fix(nginx): configuration, annotations and remove maxmind

kubernetes/apps/database/emqx/cluster/ingress.yaml

@@ -3,8 +3,6 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: emqx-dashboard
-  annotations:
-    external-dns.alpha.kubernetes.io/target: internal.${DOMAIN}
 spec:
   rules:
     - host: emqx.${DOMAIN}

kubernetes/apps/default/mealie/app/helmrelease.yaml

@@ -83,8 +83,6 @@ spec:
     ingress:
       app:
         className: external
-        annotations:
-          external-dns.alpha.kubernetes.io/target: external.${DOMAIN}
         hosts:
           - host: mealie.${DOMAIN}
             paths:

kubernetes/apps/default/miniflux/app/helmrelease.yaml

@@ -101,8 +101,6 @@ spec:
     ingress:
       app:
         className: external
-        annotations:
-          external-dns.alpha.kubernetes.io/target: external.${DOMAIN}
         hosts:
           - host: miniflux.${DOMAIN}
             paths:

kubernetes/apps/default/paperless/app/helmrelease.yaml

@@ -72,8 +72,6 @@ spec:
     ingress:
       app:
         className: internal
-        annotations:
-          external-dns.alpha.kubernetes.io/target: internal.${DOMAIN}
         hosts:
           - host: paperless.${DOMAIN}
             paths:

kubernetes/apps/default/vaultwarden/app/helmrelease.yaml

@@ -77,7 +77,6 @@ spec:
       app:
         className: external
         annotations:
-          external-dns.alpha.kubernetes.io/target: external.${DOMAIN}
           # disabled for 40x because it is used for the API
           nginx.ingress.kubernetes.io/custom-http-errors: 500,501,502,503,504,505,506,510
         hosts:
@@ -90,7 +89,6 @@ spec:
       admin:
         className: external
         annotations:
-          external-dns.alpha.kubernetes.io/target: external.${DOMAIN}
           # disabled for 40x because it is used for the authentication
           nginx.ingress.kubernetes.io/custom-http-errors: 500,501,502,503,504,505,506,510
           nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

kubernetes/apps/download/qbittorrent/app/helmrelease.yaml

@@ -115,7 +115,6 @@ spec:
       app:
         className: external
         annotations:
-          external-dns.alpha.kubernetes.io/target: external.${DOMAIN}
           nginx.ingress.kubernetes.io/auth-method: GET
           nginx.ingress.kubernetes.io/auth-url: http://authelia.security.svc.cluster.local/api/verify
           nginx.ingress.kubernetes.io/auth-signin: https://auth.${DOMAIN}?rm=$request_method

kubernetes/apps/download/sabnzbd/app/helmrelease.yaml

@@ -87,7 +87,6 @@ spec:
       app:
         className: external
         annotations:
-          external-dns.alpha.kubernetes.io/target: external.${DOMAIN}
           nginx.ingress.kubernetes.io/auth-method: GET
           nginx.ingress.kubernetes.io/auth-url: http://authelia.security.svc.cluster.local/api/verify
           nginx.ingress.kubernetes.io/auth-signin: https://auth.${DOMAIN}?rm=$request_method

kubernetes/apps/flux-system/addons/app/webhooks/github/ingress.yaml

@@ -4,7 +4,6 @@ kind: Ingress
 metadata:
   name: flux-webhook
   annotations:
-    external-dns.alpha.kubernetes.io/target: external.${DOMAIN}
     # disabled
     nginx.ingress.kubernetes.io/custom-http-errors: 599
 spec:

kubernetes/apps/home-automation/frigate/app/helmrelease.yaml

@@ -77,8 +77,6 @@ spec:
     ingress:
       app:
         className: internal
-        annotations:
-          external-dns.alpha.kubernetes.io/target: internal.${DOMAIN}
         hosts:
           - host: frigate.${DOMAIN}
             paths:

kubernetes/apps/home-automation/go2rtc/app/helmrelease.yaml

@@ -81,8 +81,6 @@ spec:
     ingress:
       app:
         className: internal
-        annotations:
-          external-dns.alpha.kubernetes.io/target: internal.${DOMAIN}
         hosts:
           - host: go2rtc.${DOMAIN}
             paths:

kubernetes/apps/home-automation/home-assistant/app/helmrelease.yaml

@@ -84,7 +84,6 @@ spec:
       app:
         className: external
         annotations:
-          external-dns.alpha.kubernetes.io/target: external.${DOMAIN}
           # disabled for 403
           nginx.ingress.kubernetes.io/custom-http-errors: 400,404,405,409,410,411,412,413,414,415,416,417,418,421,425,431,451,500,501,502,503,504,505,506,510
         hosts:
@@ -97,7 +96,6 @@ spec:
       code-server:
         className: internal
         annotations:
-          external-dns.alpha.kubernetes.io/target: internal.${DOMAIN}
           # disabled for 404
           nginx.ingress.kubernetes.io/custom-http-errors: 400,403,405,409,410,411,412,413,414,415,416,417,418,421,425,431,451,500,501,502,503,504,505,506,510
         hosts:

