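# TLS issuance and ingress routing: one DNS-01 ClusterIssuer, two Certificates,
# nine NGINX Ingress Controller VirtualServers and two TCP TransportServers.
# This file is a Helm template: the Secret below is rendered from chart values.

# API token used by the DNS-01 solver to create TXT records at DigitalOcean.
# `data` holds base64-encoded values, so the chart value is presumably supplied
# already encoded. TODO confirm; otherwise pipe it through `b64enc` or move the
# key under `stringData`.
# `required` fails the render instead of silently creating an empty token, and
# `quote` stops the rendered value from being re-typed by the YAML parser.
# Keep the values file that supplies this token out of version control, and
# grant the token only the DNS permissions the solver needs.
apiVersion: v1
kind: Secret
metadata:
  name: digitalocean-dns
  namespace: cert-manager
data:
  access-token: {{ required "digitalocean.access must be set" .Values.digitalocean.access | quote }}
---
# ACME issuer pointing at the Let's Encrypt production directory. The only
# solver configured is DNS-01 via DigitalOcean, reading the token from the
# Secret above. The ACME account private key is stored in the Secret named by
# privateKeySecretRef.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: ava@sunnypup.io
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: cert-issuer-account-key
    solvers:
      - dns01:
          digitalocean:
            tokenSecretRef:
              name: digitalocean-dns
              key: access-token
---
# One multi-SAN certificate for every *.sunnypup.io host routed below. All of
# those VirtualServers reference the same secret, so a single private key
# covers all six hostnames.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: sunnypup-certs
spec:
  secretName: sunnypup-certs
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  dnsNames:
    - cloud.sunnypup.io
    - office.sunnypup.io
    - echo.sunnypup.io
    - hephaestus.sunnypup.io
    - mimir.sunnypup.io
    - annwn.sunnypup.io
---
# Separate certificate (and key) for the church site.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: smsm-certs
spec:
  secretName: smsm-certs
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  dnsNames:
    - stmatthewsanmateo.org
---
# WordPress site. Plain HTTP is redirected to HTTPS (tls.redirect).
# NOTE(review): every VirtualServer in this file sets tls.cert-manager while an
# explicit Certificate above already targets the same secret name. Confirm the
# controller-managed certificate and the explicit one do not overwrite each
# other in that Secret.
# NOTE(review): the http01-solver label is normally applied by cert-manager to
# its own HTTP-01 solver resources, and this issuer only configures DNS-01.
# Confirm the label is needed on these VirtualServers.
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: church-site
  labels:
    acme.cert-manager.io/http01-solver: "true"
spec:
  host: stmatthewsanmateo.org
  tls:
    cert-manager:
      cluster-issuer: letsencrypt
    secret: smsm-certs
    redirect:
      enable: true
  upstreams:
    - name: wordpress
      service: wordpress
      port: 80
  routes:
    - path: /
      action:
        pass: wordpress
---
# Observability UI on mimir.sunnypup.io. No authentication is applied at this
# layer, so access control depends entirely on the upstream service.
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: observability
  labels:
    acme.cert-manager.io/http01-solver: "true"
spec:
  host: mimir.sunnypup.io
  tls:
    cert-manager:
      cluster-issuer: letsencrypt
    secret: sunnypup-certs
    redirect:
      enable: true
  upstreams:
    - name: observability
      service: observability
      port: 3000
  routes:
    - path: /
      action:
        pass: observability
---
# Forge web UI. Request bodies up to 1G and a 120s upstream read timeout are
# allowed, which also means the proxy will accept and hold large uploads.
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: forge
  labels:
    acme.cert-manager.io/http01-solver: "true"
spec:
  host: hephaestus.sunnypup.io
  tls:
    cert-manager:
      cluster-issuer: letsencrypt
    secret: sunnypup-certs
    redirect:
      enable: true
  upstreams:
    - name: forge
      service: forge
      port: 3000
      client-max-body-size: 1G
      read-timeout: 120s
  routes:
    - path: /
      action:
        pass: forge
---
# Collabora Online. Only the listed path prefixes are proxied; anything else on
# this host has no route. The two WebSocket routes set the Upgrade/Connection
# headers explicitly so the upgrade handshake reaches the upstream.
# NOTE(review): /cool/adminws is the admin WebSocket and is reachable from
# wherever this host is. Confirm the upstream enforces admin authentication.
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: collabora
  labels:
    acme.cert-manager.io/http01-solver: "true"
spec:
  host: office.sunnypup.io
  tls:
    cert-manager:
      cluster-issuer: letsencrypt
    secret: sunnypup-certs
    redirect:
      enable: true
  upstreams:
    - name: collabora
      service: collabora-collabora-online
      port: 9980
      client-max-body-size: 1G
  routes:
    - path: /browser
      action:
        pass: collabora
    - path: /hosting/discovery
      action:
        pass: collabora
    - path: /hosting/capabilities
      action:
        pass: collabora
    - path: /cool/adminws
      action:
        proxy:
          upstream: collabora
          requestHeaders:
            pass: true
            set:
              - name: Connection
                value: "Upgrade"
              - name: Upgrade
                value: "${http_upgrade}"
    # Regex route; quoted so the leading `~` is never read as a YAML null.
    - path: '~ ^/cool/(.*)/ws$'
      action:
        proxy:
          upstream: collabora
          requestHeaders:
            pass: true
            set:
              - name: Connection
                value: "Upgrade"
              - name: Upgrade
                value: "${http_upgrade}"
    - path: /cool
      action:
        pass: collabora
---
# Home Assistant. The snippet disables response buffering and rewrites
# http:// Location headers from the upstream to https://.
# location-snippets injects raw NGINX configuration; snippets have to be
# enabled on the controller, so restrict who may create or edit VirtualServers.
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: homeassistant
  labels:
    acme.cert-manager.io/http01-solver: "true"
spec:
  host: annwn.sunnypup.io
  tls:
    cert-manager:
      cluster-issuer: letsencrypt
    secret: sunnypup-certs
    redirect:
      enable: true
  upstreams:
    - name: homeassistant
      service: homeassistant
      port: 8123
  routes:
    - path: /
      location-snippets: |
        proxy_buffering off;
        proxy_redirect http:// https://;
      action:
        proxy:
          upstream: homeassistant
          requestHeaders:
            pass: true
---
# Echo service.
# NOTE(review): this is the only VirtualServer without tls.redirect, so plain
# HTTP requests are served rather than redirected to HTTPS. Confirm that is
# intentional.
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: echo
  labels:
    acme.cert-manager.io/http01-solver: "true"
spec:
  host: echo.sunnypup.io
  tls:
    cert-manager:
      cluster-issuer: letsencrypt
    secret: sunnypup-certs
  upstreams:
    - name: echo
      service: echo
      port: 8080
  routes:
    - path: /
      action:
        pass: echo
---
# Nextcloud. Request bodies up to 4g are accepted for file uploads.
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: nextcloud
  labels:
    acme.cert-manager.io/http01-solver: "true"
spec:
  host: cloud.sunnypup.io
  tls:
    cert-manager:
      cluster-issuer: letsencrypt
    secret: sunnypup-certs
    redirect:
      enable: true
  upstreams:
    - name: nextcloud
      service: nextcloud
      port: 80
      client-max-body-size: 4g
  routes:
    - path: /
      action:
        pass: nextcloud
---
# Raw TCP pass-through to the forge SSH port. The `forge-ssh` listener itself
# is defined outside this file. No TLS or authentication is added here, so SSH
# hardening on the forge is the only control on this path.
apiVersion: k8s.nginx.org/v1
kind: TransportServer
metadata:
  name: forge-ssh-passthrough
spec:
  listener:
    name: forge-ssh
    protocol: TCP
  upstreams:
    - name: forge
      service: forge
      port: 22222
  action:
    pass: forge
---
# Raw TCP pass-through to the matter service on port 5580. The `matter-api`
# listener is defined outside this file.
# NOTE(review): nothing at this layer authenticates or encrypts the stream.
# Confirm the listener is not reachable from untrusted networks, or that the
# upstream API enforces its own access control.
apiVersion: k8s.nginx.org/v1
kind: TransportServer
metadata:
  name: matter-passthrough
spec:
  listener:
    name: matter-api
    protocol: TCP
  upstreams:
    - name: matter
      service: matter
      port: 5580
  action:
    pass: matter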