Fix: Changed syncthing access and auth scheme

This commit is contained in:
AB from home.homenet
2025-10-12 13:29:10 +03:00
parent 00837fb238
commit aa19cd8e61
7 changed files with 255 additions and 403 deletions


@@ -1,85 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-router-config
namespace: syncthing
data:
default.conf: |
server {
listen 80;
server_name _;
# Route assets based on cookie or referer
location / {
# Check cookie first
if ($cookie_syncthing_instance = "nas") {
proxy_pass http://syncthing-nas:8384;
}
if ($cookie_syncthing_instance = "master") {
proxy_pass http://syncthing-master:8384;
}
if ($cookie_syncthing_instance = "iris") {
proxy_pass http://syncthing-khv:8384;
}
# Check referer as fallback
if ($http_referer ~ "/nas") {
proxy_pass http://syncthing-nas:8384;
}
if ($http_referer ~ "/master") {
proxy_pass http://syncthing-master:8384;
}
if ($http_referer ~ "/iris") {
proxy_pass http://syncthing-khv:8384;
}
# Default to nas if no match
proxy_pass http://syncthing-nas:8384;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: syncthing-router
namespace: syncthing
spec:
replicas: 1
selector:
matchLabels:
app: syncthing-router
template:
metadata:
labels:
app: syncthing-router
spec:
containers:
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
volumeMounts:
- name: config
mountPath: /etc/nginx/conf.d
volumes:
- name: config
configMap:
name: nginx-router-config
---
apiVersion: v1
kind: Service
metadata:
name: syncthing-router
namespace: syncthing
spec:
selector:
app: syncthing-router
ports:
- protocol: TCP
port: 80
targetPort: 80


@@ -1,85 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: syncthing-ingressroute
namespace: syncthing
spec:
entryPoints:
- websecure
routes:
# Landing page
- match: Host(`ss.hexor.cy`) && Path(`/`)
kind: Rule
services:
- name: syncthing-landing
port: 80
middlewares:
- name: authentik-forward-auth
namespace: syncthing
# NAS instance and its assets
- match: Host(`ss.hexor.cy`) && PathPrefix(`/nas`)
kind: Rule
priority: 100
services:
- name: syncthing-nas
port: 8384
middlewares:
- name: authentik-forward-auth
namespace: syncthing
- name: syncthing-headers-nas
namespace: syncthing
- name: set-cookie-nas
namespace: syncthing
- name: strip-prefix-nas
namespace: syncthing
# Master instance and its assets
- match: Host(`ss.hexor.cy`) && PathPrefix(`/master`)
kind: Rule
priority: 100
services:
- name: syncthing-master
port: 8384
middlewares:
- name: authentik-forward-auth
namespace: syncthing
- name: syncthing-headers-master
namespace: syncthing
- name: set-cookie-master
namespace: syncthing
- name: strip-prefix-master
namespace: syncthing
# Iris instance and its assets
- match: Host(`ss.hexor.cy`) && PathPrefix(`/iris`)
kind: Rule
priority: 100
services:
- name: syncthing-khv
port: 8384
middlewares:
- name: authentik-forward-auth
namespace: syncthing
- name: syncthing-headers-iris
namespace: syncthing
- name: set-cookie-iris
namespace: syncthing
- name: strip-prefix-iris
namespace: syncthing
# Catch all static assets and route based on referer header
- match: Host(`ss.hexor.cy`) && (PathPrefix(`/vendor`) || PathPrefix(`/theme-assets`) || PathPrefix(`/meta`) || PathPrefix(`/syncthing`))
kind: Rule
priority: 50
services:
- name: syncthing-router
namespace: syncthing
port: 80
middlewares:
- name: authentik-forward-auth
namespace: syncthing
- name: asset-router
namespace: syncthing
tls:
secretName: syncthing-tls


@@ -4,10 +4,8 @@ kind: Kustomization
resources: resources:
- app.yaml - app.yaml
- ingress-route.yaml - nginx-router.yaml
- middleware.yaml - traefik-simple.yaml
- landing-page.yaml
- asset-router.yaml
helmCharts: helmCharts:
- name: syncthing - name: syncthing


@@ -1,103 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: syncthing-landing-html
namespace: syncthing
data:
index.html: |
<!DOCTYPE html>
<html>
<head>
<title>Syncthing Instances</title>
<style>
body {
font-family: Arial, sans-serif;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
margin: 0;
background-color: #f0f0f0;
}
.container {
text-align: center;
background: white;
padding: 40px;
border-radius: 10px;
box-shadow: 0 2px 10px rgba(0,0,0,0.1);
}
h1 {
color: #333;
margin-bottom: 30px;
}
.links {
display: flex;
flex-direction: column;
gap: 15px;
}
a {
display: inline-block;
padding: 15px 30px;
background-color: #0078e7;
color: white;
text-decoration: none;
border-radius: 5px;
transition: background-color 0.3s;
}
a:hover {
background-color: #0056b3;
}
</style>
</head>
<body>
<div class="container">
<h1>Syncthing Instances</h1>
<div class="links">
<a href="/nas">NAS Instance</a>
<a href="/master">Master Instance</a>
<a href="/iris">Iris Instance</a>
</div>
</div>
</body>
</html>
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: syncthing-landing
namespace: syncthing
spec:
replicas: 1
selector:
matchLabels:
app: syncthing-landing
template:
metadata:
labels:
app: syncthing-landing
spec:
containers:
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
volumeMounts:
- name: html
mountPath: /usr/share/nginx/html
volumes:
- name: html
configMap:
name: syncthing-landing-html
---
apiVersion: v1
kind: Service
metadata:
name: syncthing-landing
namespace: syncthing
spec:
selector:
app: syncthing-landing
ports:
- protocol: TCP
port: 80
targetPort: 80


@@ -1,125 +0,0 @@
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: authentik-forward-auth
namespace: syncthing
spec:
forwardAuth:
address: http://authentik-server.authentik.svc.cluster.local/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: strip-prefix-nas
namespace: syncthing
spec:
stripPrefix:
prefixes:
- /nas
forceSlash: false
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: strip-prefix-master
namespace: syncthing
spec:
stripPrefix:
prefixes:
- /master
forceSlash: false
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: strip-prefix-iris
namespace: syncthing
spec:
stripPrefix:
prefixes:
- /iris
forceSlash: false
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: syncthing-headers-nas
namespace: syncthing
spec:
headers:
customRequestHeaders:
X-Forwarded-Prefix: "/nas"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: syncthing-headers-master
namespace: syncthing
spec:
headers:
customRequestHeaders:
X-Forwarded-Prefix: "/master"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: syncthing-headers-iris
namespace: syncthing
spec:
headers:
customRequestHeaders:
X-Forwarded-Prefix: "/iris"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: set-cookie-nas
namespace: syncthing
spec:
headers:
customResponseHeaders:
Set-Cookie: "syncthing_instance=nas; Path=/; HttpOnly"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: set-cookie-master
namespace: syncthing
spec:
headers:
customResponseHeaders:
Set-Cookie: "syncthing_instance=master; Path=/; HttpOnly"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: set-cookie-iris
namespace: syncthing
spec:
headers:
customResponseHeaders:
Set-Cookie: "syncthing_instance=iris; Path=/; HttpOnly"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: asset-router
namespace: syncthing
spec:
plugin:
simplerouter:
routes:
- match: Header(`Referer`, `.*\/nas.*`)
service: syncthing-nas
- match: Header(`Referer`, `.*\/master.*`)
service: syncthing-master
- match: Header(`Referer`, `.*\/iris.*`)
service: syncthing-khv


@@ -0,0 +1,216 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-config
namespace: syncthing
data:
default.conf: |
server {
listen 80;
server_name _;
# Landing page
location = / {
root /usr/share/nginx/html;
try_files /index.html =404;
}
# NAS instance
location /nas {
rewrite ^/nas$ /nas/ permanent;
}
location /nas/ {
proxy_pass http://syncthing-nas:8384/;
# Important: tell syncthing that we're using /nas as base path
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Handle websockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Sub filter to fix asset paths
sub_filter 'href="/' 'href="/nas/';
sub_filter 'src="/' 'src="/nas/';
sub_filter 'url(/' 'url(/nas/';
sub_filter '"/meta' '"/nas/meta';
sub_filter '"/rest' '"/nas/rest';
sub_filter '"/vendor' '"/nas/vendor';
sub_filter '"/theme-assets' '"/nas/theme-assets';
sub_filter '"/syncthing' '"/nas/syncthing';
sub_filter_once off;
sub_filter_types text/html text/css application/javascript;
}
# Master instance
location /master {
rewrite ^/master$ /master/ permanent;
}
location /master/ {
proxy_pass http://syncthing-master:8384/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
sub_filter 'href="/' 'href="/master/';
sub_filter 'src="/' 'src="/master/';
sub_filter 'url(/' 'url(/master/';
sub_filter '"/meta' '"/master/meta';
sub_filter '"/rest' '"/master/rest';
sub_filter '"/vendor' '"/master/vendor';
sub_filter '"/theme-assets' '"/master/theme-assets';
sub_filter '"/syncthing' '"/master/syncthing';
sub_filter_once off;
sub_filter_types text/html text/css application/javascript;
}
# Iris instance
location /iris {
rewrite ^/iris$ /iris/ permanent;
}
location /iris/ {
proxy_pass http://syncthing-khv:8384/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
sub_filter 'href="/' 'href="/iris/';
sub_filter 'src="/' 'src="/iris/';
sub_filter 'url(/' 'url(/iris/';
sub_filter '"/meta' '"/iris/meta';
sub_filter '"/rest' '"/iris/rest';
sub_filter '"/vendor' '"/iris/vendor';
sub_filter '"/theme-assets' '"/iris/theme-assets';
sub_filter '"/syncthing' '"/iris/syncthing';
sub_filter_once off;
sub_filter_types text/html text/css application/javascript;
}
}
index.html: |
<!DOCTYPE html>
<html>
<head>
<title>Syncthing Instances</title>
<style>
body {
font-family: Arial, sans-serif;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
margin: 0;
background-color: #f0f0f0;
}
.container {
text-align: center;
background: white;
padding: 40px;
border-radius: 10px;
box-shadow: 0 2px 10px rgba(0,0,0,0.1);
}
h1 {
color: #333;
margin-bottom: 30px;
}
.links {
display: flex;
flex-direction: column;
gap: 15px;
}
a {
display: inline-block;
padding: 15px 30px;
background-color: #0078e7;
color: white;
text-decoration: none;
border-radius: 5px;
transition: background-color 0.3s;
}
a:hover {
background-color: #0056b3;
}
</style>
</head>
<body>
<div class="container">
<h1>Syncthing Instances</h1>
<div class="links">
<a href="/nas/">NAS Instance</a>
<a href="/master/">Master Instance</a>
<a href="/iris/">Iris Instance</a>
</div>
</div>
</body>
</html>
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: syncthing-router
namespace: syncthing
spec:
replicas: 1
selector:
matchLabels:
app: syncthing-router
template:
metadata:
labels:
app: syncthing-router
spec:
containers:
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
volumeMounts:
- name: config
mountPath: /etc/nginx/conf.d
- name: html
mountPath: /usr/share/nginx/html
volumes:
- name: config
configMap:
name: nginx-config
items:
- key: default.conf
path: default.conf
- name: html
configMap:
name: nginx-config
items:
- key: index.html
path: index.html
---
apiVersion: v1
kind: Service
metadata:
name: syncthing-router
namespace: syncthing
spec:
selector:
app: syncthing-router
ports:
- protocol: TCP
port: 80
targetPort: 80
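Review bot: The `sub_filter` rewrites in the `/nas/`, `/master/` and `/iris/` proxy locations of `default.conf` will silently not apply whenever the upstream returns a compressed body, because `sub_filter` only operates on uncompressed responses and the browser's `Accept-Encoding` is passed through as-is; add `proxy_set_header Accept-Encoding "";` alongside the other `proxy_set_header` lines in each of the three locations. The filters also match only double-quoted paths (`'"/rest'`, `'"/meta'`, …), so any script that builds a path with single quotes would still point at the site root — worth checking against the rendered GUI rather than assuming. Separately, `image: nginx:alpine` is a floating tag in the `syncthing-router` Deployment; pinning it to a digest would make the router image reproducible and its updates deliberate.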


@@ -0,0 +1,36 @@
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: syncthing-ingressroute
namespace: syncthing
spec:
entryPoints:
- websecure
routes:
- match: Host(`ss.hexor.cy`)
kind: Rule
services:
- name: syncthing-router
port: 80
middlewares:
- name: authentik-forward-auth
namespace: syncthing
tls:
secretName: syncthing-tls
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: authentik-forward-auth
namespace: syncthing
spec:
forwardAuth:
address: http://authentik-server.authentik.svc.cluster.local/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
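Review bot: `trustForwardHeader: true` on the `authentik-forward-auth` middleware makes Traefik hand the client-supplied `X-Forwarded-*` headers to the authentik outpost unchanged, so the outpost's view of host and URI is only as trustworthy as whatever sits in front of Traefik; unless the `websecure` entryPoint already restricts forwarded headers to known proxies (`forwardedHeaders.trustedIPs`), `trustForwardHeader: false` is the safer setting, and if it must stay on, a comment such as `# trustForwardHeader: required because <reason>; forwarded headers are sanitized at <PLACEHOLDER: edge proxy>` would record why. The auth boundary also exists only on this IngressRoute: the `syncthing-router` Service and the per-instance syncthing Services remain reachable from inside the cluster without passing through authentik, which is worth either stating explicitly in a comment or narrowing with a NetworkPolicy that limits ingress to the Traefik namespace.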