From c21ccad86e33df51c79380a0e6b5a16fef8293fb Mon Sep 17 00:00:00 2001
From: yuki-js
Date: Sat, 17 Feb 2024 17:58:31 +0900
Subject: [PATCH] add media proxy
---
.github/workflows/build-publish-ghcr.yml | 55 +++++++++++++++++++
images/mediaproxy/Dockerfile | 30 ++++++++++
manifests/base/applications/mediaproxy.yaml | 41 ++++++++++++++
manifests/base/applications/web.yaml | 4 --
manifests/base/cfg/config.js | 31 +++++++++++
manifests/base/kustomization.yaml | 1 +
manifests/base/networking/ingress.yaml | 7 +++
manifests/overlays/development/cfg/config.js | 31 +++++++++++
.../overlays/development/kustomization.yaml | 4 +-
manifests/overlays/production/cfg/config.js | 31 +++++++++++
.../overlays/production/kustomization.yaml | 3 +
manifests/overlays/production/patches.yaml | 4 ++
12 files changed, 237 insertions(+), 5 deletions(-)
create mode 100644 .github/workflows/build-publish-ghcr.yml
create mode 100644 images/mediaproxy/Dockerfile
create mode 100644 manifests/base/applications/mediaproxy.yaml
create mode 100644 manifests/base/cfg/config.js
create mode 100644 manifests/overlays/development/cfg/config.js
create mode 100644 manifests/overlays/production/cfg/config.js
diff --git a/.github/workflows/build-publish-ghcr.yml b/.github/workflows/build-publish-ghcr.yml
new file mode 100644
index 0000000..41979e6
--- /dev/null
+++ b/.github/workflows/build-publish-ghcr.yml
@@ -0,0 +1,55 @@
+name: Push Docker image to GitHub Container Registry
+on:
+ push:
+ workflow_dispatch:
+
+jobs:
+ push_to_registry:
+ name: build
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ name:
+ - mediaproxy
+ permissions:
+ packages: write
+ contents: read
+ steps:
+ - name: Check out the repo
+ uses: actions/checkout@v2
+ - name: Cache Docker layers
+ uses: actions/cache@v2
+ with:
+ path: /tmp/.buildx-cache
+ key: ${{ matrix.name }}-buildx-${{ github.sha }}
+ restore-keys: |
+ ${{ matrix.name }}-buildx-
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@master
+ with:
+ platforms: arm64
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+ - name: Log in to GitHub Docker Registry
+ uses: docker/login-action@v1
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Build Docker image
+ uses: docker/build-push-action@v2
+ with:
+ push: true
+ context: images/${{ matrix.name }}
+ # platforms: linux/amd64,linux/arm64
+ platforms: linux/amd64
+ tags: |
+ ghcr.io/${{ github.repository }}/${{ matrix.name }}:${{ github.sha }}
+ ghcr.io/${{ github.repository }}/${{ matrix.name }}:latest
+ cache-from: type=local,src=/tmp/.buildx-cache
+ cache-to: type=local,dest=/tmp/.buildx-cache-1,mode=max
+ - name: Move cache
+ run: |
+ rm -rf /tmp/.buildx-cache
+ mv /tmp/.buildx-cache-1 /tmp/.buildx-cache
diff --git a/images/mediaproxy/Dockerfile b/images/mediaproxy/Dockerfile
new file mode 100644
index 0000000..3d6ed28
--- /dev/null
+++ b/images/mediaproxy/Dockerfile
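Review bot: The `on: push:` trigger has no branch filter, so a push to any branch rebuilds and overwrites `ghcr.io/${{ github.repository }}/mediaproxy:latest` with that branch's content, and the manifests pull `:latest`; restrict it, e.g. `push: branches: [<default-branch>]` (placeholder), or only tag `:latest` from the default branch. `uses: docker/setup-qemu-action@master` pins a third-party action to a moving branch, which is a supply-chain exposure, and the step is dead anyway because `platforms: linux/amd64` builds no arm64 image — pin it to a release tag or commit SHA, or remove it until the arm64 build is enabled. If `${{ github.repository }}` contains uppercase characters (the manifest in this commit references `AokiApp/Aokey`), the tag handed to build-push-action is an invalid image reference since repository names must be lowercase; lowercase it in a preceding step and use that value in `tags:`.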
@@ -0,0 +1,30 @@
+# Using Node.js version 20
+FROM node:20
+
+# Install git
+RUN apt-get update && apt-get install -y git
+
+# make the directory
+RUN mkdir -p /usr/src/app
+
+# Set up the working directory
+WORKDIR /usr/src/app
+
+# Fetch the latest code from GitHub
+RUN git clone https://github.com/misskey-dev/media-proxy.git ./
+
+# Install dependencies
+RUN npm install
+
+# Build the application
+RUN npm run build
+
+# Set up environment variables
+ENV NODE_ENV production
+ENV PORT 3000
+
+# Expose the application on port 3000
+EXPOSE 3000
+
+# Run the application
+CMD [ "node", "dist/index.js" ]
diff --git a/manifests/base/applications/mediaproxy.yaml b/manifests/base/applications/mediaproxy.yaml
new file mode 100644
index 0000000..34ce0eb
--- /dev/null
+++ b/manifests/base/applications/mediaproxy.yaml
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: media-proxy-deployment
+ namespace: misskey
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: media-proxy
+ template:
+ metadata:
+ labels:
+ app: media-proxy
+ spec:
+ containers:
+ - name: media-proxy
+ image: ghcr.io/AokiApp/Aokey/mediaproxy:latest
+ ports:
+ - containerPort: 3000
+ volumeMounts:
+ - name: media-proxy-config
+ mountPath: /app/config.js
+ subPath: config.js
+ volumes:
+ - name: media-proxy-config
+ configMap:
+ name: media-proxy-configmap
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: media-proxy-service
+ namespace: misskey
+spec:
+ selector:
+ app: media-proxy
+ ports:
+ - protocol: TCP
+ port: 3000
+ targetPort: 3000
diff --git a/manifests/base/applications/web.yaml b/manifests/base/applications/web.yaml
index 49db3ea..9e45d9c 100644
--- a/manifests/base/applications/web.yaml
+++ b/manifests/base/applications/web.yaml
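Review bot: `RUN git clone https://github.com/misskey-dev/media-proxy.git ./` builds whatever the upstream default branch points to at build time, so the image is not reproducible and every rebuild pulls unreviewed upstream changes straight into the `:latest` tag the manifests deploy; pin a reviewed release, e.g. `RUN git clone --depth 1 --branch <upstream-tag> https://github.com/misskey-dev/media-proxy.git ./` (placeholder tag), and bump it deliberately. The container also runs as root: the `node:20` base image ships a `node` user, so add `USER node` before `CMD` once the build steps are done and `/usr/src/app` is owned accordingly. `npm install` ignores any lockfile pinning that `npm ci` would enforce; whether upstream ships a lockfile is not visible here, so confirm and prefer `npm ci` if it does.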
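Review bot: `image: ghcr.io/AokiApp/Aokey/mediaproxy:latest` contains uppercase path components, which the OCI image-reference grammar rejects (repository names must be lowercase), so the kubelet will fail to pull and the pods will never start; use `ghcr.io/aokiapp/aokey/mediaproxy:<tag>` with the case the registry actually serves. The ConfigMap is mounted at `mountPath: /app/config.js`, while the Dockerfile in this commit sets `WORKDIR /usr/src/app` and runs `node dist/index.js` from there — unless media-proxy reads its config from an absolute `/app/config.js` (not visible here), the mounted file is ignored and the proxy runs with upstream defaults rather than the CORS and size settings in config.js; confirm the path upstream expects and align the two. Pinning `image:` to the `${{ github.sha }}` tag the workflow also pushes, instead of `:latest`, would make rollouts and rollbacks deterministic. The container has no `resources` limits and no `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`) even though it fetches and transcodes arbitrary remote media.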
@@ -36,10 +36,6 @@ spec: claimName: misskey-files-pvc securityContext: fsGroup: 991
- hostAliases:
- - ip: "10.0.1.4" # which is the local IP of the physical machine that runs Ingress Controller
- hostnames:
- - "key.aoki.app"
--- apiVersion: v1 kind: PersistentVolumeClaim
diff --git a/manifests/base/cfg/config.js b/manifests/base/cfg/config.js
new file mode 100644
index 0000000..bc6f210
--- /dev/null
+++ b/manifests/base/cfg/config.js
@@ -0,0 +1,31 @@
+import { readFileSync } from "node:fs";
+
+const repo = JSON.parse(readFileSync("./package.json", "utf8"));
+
+export default {
+ // UA
+
+ userAgent: `MisskeyMediaProxy/${repo.version}`,
+
+ // プライベートネットワークでも許可するIP CIDR(default.ymlと同じ)
+
+ allowedPrivateNetworks: [],
+
+ // ダウンロードするファイルの最大サイズ (bytes)
+
+ maxSize: 262144000,
+
+ // CORS
+
+ "Access-Control-Allow-Origin": "https://key.aoki.app",
+
+ "Access-Control-Allow-Headers": "*",
+
+ // CSP
+
+ "Content-Security-Policy": `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`,
+
+ // フォワードプロキシ
+
+ // proxy: 'http://127.0.0.1:3128'
+};
diff --git a/manifests/base/kustomization.yaml b/manifests/base/kustomization.yaml
index 4c665af..6fe3f5c 100644
--- a/manifests/base/kustomization.yaml
+++ b/manifests/base/kustomization.yaml
@@ -3,4 +3,5 @@ namespace: misskey resources: - applications/redis.yaml - applications/web.yaml + - applications/mediaproxy.yaml - networking/ingress.yaml
diff --git a/manifests/base/networking/ingress.yaml b/manifests/base/networking/ingress.yaml
index 7be85fc..c3ea35b 100644
--- a/manifests/base/networking/ingress.yaml
+++ b/manifests/base/networking/ingress.yaml
@@ -18,6 +18,13 @@ spec: name: web-service port: number: 3000 + - pathType: Prefix + path: "/proxy" + backend: + service: + name: media-proxy-service + port: + number: 3000 tls: - hosts:
diff --git a/manifests/overlays/development/cfg/config.js b/manifests/overlays/development/cfg/config.js
new file mode 100644
index 0000000..bc6f210
--- /dev/null
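Review bot: This file is byte-identical to `manifests/overlays/development/cfg/config.js` and `manifests/overlays/production/cfg/config.js` added in the same commit, and the base `kustomization.yaml` hunk adds only `applications/mediaproxy.yaml` with no `configMapGenerator` for `media-proxy-configmap` in view, so the base copy appears unused while the base Deployment references a ConfigMap that only the overlays generate; if the base has no generator elsewhere in that file (outside the hunk), building it alone yields pods stuck on a missing volume. Generate the ConfigMap from this file in the base and let each overlay patch only the keys that differ, or drop this copy, so the three files cannot drift apart. `readFileSync("./package.json", "utf8")` resolves against the process working directory, not the module's directory, which presumably works only because the Dockerfile starts node from `/usr/src/app` — a comment stating that dependency, e.g. `// relative to the container WORKDIR; media-proxy is started from its checkout root`, would help the next maintainer.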
+++ b/manifests/overlays/development/cfg/config.js
@@ -0,0 +1,31 @@
+import { readFileSync } from "node:fs";
+
+const repo = JSON.parse(readFileSync("./package.json", "utf8"));
+
+export default {
+ // UA
+
+ userAgent: `MisskeyMediaProxy/${repo.version}`,
+
+ // プライベートネットワークでも許可するIP CIDR(default.ymlと同じ)
+
+ allowedPrivateNetworks: [],
+
+ // ダウンロードするファイルの最大サイズ (bytes)
+
+ maxSize: 262144000,
+
+ // CORS
+
+ "Access-Control-Allow-Origin": "https://key.aoki.app",
+
+ "Access-Control-Allow-Headers": "*",
+
+ // CSP
+
+ "Content-Security-Policy": `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`,
+
+ // フォワードプロキシ
+
+ // proxy: 'http://127.0.0.1:3128'
+};
diff --git a/manifests/overlays/development/kustomization.yaml b/manifests/overlays/development/kustomization.yaml
index cac01b7..09a748f 100644
--- a/manifests/overlays/development/kustomization.yaml
+++ b/manifests/overlays/development/kustomization.yaml
@@ -10,7 +10,9 @@ configMapGenerator: - name: misskey-web-config files: - default.yml=cfg/web.yml + - name: media-proxy-configmap + files: + - config.js=cfg/config.js patches: - - path: applications/psql.yaml - path: applications/redis.yaml
diff --git a/manifests/overlays/production/cfg/config.js b/manifests/overlays/production/cfg/config.js
new file mode 100644
index 0000000..bc6f210
--- /dev/null
+++ b/manifests/overlays/production/cfg/config.js
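Review bot: `"Access-Control-Allow-Origin": "https://key.aoki.app"` in the development overlay is the production origin; if the development instance is served from a different host (not visible here), browsers on that host are refused cross-origin access to proxied media, and since the file is otherwise identical to the base copy the overlay currently adds nothing. Set the development origin here and keep only that line different from the base. A short comment above the CORS block naming which environment the origin belongs to, e.g. `// origin of the development web frontend; must match the overlay's ingress host`, would make a copy-paste mismatch like this visible at review time.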
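Review bot: The removal of `- path: applications/psql.yaml` from `patches` is unrelated to the media proxy this commit adds and silently changes the development database deployment; if it is intentional, it belongs in its own commit or at least in the message, otherwise restore the line. The new generator `media-proxy-configmap` matches the `configMap.name` used by the base Deployment, so kustomize's name-reference rewriting should attach the hashed name, but the identical generator block is repeated verbatim in the production overlay — declaring it once in the base and overriding `cfg/config.js` per overlay would keep the two in step.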
@@ -0,0 +1,31 @@
+import { readFileSync } from "node:fs";
+
+const repo = JSON.parse(readFileSync("./package.json", "utf8"));
+
+export default {
+ // UA
+
+ userAgent: `MisskeyMediaProxy/${repo.version}`,
+
+ // プライベートネットワークでも許可するIP CIDR(default.ymlと同じ)
+
+ allowedPrivateNetworks: [],
+
+ // ダウンロードするファイルの最大サイズ (bytes)
+
+ maxSize: 262144000,
+
+ // CORS
+
+ "Access-Control-Allow-Origin": "https://key.aoki.app",
+
+ "Access-Control-Allow-Headers": "*",
+
+ // CSP
+
+ "Content-Security-Policy": `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`,
+
+ // フォワードプロキシ
+
+ // proxy: 'http://127.0.0.1:3128'
+};
diff --git a/manifests/overlays/production/kustomization.yaml b/manifests/overlays/production/kustomization.yaml
index cb0bbbf..2a5a6aa 100644
--- a/manifests/overlays/production/kustomization.yaml
+++ b/manifests/overlays/production/kustomization.yaml
@@ -7,6 +7,9 @@ configMapGenerator: - name: misskey-web-config files: - default.yml=cfg/web.yml + - name: media-proxy-configmap + files: + - config.js=cfg/config.js patches: - path: patches.yaml
diff --git a/manifests/overlays/production/patches.yaml b/manifests/overlays/production/patches.yaml
index 2bcf9ff..cfa8f92 100644
--- a/manifests/overlays/production/patches.yaml
+++ b/manifests/overlays/production/patches.yaml
@@ -10,3 +10,7 @@ spec: containers: - name: web image: misskey/misskey:2024.2.0
+ hostAliases:
+ - ip: "10.0.1.4" # which is the local IP of the physical machine that runs Ingress Controller
+ hostnames:
+ - "key.aoki.app"
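Review bot: `hostAliases` pinning `key.aoki.app` to `10.0.1.4` now applies only to the `web` pod, while the new media-proxy pod fetches the media it serves by URL and will resolve `key.aoki.app` through cluster DNS; if the alias exists to work around hairpin routing back to the ingress controller (as the comment suggests), proxy requests for locally hosted media may hit the same problem, and if the alias were simply copied to the proxy pod, `allowedPrivateNetworks: []` in its config.js would presumably make the proxy refuse the private address — confirm how media-proxy treats that case before relying on either path. Pointing the proxy at the in-cluster `web-service` for local media, or listing the address under `allowedPrivateNetworks` with a comment stating why, would make the intended path explicit. The patch target this block belongs to starts outside the hunk.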