ab/homelab
1
0
Fork 1
Code Pull Requests Actions Packages Wiki Activity

Changed syncthing access and auth scheme
All checks were successful
Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 11s
Details
Check with kubeconform / lint (push) Successful in 12s
Details

Browse Source
This commit is contained in:
AB from home.homenet
2025-10-12 13:16:10 +03:00
parent 479a2a02ea
commit 00837fb238
4 changed files with 203 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

85
k8s/apps/syncthing/asset-router.yaml Normal file
View File

@@ -0,0 +1,85 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-router-config
namespace: syncthing
data:
default.conf: |
server {
listen 80;
server_name _;
# Route assets based on cookie or referer
location / {
# Check cookie first
if ($cookie_syncthing_instance = "nas") {
proxy_pass http://syncthing-nas:8384;
}
if ($cookie_syncthing_instance = "master") {
proxy_pass http://syncthing-master:8384;
}
if ($cookie_syncthing_instance = "iris") {
proxy_pass http://syncthing-khv:8384;
}
# Check referer as fallback
if ($http_referer ~ "/nas") {
proxy_pass http://syncthing-nas:8384;
}
if ($http_referer ~ "/master") {
proxy_pass http://syncthing-master:8384;
}
if ($http_referer ~ "/iris") {
proxy_pass http://syncthing-khv:8384;
}
# Default to nas if no match
proxy_pass http://syncthing-nas:8384;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: syncthing-router
namespace: syncthing
spec:
replicas: 1
selector:
matchLabels:
app: syncthing-router
template:
metadata:
labels:
app: syncthing-router
spec:
containers:
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
volumeMounts:
- name: config
mountPath: /etc/nginx/conf.d
volumes:
- name: config
configMap:
name: nginx-router-config
---
apiVersion: v1
kind: Service
metadata:
name: syncthing-router
namespace: syncthing
spec:
selector:
app: syncthing-router
ports:
- protocol: TCP
port: 80
targetPort: 80

38
k8s/apps/syncthing/ingress-route.yaml
View File

@@ -7,7 +7,8 @@ spec:
entryPoints: entryPoints:
- websecure - websecure
routes: routes:
- match: Host(`ss.hexor.cy`) # Landing page
- match: Host(`ss.hexor.cy`) && Path(`/`)
kind: Rule kind: Rule
services: services:
- name: syncthing-landing - name: syncthing-landing
@@ -15,35 +16,70 @@ spec:
middlewares: middlewares:
- name: authentik-forward-auth - name: authentik-forward-auth
namespace: syncthing namespace: syncthing
# NAS instance and its assets
- match: Host(`ss.hexor.cy`) && PathPrefix(`/nas`) - match: Host(`ss.hexor.cy`) && PathPrefix(`/nas`)
kind: Rule kind: Rule
priority: 100
services: services:
- name: syncthing-nas - name: syncthing-nas
port: 8384 port: 8384
middlewares: middlewares:
- name: authentik-forward-auth - name: authentik-forward-auth
namespace: syncthing namespace: syncthing
- name: syncthing-headers-nas
namespace: syncthing
- name: set-cookie-nas
namespace: syncthing
- name: strip-prefix-nas - name: strip-prefix-nas
namespace: syncthing namespace: syncthing
# Master instance and its assets
- match: Host(`ss.hexor.cy`) && PathPrefix(`/master`) - match: Host(`ss.hexor.cy`) && PathPrefix(`/master`)
kind: Rule kind: Rule
priority: 100
services: services:
- name: syncthing-master - name: syncthing-master
port: 8384 port: 8384
middlewares: middlewares:
- name: authentik-forward-auth - name: authentik-forward-auth
namespace: syncthing namespace: syncthing
- name: syncthing-headers-master
namespace: syncthing
- name: set-cookie-master
namespace: syncthing
- name: strip-prefix-master - name: strip-prefix-master
namespace: syncthing namespace: syncthing
# Iris instance and its assets
- match: Host(`ss.hexor.cy`) && PathPrefix(`/iris`) - match: Host(`ss.hexor.cy`) && PathPrefix(`/iris`)
kind: Rule kind: Rule
priority: 100
services: services:
- name: syncthing-khv - name: syncthing-khv
port: 8384 port: 8384
middlewares: middlewares:
- name: authentik-forward-auth - name: authentik-forward-auth
namespace: syncthing namespace: syncthing
- name: syncthing-headers-iris
namespace: syncthing
- name: set-cookie-iris
namespace: syncthing
- name: strip-prefix-iris - name: strip-prefix-iris
namespace: syncthing namespace: syncthing
# Catch all static assets and route based on referer header
- match: Host(`ss.hexor.cy`) && (PathPrefix(`/vendor`) || PathPrefix(`/theme-assets`) || PathPrefix(`/meta`) || PathPrefix(`/syncthing`))
kind: Rule
priority: 50
services:
- name: syncthing-router
namespace: syncthing
port: 80
middlewares:
- name: authentik-forward-auth
namespace: syncthing
- name: asset-router
namespace: syncthing
tls: tls:
secretName: syncthing-tls secretName: syncthing-tls

1
k8s/apps/syncthing/kustomization.yaml
View File

@@ -7,6 +7,7 @@ resources:
- ingress-route.yaml - ingress-route.yaml
- middleware.yaml - middleware.yaml
- landing-page.yaml - landing-page.yaml
- asset-router.yaml
helmCharts: helmCharts:
- name: syncthing - name: syncthing

79
k8s/apps/syncthing/middleware.yaml
View File

@@ -24,6 +24,7 @@ spec:
stripPrefix: stripPrefix:
prefixes: prefixes:
- /nas - /nas
forceSlash: false
--- ---
apiVersion: traefik.io/v1alpha1 apiVersion: traefik.io/v1alpha1
kind: Middleware kind: Middleware
@@ -34,6 +35,7 @@ spec:
stripPrefix: stripPrefix:
prefixes: prefixes:
- /master - /master
forceSlash: false
--- ---
apiVersion: traefik.io/v1alpha1 apiVersion: traefik.io/v1alpha1
kind: Middleware kind: Middleware
@@ -44,3 +46,80 @@ spec:
stripPrefix: stripPrefix:
prefixes: prefixes:
- /iris - /iris
forceSlash: false
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: syncthing-headers-nas
namespace: syncthing
spec:
headers:
customRequestHeaders:
X-Forwarded-Prefix: "/nas"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: syncthing-headers-master
namespace: syncthing
spec:
headers:
customRequestHeaders:
X-Forwarded-Prefix: "/master"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: syncthing-headers-iris
namespace: syncthing
spec:
headers:
customRequestHeaders:
X-Forwarded-Prefix: "/iris"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: set-cookie-nas
namespace: syncthing
spec:
headers:
customResponseHeaders:
Set-Cookie: "syncthing_instance=nas; Path=/; HttpOnly"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: set-cookie-master
namespace: syncthing
spec:
headers:
customResponseHeaders:
Set-Cookie: "syncthing_instance=master; Path=/; HttpOnly"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: set-cookie-iris
namespace: syncthing
spec:
headers:
customResponseHeaders:
Set-Cookie: "syncthing_instance=iris; Path=/; HttpOnly"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: asset-router
namespace: syncthing
spec:
plugin:
simplerouter:
routes:
- match: Header(`Referer`, `.*\/nas.*`)
service: syncthing-nas
- match: Header(`Referer`, `.*\/master.*`)
service: syncthing-master
- match: Header(`Referer`, `.*\/iris.*`)
service: syncthing-khv