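# Envoy bootstrap for a small edge proxy: :80 redirects to HTTPS, :443/TCP
# (TLS, h2) and :443/UDP (HTTP/3) front a set of Docker-hosted apps. A subset
# of the virtual hosts is restricted to internal source addresses via the
# ip_tagging filter plus a Lua per-route gate (see allow_private_access_rbac).
layered_runtime:
  layers:
    - name: static_layer
      static_layer:
        # Hard cap on concurrent downstream connections (resource monitor).
        envoy.resource_monitors.downstream_connections: 2048
        envoy.reloadable_features.http1_use_balsa_parser: true
        envoy.reloadable_features.http2_use_oghttp2: true
        envoy.reloadable_features.unified_mux: true
        envoy.reloadable_features.enable_include_histograms: true
# Bootstrap-level field; false is Envoy's default.
enable_dispatcher_stats: false
admin:
  # SECURITY: the admin API is unauthenticated (config dumps, stats, mutating
  # endpoints). "::0" with ipv4_compat binds every v4 and v6 interface on the
  # host, i.e. the same interfaces that serve :80/:443. Keep this only if
  # 9901 is guaranteed unreachable from outside (not published by Docker,
  # host firewall); otherwise bind a loopback or internal-only address.
  # NOTE(review): an external scraper seems to exist (the CEL filter below
  # mutes /stats/prometheus from the admin log) — confirm where it runs
  # before narrowing the bind address.
  address:
    socket_address:
      address: ::0
      port_value: 9901
      ipv4_compat: true
  access_log:
    - name: envoy.access_loggers.file
      filter:
        extension_filter:
          name: envoy.access_loggers.extension_filters.cel
          typed_config:
            '@type': type.googleapis.com/envoy.extensions.access_loggers.filters.cel.v3.ExpressionFilter
            # Drop the periodic metrics scrape from the admin log; every other
            # admin request (including mutating endpoints) is still logged.
            expression: "!request.url_path.contains('/stats/prometheus')"
      typed_config:
        '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
        path: /dev/stdout
static_resources:
  listeners:
    # Plain HTTP on :80 — every request is answered with a 302 to https://.
    - name: http_listener
      address:
        socket_address:
          address: ::0
          port_value: 80
          ipv4_compat: true
      listener_filters:
        - name: "envoy.filters.listener.http_inspector"
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.listener.http_inspector.v3.HttpInspector
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                access_log:
                  - name: envoy.access_loggers.file
                    typed_config:
                      '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                      path: /dev/stdout
                      log_format:
                        text_format_source:
                          inline_string: "[%START_TIME%] HTTP %REQ(x-envoy-internal)% %REQ(x-envoy-external-address)% %DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT% \"%REQ(:METHOD)% %REQUESTED_SERVER_NAME% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_FLAGS_LONG% %RESPONSE_CODE_DETAILS% \"%UPSTREAM_TRANSPORT_FAILURE_REASON%\" %BYTES_RECEIVED% %BYTES_SENT% %RESP(Content-Type)% %RESP(Content-Range)% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% \n"
                codec_type: AUTO
                stat_prefix: ingress_http
                generate_request_id: true
                always_set_request_id_in_response: true
                preserve_external_request_id: true
                # The immediate peer is the client (no trusted proxy in front),
                # so XFF from the client is not used for address decisions.
                use_remote_address: true
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config:
                      '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                route_config:
                  name: redirect_to_https
                  virtual_hosts:
                    - name: redirect_to_https
                      domains:
                        - "*"
                      routes:
                        - match:
                            prefix: "/"
                          redirect:
                            responseCode: FOUND
                            https_redirect: true
          transport_socket:
            name: envoy.transport_sockets.downstream
            typed_config:
              '@type': type.googleapis.com/envoy.extensions.transport_sockets.tcp_stats.v3.Config
              transport_socket:
                name: envoy.transport_sockets.raw_buffer
                typed_config:
                  '@type': type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer
              update_period: 30s
    # TLS on :443/TCP. h2 is the only ALPN offered; clients that do not send
    # ALPN fall back to whatever the codec (AUTO) detects.
    - name: https_listener
      per_connection_buffer_limit_bytes: 65536
      address:
        socket_address:
          address: ::0
          port_value: 443
          protocol: TCP
          ipv4_compat: true
      listener_filters:
        - name: envoy.filters.listener.tls_inspector
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
      filter_chains:
        - transport_socket:
            name: envoy.transport_sockets.downstream
            typed_config:
              '@type': type.googleapis.com/envoy.extensions.transport_sockets.tcp_stats.v3.Config
              transport_socket:
                name: envoy.transport_sockets.tls
                typed_config:
                  '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
                  # No tls_params set, so the minimum TLS version and cipher
                  # list are this Envoy version's defaults; pin
                  # tls_params.tls_minimum_protocol_version if policy requires.
                  common_tls_context:
                    alpn_protocols:
                      - h2
                    tls_certificates:
                      - certificate_chain:
                          filename: /etc/letsencrypt/live/adi.run/fullchain.pem
                        private_key:
                          filename: /etc/letsencrypt/live/adi.run/privkey.pem
              update_period: 30s
          filter_chain_match:
            transport_protocol: tls
          filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                access_log:
                  - name: envoy.access_loggers.file
                    typed_config:
                      '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                      path: /dev/stdout
                      log_format:
                        text_format_source:
                          # X-ENVOY-IP-TAGS is logged so "internal"/"-" shows
                          # which side of the Lua gate a request fell on.
                          inline_string: "[%START_TIME%] HTTPS %REQ(X-ENVOY-IP-TAGS)% %REQ(x-envoy-internal)% %REQ(x-envoy-external-address)% %DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT% \"%REQ(:METHOD)% %REQUESTED_SERVER_NAME% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_FLAGS_LONG% %RESPONSE_CODE_DETAILS% \"%UPSTREAM_TRANSPORT_FAILURE_REASON%\" %BYTES_RECEIVED% %BYTES_SENT% %RESP(Content-Type)% %RESP(Content-Range)% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% \n"
                codec_type: AUTO
                stat_prefix: ingress_https
                upgrade_configs:
                  - upgrade_type: websocket
                generate_request_id: true
                always_set_request_id_in_response: true
                preserve_external_request_id: true
                use_remote_address: true
                # Anchored so the HTTP/3 listener runs the identical chain.
                http_filters: &http_filters
                  # ip_tagging adds "internal" to x-envoy-ip-tags when the
                  # downstream address is in ip_list. The Lua gate below trusts
                  # that header, so it must never be client-controlled: this
                  # relies on the HCM (use_remote_address: true) stripping
                  # x-envoy-* request headers, x-envoy-ip-tags included, from
                  # peers it classifies as external before filters run.
                  # NOTE(review): that classification comes from
                  # internal_address_config, which is not set here and whose
                  # default is version-dependent. A peer the HCM counts as
                  # internal but that is NOT in ip_list keeps whatever
                  # x-envoy-ip-tags it sent, so keep internal_address_config
                  # no wider than ip_list (set it explicitly) — confirm for the
                  # deployed Envoy version.
                  - name: envoy.filters.http.ip_tagging
                    typed_config:
                      '@type': type.googleapis.com/envoy.extensions.filters.http.ip_tagging.v3.IPTagging
                      ip_tags:
                        - ip_tag_name: internal
                          ip_list:
                            # Host bits are set in the first two entries
                            # (10.0.0.1/27, 172.16.0.1/29); Envoy masks them,
                            # but the network address is the clearer form.
                            - address_prefix: 10.0.0.1
                              prefix_len: 27
                            - address_prefix: 172.16.0.1
                              prefix_len: 29
                            # tailscale prefixes
                            - address_prefix: 100.64.0.0
                              prefix_len: 10
                            - address_prefix: "fd7a:115c:a1e0:ab12::"
                              prefix_len: 64
                            # for docker
                            - address_prefix: 192.168.0.0
                              prefix_len: 16
                  # No global script: the Lua filter only runs where a route
                  # supplies LuaPerRoute source (allow_private_access_rbac).
                  - name: envoy.filters.http.lua
                    typed_config:
                      '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
                  - name: envoy.filters.http.router
                    typed_config:
                      '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                common_http_protocol_options:
                  idle_timeout: 600s
                http2_protocol_options:
                  allow_connect: true
                  initial_connection_window_size: 65536
                  initial_stream_window_size: 65536
                http_protocol_options:
                  accept_http_10: true
                route_config:
                  name: default
                  # Advertises HTTP/3 on :443 on every response. Nothing here
                  # adds strict-transport-security; with the :80 redirect in
                  # place an HSTS header would be the usual companion.
                  response_headers_to_add: &response_headers_to_add
                    - header:
                        key: alt-svc
                        value: h3=":443"; ma=86400
                  virtual_hosts:
                    # Public hosts: ping, plex, jellyfin, overseerr.
                    # Internal-only hosts: transmission, code, tautulli, radarr.
                    - name: ping
                      domains:
                        - ping.*
                        - ping.nuc.adi.run
                      routes:
                        - match:
                            prefix: /
                          route:
                            cluster: ping
                            timeout: 1500s # Let it stream
                            retry_policy: &retry_policy
                              host_selection_retry_max_attempts: "3"
                              num_retries: 3
                              retry_on: reset,connect-failure,refused-stream,gateway-error,http3-post-connect-failure
                    - name: plex
                      domains:
                        - plex.*
                        - plex.nuc.adi.run
                      routes:
                        - match:
                            prefix: /
                          route:
                            cluster: plex
                            timeout: 1500s # Let it stream
                            # Was a second "&retry_policy" definition with the
                            # same body; redefining an anchor silently rebinds
                            # every later alias, so reuse the one above.
                            retry_policy: *retry_policy
                    - name: jellyfin
                      domains:
                        - jellyfin.*
                        - jellyfin.nuc.adi.run
                      routes:
                        - match:
                            prefix: /
                          route:
                            cluster: jellyfin
                            timeout: 1500s # Let it stream
                            retry_policy: *retry_policy
                    - name: overseerr
                      domains:
                        - overseerr.*
                        - overseerr.nuc.adi.run
                      routes:
                        - match:
                            prefix: /
                          route:
                            cluster: overseerr
                            timeout: 5s
                            retry_policy: *retry_policy
                    - name: transmission
                      domains:
                        - transmission.*
                        - transmission.nuc.adi.run
                      routes:
                        - match:
                            prefix: /
                          route:
                            cluster: transmission
                            timeout: 5s
                            retry_policy: *retry_policy
                          # Per-route Lua gate, reused by alias on the code,
                          # tautulli and radarr hosts and by the HTTP/3
                          # listener. Fail-closed: a request whose
                          # x-envoy-ip-tags is missing or not exactly
                          # "internal" gets a local 403 and never reaches the
                          # upstream. Because the comparison is exact, adding a
                          # second ip_tag_name (tags are comma-joined into the
                          # header) would start denying internal clients too.
                          typed_per_filter_config: &allow_private_access_rbac
                            envoy.filters.http.lua:
                              '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute
                              source_code:
                                inline_string: |
                                  function envoy_on_request(request_handle)
                                    local headers = request_handle:headers()
                                    local x_envoy_ip_tags = headers:get("x-envoy-ip-tags")
                                    -- if x-envoy-ip-tags is not set or not equal to "internal"
                                    -- then return 403
                                    if x_envoy_ip_tags == nil or x_envoy_ip_tags ~= "internal" then
                                      request_handle:respond(
                                        {[":status"] = "403"}, "Access denied\n"
                                      )
                                    end
                                  end
                    - name: code
                      domains:
                        - code.*
                        - code.nuc.adi.run
                      routes:
                        - match:
                            prefix: /
                          route:
                            cluster: code
                            timeout: 5s
                            retry_policy: *retry_policy
                          typed_per_filter_config: *allow_private_access_rbac
                    - name: tautulli
                      domains:
                        - tautulli.*
                        - tautulli.nuc.adi.run
                      routes:
                        - match:
                            prefix: /
                          route:
                            cluster: tautulli
                            timeout: 5s
                            retry_policy: *retry_policy
                          typed_per_filter_config: *allow_private_access_rbac
                    - name: radarr
                      domains:
                        - radarr.*
                        - radarr.nuc.adi.run
                      routes:
                        - match:
                            prefix: /
                          route:
                            cluster: radarr
                            timeout: 5s
                            retry_policy: *retry_policy
                          typed_per_filter_config: *allow_private_access_rbac
    # HTTP/3 on :443/UDP, same certificate and (via aliases) the same filter
    # chain and per-route gate as the TLS listener. The ping host is not
    # exposed here.
    - name: quic_listener
      per_connection_buffer_limit_bytes: 65536
      address:
        socket_address:
          address: ::0
          port_value: 443
          protocol: UDP
          ipv4_compat: true
      udp_listener_config:
        quic_options: {}
        downstream_socket_config:
          prefer_gro: true
      filter_chains:
        - transport_socket:
            name: envoy.transport_sockets.quic
            typed_config:
              '@type': type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicDownstreamTransport
              downstream_tls_context:
                common_tls_context:
                  tls_certificates:
                    - certificate_chain:
                        filename: /etc/letsencrypt/live/adi.run/fullchain.pem
                      private_key:
                        filename: /etc/letsencrypt/live/adi.run/privkey.pem
              # 0-RTT lets a returning client send its first request before the
              # handshake completes; such data can be replayed by an on-path
              # observer. NOTE(review): confirm how this Envoy version treats
              # non-safe methods arriving as early data before relying on it in
              # front of apps that accept state-changing requests.
              enable_early_data: true
          filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                access_log:
                  - name: envoy.access_loggers.file
                    typed_config:
                      '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                      path: /dev/stdout
                      log_format:
                        text_format_source:
                          inline_string: "[%START_TIME%] QUIC %REQ(X-ENVOY-IP-TAGS)% %REQ(x-envoy-internal)% %REQ(x-envoy-external-address)% %DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT% \"%REQ(:METHOD)% %REQUESTED_SERVER_NAME% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_FLAGS_LONG% %RESPONSE_CODE_DETAILS% \"%UPSTREAM_TRANSPORT_FAILURE_REASON%\" %BYTES_RECEIVED% %BYTES_SENT% %RESP(Content-Type)% %RESP(Content-Range)% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% \n"
                codec_type: HTTP3
                stat_prefix: ingress_quic
                upgrade_configs:
                  - upgrade_type: websocket
                http3_protocol_options:
                  allow_extended_connect: false
                  quic_protocol_options:
                    initial_connection_window_size: 65536
                    initial_stream_window_size: 65536
                generate_request_id: true
                always_set_request_id_in_response: true
                preserve_external_request_id: true
                use_remote_address: true
                http_filters: *http_filters
                common_http_protocol_options:
                  idle_timeout: 600s
                http_protocol_options:
                  accept_http_10: true
                route_config:
                  name: default
                  response_headers_to_add: *response_headers_to_add
                  virtual_hosts:
                    - name: plex
                      domains:
                        - plex.*
                        - plex.nuc.adi.run
                      routes:
                        - match:
                            prefix: /
                          route:
                            cluster: plex
                            timeout: 1500s # Let it stream
                            retry_policy: *retry_policy
                    - name: jellyfin
                      domains:
                        - jellyfin.*
                        - jellyfin.nuc.adi.run
                      routes:
                        - match:
                            prefix: /
                          route:
                            cluster: jellyfin
                            timeout: 1500s # Let it stream
                            retry_policy: *retry_policy
                    - name: overseerr
                      domains:
                        - overseerr.*
                        - overseerr.nuc.adi.run
                      routes:
                        - match:
                            prefix: /
                          route:
                            cluster: overseerr
                            timeout: 5s
                            retry_policy: *retry_policy
                    - name: transmission
                      domains:
                        - transmission.*
                        - transmission.nuc.adi.run
                      routes:
                        - match:
                            prefix: /
                          route:
                            cluster: transmission
                            timeout: 5s
                            retry_policy: *retry_policy
                          typed_per_filter_config: *allow_private_access_rbac
                    - name: code
                      domains:
                        - code.*
                        - code.nuc.adi.run
                      routes:
                        - match:
                            prefix: /
                          route:
                            cluster: code
                            timeout: 5s
                            retry_policy: *retry_policy
                          typed_per_filter_config: *allow_private_access_rbac
                    - name: tautulli
                      domains:
                        - tautulli.*
                        - tautulli.nuc.adi.run
                      routes:
                        - match:
                            prefix: /
                          route:
                            cluster: tautulli
                            timeout: 5s
                            retry_policy: *retry_policy
                          typed_per_filter_config: *allow_private_access_rbac
                    - name: radarr
                      domains:
                        - radarr.*
                        - radarr.nuc.adi.run
                      routes:
                        - match:
                            prefix: /
                          route:
                            cluster: radarr
                            timeout: 5s
                            retry_policy: *retry_policy
                          typed_per_filter_config: *allow_private_access_rbac
  # Upstreams are resolved by Docker service name (LOGICAL_DNS). Only plex
  # enables track_cluster_stats; the others share the same circuit breakers.
  clusters:
    - name: plex
      type: LOGICAL_DNS
      lb_policy: ROUND_ROBIN
      connect_timeout: 0.050s
      load_assignment:
        cluster_name: plex
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: plex
                      port_value: 32400
      track_cluster_stats:
        timeout_budgets: true
        request_response_sizes: true
      upstream_connection_options:
        tcp_keepalive: {}
      per_connection_buffer_limit_bytes: 65536
      circuit_breakers: &circuit_breakers
        thresholds:
          - max_connections: 1024
            max_pending_requests: 1024
            max_requests: 1024
            max_connection_pools: 100
            retry_budget: {}
            track_remaining: true
    - name: jellyfin
      type: LOGICAL_DNS
      lb_policy: ROUND_ROBIN
      connect_timeout: 0.050s
      load_assignment:
        cluster_name: jellyfin
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: jellyfin
                      port_value: 8096
      track_cluster_stats:
        timeout_budgets: true
        request_response_sizes: true
      upstream_connection_options:
        tcp_keepalive: {}
      per_connection_buffer_limit_bytes: 65536
      circuit_breakers: *circuit_breakers
    - name: tautulli
      type: LOGICAL_DNS
      lb_policy: ROUND_ROBIN
      connect_timeout: 0.050s
      load_assignment:
        cluster_name: tautulli
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: tautulli
                      port_value: 8181
      upstream_connection_options:
        tcp_keepalive: {}
      per_connection_buffer_limit_bytes: 65536
      circuit_breakers: *circuit_breakers
    - name: overseerr
      type: LOGICAL_DNS
      lb_policy: ROUND_ROBIN
      connect_timeout: 0.050s
      load_assignment:
        cluster_name: overseerr
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: overseerr
                      port_value: 5055
      upstream_connection_options:
        tcp_keepalive: {}
      per_connection_buffer_limit_bytes: 65536
      circuit_breakers: *circuit_breakers
    - name: radarr
      type: LOGICAL_DNS
      lb_policy: ROUND_ROBIN
      connect_timeout: 0.050s
      load_assignment:
        cluster_name: radarr
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: radarr
                      port_value: 7878
      upstream_connection_options:
        tcp_keepalive: {}
      per_connection_buffer_limit_bytes: 65536
      circuit_breakers: *circuit_breakers
    - name: transmission
      type: LOGICAL_DNS
      lb_policy: ROUND_ROBIN
      connect_timeout: 0.050s
      load_assignment:
        cluster_name: transmission
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: transmission
                      port_value: 9091
      upstream_connection_options:
        tcp_keepalive: {}
      per_connection_buffer_limit_bytes: 65536
      circuit_breakers: *circuit_breakers
    - name: code
      type: LOGICAL_DNS
      lb_policy: ROUND_ROBIN
      connect_timeout: 0.050s
      load_assignment:
        cluster_name: code
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: code-server
                      port_value: 8443
      upstream_connection_options:
        tcp_keepalive: {}
      per_connection_buffer_limit_bytes: 65536
      circuit_breakers: *circuit_breakers
    - name: ping
      type: LOGICAL_DNS
      lb_policy: ROUND_ROBIN
      connect_timeout: 0.050s
      load_assignment:
        cluster_name: ping
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: ping
                      port_value: 8080
      upstream_connection_options:
        tcp_keepalive: {}
      per_connection_buffer_limit_bytes: 65536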