~talya/vyx

My laptop, server, and cluster Nix configuration. ·

👀

nix

r/o

flux/sources/nossa: bump. 01eb5a7b parent 2ddbb997

authored by ~talya

vyx / flux / sources / nossa / manifest.yaml

---

# Instance: nossa

---

apiVersion: v1

data:

policy.yml: |

bots:

- import: (data)/bots/_deny-pathological.yaml

- import: (data)/bots/aggressive-brazilian-scrapers.yaml

- import: (data)/meta/ai-block-aggressive.yaml

- import: (data)/crawlers/_allow-good.yaml

- import: (data)/clients/x-firefox-ai.yaml

- import: (data)/common/keep-internet-working.yaml

- name: countries-with-aggressive-scrapers

action: WEIGH

geoip:

countries:

- BR

- CN

weight:

adjust: 10

- name: aggressive-asns-without-functional-abuse-contact

action: WEIGH

asns:

match:

- 13335

- 136907

- 45102

weight:

adjust: 10

- name: generic-browser

user_agent_regex: Mozilla|Opera

action: WEIGH

weight:

adjust: 10

dnsbl: false

openGraph:

enabled: true

considerHost: false

ttl: 24h

status_codes:

CHALLENGE: 200

DENY: 200

store:

backend: memory

parameters: {}

thresholds:

- name: minimal-suspicion

expression: weight <= 0

action: ALLOW

- name: mild-suspicion

expression:

all:

- weight > 0

- weight < 10

action: CHALLENGE

challenge:

algorithm: metarefresh

difficulty: 1

report_as: 1

- name: moderate-suspicion

expression:

all:

- weight >= 10

- weight < 20

action: CHALLENGE

challenge:

algorithm: fast

difficulty: 2

report_as: 2

- name: extreme-suspicion

expression: weight >= 20

action: CHALLENGE

challenge:

algorithm: fast

difficulty: 4

report_as: 4

immutable: true

kind: ConfigMap

metadata:

labels:

app.kubernetes.io/managed-by: timoni

app.kubernetes.io/name: nossa

app.kubernetes.io/version: 0.0.0-devel

namespace: nossa

---

apiVersion: v1

data:

CONTEXT_LINK_TITLE: kivikakk.ee

CONTEXT_LINK_URL: https://kivikakk.ee

DATABASE_PRIMARY_DATABASE: nossa

DATABASE_PRIMARY_HOSTNAME: postgres.postgres-cassax.svc.cassax.hrzn.ee

DATABASE_PRIMARY_SSL_VERIFY_NONE: "1"

MIX_ENV: prod

NOSSA_GIT_ROOT: /app/storage/git

NOSSA_MAX_BODY_LENGTH: "1000000000"

NOSSA_SNAME: nossa

OPEN_LISTENER: "1"

PHX_HOST: nossa.ee

PORT: "80"

TELEMETRY_PORT: "81"

immutable: true

kind: ConfigMap

metadata:

labels:

app.kubernetes.io/managed-by: timoni

108

app.kubernetes.io/name: nossa

109

app.kubernetes.io/version: 0.0.0-devel

namespace: nossa

---

apiVersion: v1

kind: Service

metadata:

labels:

app.kubernetes.io/managed-by: timoni

118

app.kubernetes.io/name: nossa

119

app.kubernetes.io/version: 0.0.0-devel

namespace: nossa

spec:

ports:

- name: ingress

port: 80

protocol: TCP

targetPort: anubis

- name: metrics

port: 81

protocol: TCP

targetPort: metrics

- name: anubis-metrics

133

port: 9090

134

protocol: TCP

135

targetPort: anubis-metrics

136

selector:

137

app.kubernetes.io/name: nossa

type: ClusterIP

---

apiVersion: apps/v1

kind: Deployment

metadata:

labels:

app.kubernetes.io/managed-by: timoni

145

app.kubernetes.io/name: nossa

146

app.kubernetes.io/version: 0.0.0-devel

namespace: nossa

spec:

replicas: 1

selector:

matchLabels:

app.kubernetes.io/name: nossa

template:

metadata:

annotations:

enbi.hrzn.ee/nixbuild-flakeUrl: git+https://nossa.ee/~talya/nossa?rev=a6e4ee6e48990f0394d1529f1dbc0ceeac24036d

158

enbi.hrzn.ee/nixbuild-imageTag: nossa.ee/talya/nossa:a6e4ee6e48990f0394d1529f1dbc0ceeac24036d

159

enbi.hrzn.ee/nixbuild-packageName: nossa-docker-stream-layered

160

labels:

161

app.kubernetes.io/name: nossa

spec:

affinity:

nodeAffinity:

requiredDuringSchedulingIgnoredDuringExecution:

166

nodeSelectorTerms:

167

- matchExpressions:

168

- key: kubernetes.io/os

operator: In

values:

- linux

- key: kubernetes.io/hostname

operator: In

values:

- kala

containers:

- env:

