add media proxy

AokiApp · Feb 17, 2024 · c21ccad · c21ccad
1 parent c08d4af
commit c21ccad
Show file tree

Hide file tree

Showing 12 changed files with 237 additions and 5 deletions.
diff --git a/.github/workflows/build-publish-ghcr.yml b/.github/workflows/build-publish-ghcr.yml
@@ -0,0 +1,55 @@
+name: Push Docker image to GitHub Container Registry
+on:
+  push:
+  workflow_dispatch:
+
+jobs:
+  push_to_registry:
+    name: build
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        name:
+          - mediaproxy
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v2
+      - name: Cache Docker layers
+        uses: actions/cache@v2
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ matrix.name }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ matrix.name }}-buildx-
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@master
+        with:
+          platforms: arm64
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Log in to GitHub Docker Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build Docker image
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          context: images/${{ matrix.name }}
+          # platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64
+          tags: |
+            ghcr.io/${{ github.repository }}/${{ matrix.name }}:${{ github.sha }}
+            ghcr.io/${{ github.repository }}/${{ matrix.name }}:latest
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-1,mode=max
+      - name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-1 /tmp/.buildx-cache
diff --git a/images/mediaproxy/Dockerfile b/images/mediaproxy/Dockerfile
@@ -0,0 +1,30 @@
+# Using Node.js version 20
+FROM node:20
+
+# Install git
+RUN apt-get update && apt-get install -y git
+
+# make the directory
+RUN mkdir -p /usr/src/app
+
+# Set up the working directory
+WORKDIR /usr/src/app
+
+# Fetch the latest code from GitHub
+RUN git clone https://github.com/misskey-dev/media-proxy.git ./
+
+# Install dependencies
+RUN npm install
+
+# Build the application
+RUN npm run build
+
+# Set up environment variables
+ENV NODE_ENV production
+ENV PORT 3000
+
+# Expose the application on port 3000
+EXPOSE 3000
+
+# Run the application
+CMD [ "node", "dist/index.js" ]
diff --git a/manifests/base/applications/mediaproxy.yaml b/manifests/base/applications/mediaproxy.yaml
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: media-proxy-deployment
+  namespace: misskey
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: media-proxy
+  template:
+    metadata:
+      labels:
+        app: media-proxy
+    spec:
+      containers:
+        - name: media-proxy
+          image: ghcr.io/AokiApp/Aokey/mediaproxy:latest
+          ports:
+            - containerPort: 3000
+          volumeMounts:
+            - name: media-proxy-config
+              mountPath: /app/config.js
+              subPath: config.js
+      volumes:
+        - name: media-proxy-config
+          configMap:
+            name: media-proxy-configmap
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: media-proxy-service
+  namespace: misskey
+spec:
+  selector:
+    app: media-proxy
+  ports:
+    - protocol: TCP
+      port: 3000
+      targetPort: 3000
diff --git a/manifests/base/applications/web.yaml b/manifests/base/applications/web.yaml
@@ -36,10 +36,6 @@ spec:
             claimName: misskey-files-pvc
       securityContext:
         fsGroup: 991
-      hostAliases:
-        - ip: "10.0.1.4" # which is the local IP of the physical machine that runs Ingress Controller
-          hostnames:
-            - "key.aoki.app"
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim

