: Always
name: gogs
ports:
- containerPort: 22
- containerPort: 3000
volumeMounts:
- name: gogs-storage
mountPath: /data
volumes:
- name: gogs-storage
gcePersistentDisk:
pdName: gogs-storage
fsType: ext4


@ -1,14 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: gogs-priv
labels:
app: gogs
spec:
selector:
app: gogs
ports:
- port: 3000
name: gogs-http-internal
- port: 22
name: gogs-ssh-internal


@ -1,54 +0,0 @@
# Default TLS redirect
server {
listen 80;
server_name *.tazj.in tazj.in;
return 301 https://$server_name$request_uri;
}
# Simple IP echo thing
server {
listen 80;
listen 443 ssl http2;
server_name ip.tazj.in;
access_log off;
add_header "Content-Type" "text/plain";
return 200 "$remote_addr\n";
}
# Redirect for oslo.pub
server {
listen 80;
listen 443 ssl;
server_name oslo.pub *.oslo.pub;
return 302 https://www.google.com/maps/d/viewer?mid=1pJIYY9cuEdt9DuMTbb4etBVq7hs;
}
# Gogs web interface
server {
listen 443 ssl http2;
server_name git.tazj.in;
location / {
proxy_pass http://gogs-priv.default.svc.cluster.local:3000;
}
}
# tazj.in -> www.tazj.in
server {
listen 443 ssl http2;
server_name tazj.in;
location / {
return 301 https://www.tazj.in$request_uri;
}
}
# TazBlog
server {
listen 443 ssl http2 default_server;
server_name www.tazj.in default;
location / {
proxy_pass http://tazblog-priv.default.svc.cluster.local/;
}
}


@ -1,64 +0,0 @@
user nginx;
worker_processes 1;
daemon off;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
gzip on;
# Modern SSL config
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:HTTPS:50m;
ssl_session_tickets off;
ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
# Logstash log format
log_format logstash '$http_host '
'$remote_addr [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time '
'$upstream_response_time';
access_log /var/log/nginx/access.log logstash;
# Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub)
ssl_certificate /etc/nginx/ssl/tazj.in/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/tazj.in/key.pem;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
include /etc/nginx/conf/http.conf;
}
stream {
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:STREAM:50m;
ssl_session_tickets off;
# Default tazj.in certificate
ssl_certificate /etc/nginx/ssl/tazj.in/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/tazj.in/key.pem;
include /etc/nginx/conf/stream.conf;
}


@ -1,12 +0,0 @@
# Gogs SSH tunneling
server {
listen 22;
proxy_pass gogs-priv.default.svc.cluster.local:22;
}
# Quassel TLS -> TCP tunneling
server {
# listen 4242 ssl;
listen 4242;
proxy_pass quassel-priv.default.svc.cluster.local:4242;
}


@ -1,14 +0,0 @@
#!/bin/bash
readonly dhparam=$(openssl dhparam 2048 | base64 -w0)
echo "Inserting new DH parameter ..."
kubectl replace --force -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
name: nginx-dhparam
data:
tls.dhparam: ${dhparam}
EOF


@ -1,24 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: nginx
labels:
app: nginx
annotations:
acme/certificate: '["tazj.in", "www.tazj.in", "ip.tazj.in", "git.tazj.in"]'
acme/secretName: tazj.in-tls
spec:
type: LoadBalancer
loadBalancerIP: 104.155.119.229
selector:
app: nginx
ports:
- port: 80
name: http
- port: 443
name: https
- port: 22
name: ssh
- port: 4242
name: quassel