kubernetes/apps/home-automation/zigbee2mqtt-old/app/helmrelease.yaml

@@ -97,8 +97,6 @@ spec:
     ingress:
       app:
         className: internal
-        annotations:
-          external-dns.alpha.kubernetes.io/target: internal.${DOMAIN}
         hosts:
           - host: zigbee2mqtt-old.${DOMAIN}
             paths:

kubernetes/apps/kube-system/cilium/app/helmrelease.yaml

@@ -54,8 +54,6 @@ spec:
         ingress:
           enabled: true
           className: internal
-          annotations:
-            external-dns.alpha.kubernetes.io/target: internal.${DOMAIN}
           hosts: ["hubble.${DOMAIN}"]
     operator:
       prometheus:

kubernetes/apps/media/audiobookshelf/app/helmrelease.yaml

@@ -80,8 +80,6 @@ spec:
     ingress:
       app:
         className: external
-        annotations:
-          external-dns.alpha.kubernetes.io/target: external.${DOMAIN}
         hosts:
           - host: audiobookshelf.${DOMAIN}
             paths:

kubernetes/apps/media/autobrr/app/helmrelease.yaml

@@ -85,7 +85,6 @@ spec:
       app:
         className: internal
         annotations:
-          external-dns.alpha.kubernetes.io/target: internal.${DOMAIN}
           # disabled for 40x and 503 because it is used for authentication and onboarding
           nginx.ingress.kubernetes.io/custom-http-errors: 500,501,502,504,505,506,510
         hosts:

kubernetes/apps/media/jellyfin/app/helmrelease.yaml

@@ -97,8 +97,6 @@ spec:
     ingress:
       app:
         className: external
-        annotations:
-          external-dns.alpha.kubernetes.io/target: external.${DOMAIN}
         hosts:
           - host: jellyfin.${DOMAIN}
             paths:

kubernetes/apps/media/jellyseerr/app/helmrelease.yaml

@@ -78,8 +78,6 @@ spec:
     ingress:
       app:
         className: internal
-        annotations:
-          external-dns.alpha.kubernetes.io/target: internal.${DOMAIN}
         hosts:
           - host: jellyseerr.${DOMAIN}
             paths:

kubernetes/apps/media/jellystat/app/helmrelease.yaml

@@ -80,8 +80,6 @@ spec:
     ingress:
       app:
         className: internal
-        annotations:
-          external-dns.alpha.kubernetes.io/target: internal.${DOMAIN}
         hosts:
           - host: jellystat.${DOMAIN}
             paths:

kubernetes/apps/media/kavita/app/helmrelease.yaml

@@ -62,8 +62,6 @@ spec:
     ingress:
       app:
         className: external
-        annotations:
-          external-dns.alpha.kubernetes.io/target: external.${DOMAIN}
         hosts:
           - host: kavita.${DOMAIN}
             paths:

kubernetes/apps/media/lidarr/app/helmrelease.yaml

@@ -71,7 +71,6 @@ spec:
       app:
         className: external
         annotations:
-          external-dns.alpha.kubernetes.io/target: external.${DOMAIN}
           nginx.ingress.kubernetes.io/auth-method: GET
           nginx.ingress.kubernetes.io/auth-url: http://authelia.security.svc.cluster.local/api/verify
           nginx.ingress.kubernetes.io/auth-signin: https://auth.${DOMAIN}?rm=$request_method

kubernetes/apps/media/prowlarr/app/helmrelease.yaml

@@ -84,7 +84,6 @@ spec:
       app:
         className: external
         annotations:
-          external-dns.alpha.kubernetes.io/target: external.${DOMAIN}
           nginx.ingress.kubernetes.io/auth-method: GET
           nginx.ingress.kubernetes.io/auth-url: http://authelia.security.svc.cluster.local/api/verify
           nginx.ingress.kubernetes.io/auth-signin: https://auth.${DOMAIN}?rm=$request_method

kubernetes/apps/media/radarr/app/helmrelease.yaml

@@ -84,7 +84,6 @@ spec:
       app:
         className: external
         annotations:
-          external-dns.alpha.kubernetes.io/target: external.${DOMAIN}
           nginx.ingress.kubernetes.io/auth-method: GET
           nginx.ingress.kubernetes.io/auth-url: http://authelia.security.svc.cluster.local/api/verify
           nginx.ingress.kubernetes.io/auth-signin: https://auth.${DOMAIN}?rm=$request_method