- name: DATABASE_PRIMARY_USERNAME

valueFrom:

secretKeyRef:

key: username

- name: DATABASE_PRIMARY_PASSWORD

valueFrom:

secretKeyRef:

key: password

- name: NODE_NAME

valueFrom:

fieldRef:

fieldPath: spec.nodeName

192

- name: SECRET_KEY_BASE

valueFrom:

secretKeyRef:

key: secret-key-base

- name: RELEASE_COOKIE

valueFrom:

secretKeyRef:

key: release-cookie

- name: SMTP_HOST

valueFrom:

fieldRef:

fieldPath: status.hostIP

envFrom:

- configMapRef:

image: nossa.ee/talya/nossa:a6e4ee6e48990f0394d1529f1dbc0ceeac24036d

210

imagePullPolicy: Never

211

livenessProbe:

212

initialDelaySeconds: 5

periodSeconds: 5

tcpSocket:

port: http

ports:

- containerPort: 80

protocol: TCP

- containerPort: 81

protocol: TCP

readinessProbe:

httpGet:

path: /~talya/nossa

port: http

initialDelaySeconds: 5

periodSeconds: 10

resources:

requests:

cpu: 10m

memory: 32Mi

securityContext:

allowPrivilegeEscalation: false

capabilities:

add:

- CHOWN

- NET_BIND_SERVICE

- SETGID

- SETUID

drop:

- ALL

privileged: false

volumeMounts:

- mountPath: /app/storage

- env:

- name: BIND

value: :8080

- name: DIFFICULTY

value: "5"

- name: ED25519_PRIVATE_KEY_HEX

254

valueFrom:

255

secretKeyRef:

256

key: ED25519_PRIVATE_KEY_HEX

- name: METRICS_BIND

value: :9090

- name: SERVE_ROBOTS_TXT

261

value: "false"

262

- name: TARGET

263

value: http://localhost:80

264

- name: POLICY_FNAME

265

value: /anubis-policy/policy.yml

266

image: ghcr.io/techarohq/anubis:latest

267

imagePullPolicy: Always

268

269

ports:

270

- containerPort: 8080

271

272

protocol: TCP

273

- containerPort: 9090

protocol: TCP

resources:

limits:

cpu: 750m

memory: 256Mi

requests:

cpu: 100m

memory: 256Mi

securityContext:

allowPrivilegeEscalation: false

capabilities:

drop:

- ALL

runAsGroup: 1000

runAsNonRoot: true

runAsUser: 1000

seccompProfile:

type: RuntimeDefault

volumeMounts:

- mountPath: /anubis-policy

initContainers:

- command:

- /bin/nossa-epmd

- -d

image: nossa.ee/talya/nossa:a6e4ee6e48990f0394d1529f1dbc0ceeac24036d

301

imagePullPolicy: Never

302

livenessProbe:

303

initialDelaySeconds: 5

periodSeconds: 5

tcpSocket:

port: 4369

restartPolicy: Always

309

volumes:

310

- name: pvs

311

persistentVolumeClaim:

claimName: nossa

- configMap:

---

apiVersion: v1

kind: PersistentVolumeClaim

319

metadata:

320

labels:

321

app.kubernetes.io/managed-by: timoni

322

app.kubernetes.io/name: nossa

323

app.kubernetes.io/version: 0.0.0-devel

namespace: nossa

spec:

accessModes:

- ReadWriteOnce

resources:

requests:

storage: 20Gi

---

apiVersion: gateway.envoyproxy.io/v1alpha1

334

kind: BackendTrafficPolicy

metadata:

namespace: nossa

spec:

targetRefs:

- group: gateway.networking.k8s.io

kind: HTTPRoute

timeout:

http:

connectionIdleTimeout: 3600s

346

requestTimeout: 3600s

347

---

348

apiVersion: gateway.networking.k8s.io/v1

kind: HTTPRoute

metadata:

annotations:

external-dns.alpha.kubernetes.io/hostname: nossa.ee.

353

external-dns.alpha.kubernetes.io/ttl: 24h

354

labels:

355

app.kubernetes.io/managed-by: timoni

356

app.kubernetes.io/name: nossa

357

app.kubernetes.io/version: 0.0.0-devel

namespace: nossa

spec:

hostnames:

- nossa.ee

parentRefs:

- name: eg

namespace: envoy-gateway-system

366

sectionName: https-nossa-ee

rules:

- backendRefs:

- name: nossa

port: 80

---

apiVersion: gateway.networking.k8s.io/v1

kind: HTTPRoute

metadata:

labels:

app.kubernetes.io/managed-by: timoni

377

app.kubernetes.io/name: nossa

378

app.kubernetes.io/version: 0.0.0-devel

namespace: nossa

spec:

hostnames:

- www.nossa.ee

parentRefs:

- name: eg

namespace: envoy-gateway-system

387

sectionName: https-www-nossa-ee

rules:

- filters:

- requestRedirect:

hostname: nossa.ee

statusCode: 301

type: RequestRedirect

394