diff --git a/manifests/base/cfg/config.js b/manifests/base/cfg/config.js
@@ -0,0 +1,31 @@
+import { readFileSync } from "node:fs";
+
+const repo = JSON.parse(readFileSync("./package.json", "utf8"));
+
+export default {
+  // UA
+
+  userAgent: `MisskeyMediaProxy/${repo.version}`,
+
+  // プライベートネットワークでも許可するIP CIDR（default.ymlと同じ）
+
+  allowedPrivateNetworks: [],
+
+  // ダウンロードするファイルの最大サイズ (bytes)
+
+  maxSize: 262144000,
+
+  // CORS
+
+  "Access-Control-Allow-Origin": "https://key.aoki.app",
+
+  "Access-Control-Allow-Headers": "*",
+
+  // CSP
+
+  "Content-Security-Policy": `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`,
+
+  // フォワードプロキシ
+
+  // proxy: 'http://127.0.0.1:3128'
+};
diff --git a/manifests/base/kustomization.yaml b/manifests/base/kustomization.yaml
@@ -3,4 +3,5 @@ namespace: misskey
 resources:
   - applications/redis.yaml
   - applications/web.yaml
+  - applications/mediaproxy.yaml
   - networking/ingress.yaml
diff --git a/manifests/base/networking/ingress.yaml b/manifests/base/networking/ingress.yaml
@@ -18,6 +18,13 @@ spec:
                 name: web-service
                 port:
                   number: 3000
+          - pathType: Prefix
+            path: "/proxy"
+            backend:
+              service:
+                name: media-proxy-service
+                port:
+                  number: 3000
 
   tls:
     - hosts:

diff --git a/manifests/overlays/development/cfg/config.js b/manifests/overlays/development/cfg/config.js
@@ -0,0 +1,31 @@
+import { readFileSync } from "node:fs";
+
+const repo = JSON.parse(readFileSync("./package.json", "utf8"));
+
+export default {
+  // UA
+
+  userAgent: `MisskeyMediaProxy/${repo.version}`,
+
+  // プライベートネットワークでも許可するIP CIDR（default.ymlと同じ）
+
+  allowedPrivateNetworks: [],
+
+  // ダウンロードするファイルの最大サイズ (bytes)
+
+  maxSize: 262144000,
+
+  // CORS
+
+  "Access-Control-Allow-Origin": "https://key.aoki.app",
+
+  "Access-Control-Allow-Headers": "*",
+
+  // CSP
+
+  "Content-Security-Policy": `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`,
+
+  // フォワードプロキシ
+
+  // proxy: 'http://127.0.0.1:3128'
+};
diff --git a/manifests/overlays/development/kustomization.yaml b/manifests/overlays/development/kustomization.yaml
@@ -10,7 +10,9 @@ configMapGenerator:
   - name: misskey-web-config
     files:
       - default.yml=cfg/web.yml
+  - name: media-proxy-configmap
+    files:
+      - config.js=cfg/config.js
 
 patches:
-  - path: applications/psql.yaml
   - path: applications/redis.yaml
diff --git a/manifests/overlays/production/cfg/config.js b/manifests/overlays/production/cfg/config.js
@@ -0,0 +1,31 @@
+import { readFileSync } from "node:fs";
+
+const repo = JSON.parse(readFileSync("./package.json", "utf8"));
+
+export default {
+  // UA
+
+  userAgent: `MisskeyMediaProxy/${repo.version}`,
+
+  // プライベートネットワークでも許可するIP CIDR（default.ymlと同じ）
+
+  allowedPrivateNetworks: [],
+
+  // ダウンロードするファイルの最大サイズ (bytes)
+
+  maxSize: 262144000,
+
+  // CORS
+
+  "Access-Control-Allow-Origin": "https://key.aoki.app",
+
+  "Access-Control-Allow-Headers": "*",
+
+  // CSP
+
+  "Content-Security-Policy": `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`,
+
+  // フォワードプロキシ
+
+  // proxy: 'http://127.0.0.1:3128'
+};
diff --git a/manifests/overlays/production/kustomization.yaml b/manifests/overlays/production/kustomization.yaml
@@ -7,6 +7,9 @@ configMapGenerator:
   - name: misskey-web-config
     files:
       - default.yml=cfg/web.yml
+  - name: media-proxy-configmap
+    files:
+      - config.js=cfg/config.js
 
 patches:
   - path: patches.yaml
diff --git a/manifests/overlays/production/patches.yaml b/manifests/overlays/production/patches.yaml
@@ -10,3 +10,7 @@ spec:
       containers:
         - name: web
           image: misskey/misskey:2024.2.0
+      hostAliases:
+        - ip: "10.0.1.4" # which is the local IP of the physical machine that runs Ingress Controller
+          hostnames:
+            - "key.aoki.app"