kubernetes/apps/media/readarr-audio/app/helmrelease.yaml

@@ -84,7 +84,6 @@ spec:
       app:
         className: external
         annotations:
-          external-dns.alpha.kubernetes.io/target: external.${DOMAIN}
           nginx.ingress.kubernetes.io/auth-method: GET
           nginx.ingress.kubernetes.io/auth-url: http://authelia.security.svc.cluster.local/api/verify
           nginx.ingress.kubernetes.io/auth-signin: https://auth.${DOMAIN}?rm=$request_method

kubernetes/apps/media/readarr/app/helmrelease.yaml

@@ -84,7 +84,6 @@ spec:
       app:
         className: external
         annotations:
-          external-dns.alpha.kubernetes.io/target: external.${DOMAIN}
           nginx.ingress.kubernetes.io/auth-method: GET
           nginx.ingress.kubernetes.io/auth-url: http://authelia.security.svc.cluster.local/api/verify
           nginx.ingress.kubernetes.io/auth-signin: https://auth.${DOMAIN}?rm=$request_method

kubernetes/apps/media/sonarr/app/helmrelease.yaml

@@ -83,7 +83,6 @@ spec:
       app:
         className: external
         annotations:
-          external-dns.alpha.kubernetes.io/target: external.${DOMAIN}
           nginx.ingress.kubernetes.io/auth-method: GET
           nginx.ingress.kubernetes.io/auth-url: http://authelia.security.svc.cluster.local/api/verify
           nginx.ingress.kubernetes.io/auth-signin: https://auth.${DOMAIN}?rm=$request_method

kubernetes/apps/network/echo-server/app/helmrelease.yaml

@@ -92,8 +92,6 @@ spec:
     ingress:
       app:
         className: external
-        annotations:
-          external-dns.alpha.kubernetes.io/target: external.${DOMAIN}
         hosts:
           - host: echo-server.${DOMAIN}
             paths:

kubernetes/apps/network/nginx/external/helmrelease.yaml

@@ -29,7 +29,7 @@ spec:
       service:
         enableHttp: false
         annotations:
-          external-dns.alpha.kubernetes.io/hostname: external.${DOMAIN}
+          external-dns.alpha.kubernetes.io/hostname: &hostname external.${DOMAIN}
           lbipam.cilium.io/ips: ${INGRESS_NGINX_EXTERNAL_IP}
       ingressClassResource:
         name: external
@@ -43,15 +43,22 @@ spec:
               values: ["external"]
       allowSnippetAnnotations: true
       config:
-        # taken from https://github.com/superseriousbusiness/gotosocial/blob/main/internal/web/robots.go
-        block-user-agents: "GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*"
-        client-body-buffer-size: 50M
+        allow-snippet-annotations: true
+        annotations-risk-level: Critical
+        # taken from https://github.com/ai-robots-txt/ai.robots.txt
+        block-user-agents: "AdsBot-Google,Amazonbot,anthropic-ai,Applebot-Extended,Bytespider,CCBot,ChatGPT-User,ClaudeBot,Claude-Web,cohere-ai,Diffbot,FacebookBot,FriendlyCrawler,Google-Extended,GoogleOther,GPTBot,img2dataset,omgili,omgilibot,peer39_crawler,peer39_crawler/1.0,PerplexityBot,YouBot,"
+        client-body-buffer-size: 100M
+        client-body-timeout: 120
+        client-header-timeout: 120
         custom-http-errors: 400,403,404,405,409,410,411,412,413,414,415,416,417,418,421,425,431,451,500,501,502,503,504,505,506,510
         enable-brotli: "true"
         enable-ocsp: "true"
         enable-real-ip: "true"
         force-ssl-redirect: "true"
         hide-headers: Server,X-Powered-By
+        hsts-max-age: 31449600
+        keep-alive-requests: 10000
+        keep-alive: 120
         log-format-escape-json: "true"
         log-format-upstream: >
           {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr",
@@ -64,7 +71,6 @@ spec:
         proxy-body-size: 0
         proxy-buffer-size: 16k
         ssl-protocols: TLSv1.3 TLSv1.2
-        use-geoip2: "true"
         use-forwarded-headers: "true"
       metrics:
         enabled: true
@@ -74,6 +80,10 @@ spec:
             any: true
       extraArgs:
         default-ssl-certificate: network/${DOMAIN/./-}-tls
+        publish-status-address: *hostname
+      terminationGracePeriodSeconds: 120
+      publishService:
+        enabled: false
       resources:
         requests:
           cpu: 100m
@@ -97,8 +107,3 @@ spec:
       extraEnvs:
         - name: TEMPLATE_NAME
           value: app-down
-  valuesFrom:
-    - targetPath: controller.maxmindLicenseKey
-      kind: Secret
-      name: nginx-external-maxmind
-      valuesKey: MAXMIND_LICENSE_KEY

kubernetes/apps/network/nginx/external/kustomization.yaml

@@ -4,4 +4,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./helmrelease.yaml
-  - ./maxmind-secret.sops.yaml