@ -1,51 +0,0 @@
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: nginx
labels:
app: nginx
spec: v4
spec:
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx:1.9.12
name: nginx
volumeMounts:
- name: tazj-in-tls
mountPath: /etc/nginx/ssl/tazj.in
- name: nginx-dhparam
mountPath: /etc/nginx/ssl/dhparam
- name: nginx-config
mountPath: /etc/nginx/conf
- name: nginx-logs
mountPath: /var/log/nginx
command:
- '/usr/sbin/nginx'
- '-c'
- '/etc/nginx/conf/main.conf'
ports:
- containerPort: 80
- containerPort: 443
- image: reactivehub/google-fluentd-catch-all
name: google-log-agent
volumeMounts:
- name: nginx-logs
mountPath: /var/log/nginx
volumes:
- name: tazj-in-tls
secret:
secretName: tazj.in-tls
- name: nginx-dhparam
secret:
secretName: nginx-dhparam
- name: nginx-config
secret:
secretName: nginx-config
- name: nginx-logs
emptyDir: {}


@ -1,18 +0,0 @@
#!/bin/bash
set -ueo pipefail
readonly main_conf=$(cat conf/main.conf | base64 -w0)
readonly http_conf=$(cat conf/http.conf | base64 -w0)
readonly stream_conf=$(cat conf/stream.conf | base64 -w0)
echo "Replacing nginx configuration ..."
kubectl replace --force -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
name: nginx-config
data:
main.conf: ${main_conf}
http.conf: ${http_conf}
stream.conf: ${stream_conf}
EOF


@ -1,13 +0,0 @@
FROM alpine
MAINTAINER Vincent Ambo <tazjin@gmail.com>
# Install Quassel server packages
RUN apk update && apk add quassel-core qt-sqlite icu-libs
# Location for mounting Quassel state and configuration volume
VOLUME /var/lib/quassel
EXPOSE 4242
USER quassel
CMD /usr/bin/quasselcore


@ -1,27 +0,0 @@
apiVersion: v1
kind: ReplicationController
metadata:
name: quassel
spec:
replicas: 1
selector:
app: quassel
template:
metadata:
labels:
app: quassel
spec:
containers:
- image: eu.gcr.io/composite-watch-759/quassel
imagePullPolicy: Always
name: quassel
ports:
- containerPort: 4242
volumeMounts:
- name: quassel-storage
mountPath: /var/lib/quassel
volumes:
- name: quassel-storage
gcePersistentDisk:
pdName: quassel-storage
fsType: ext4


@ -1,12 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: quassel-priv
labels:
app: quassel
spec:
selector:
app: quassel
ports:
- port: 4242
name: quassel-internal


@ -1,16 +0,0 @@
; stunnel configuration for quassel tunnel
; global configuration
setuid = stunnel
setgid = stunnel
;pid = /var/run/stunnel.pid
output = /var/log/stunnel.log
; clients
[quassel-tazjin]
client = yes
accept = 127.0.0.1:4242
connect = irc.tazj.in:4242
verify = 2
CApath = /etc/ssl/certs
checkHost = irc.tazj.in


@ -1,36 +0,0 @@
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: tazblog-db
spec:
template:
metadata:
labels:
app: tazblog-db
spec:
containers:
- image: eu.gcr.io/composite-watch-759/tazblog-haskell:f33723a
name: tazblog-db
command: ["tazblog-db"]
volumeMounts:
- name: tazblog-state
mountPath: /var/tazblog
volumes:
- name: tazblog-state
gcePersistentDisk:
pdName: tazblog-state
fsType: ext4
---
apiVersion: v1
kind: Service
metadata:
name: tazblog-db
labels:
app: tazblog-db
spec:
selector:
app: tazblog-db
ports:
- port: 8070
name: tazblog-db


@ -1,33 +0,0 @@
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: tazblog
spec:
replicas: 2
template:
metadata:
labels:
app: tazblog
spec:
containers:
- image: eu.gcr.io/composite-watch-759/tazblog-haskell:f33723a
imagePullPolicy: Always
name: tazblog
command: ["tazblog", "--dbHost", "tazblog-db.default.svc.cluster.local"]
---
apiVersion: v1
kind: Service
metadata:
name: tazblog-priv
labels:
app: tazblog
annotations:
acme/certificate: "www.tazj.in"
spec:
selector:
app: tazblog
ports:
- port: 80
targetPort: 8000
name: tazblog-http