add onlyoffice, and ingress revision

deploy/infra/ingress.yaml

@@ -5,11 +5,10 @@ metadata:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
     kubernetes.io/ingress.class: traefik
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure, public-https
 spec:
   entryPoints:
     - websecure
-
+    - public-https
   tls:
     secretName: cloud-limbosolutions-com-tls
     domains:
@@ -34,7 +33,7 @@ spec:
           port: 8080
       middlewares:
         - name: rate-limit
-        - name: security-headers
+        - name: nextcloud-security-headers
 
     # 2) WEBDAV / SYNC CLIENTS (NO SSO)
     - match: Host(`cloud.limbosolutions.com`) && (PathPrefix(`/remote.php/dav`) || PathPrefix(`/remote.php/webdav`) || PathPrefix(`/remote.php/caldav`) || PathPrefix(`/remote.php/carddav`))
@@ -56,7 +55,7 @@ spec:
           # middleware managed by icarus
          - name: authentik-forward-auth
            namespace: kube-system
-         - name: security-headers
+         - name: nextcloud-security-headers
          - name: rate-limit
 
 

deploy/infra/kustomization.yaml

@@ -6,5 +6,7 @@ resources:
   - middlewares.yaml
   - ingress.yaml
   - storage-limbosolutions-com/pv.yaml
+  - ./onlyoffice/ingress.yaml
+  - ./onlyoffice/middlewares.yaml
 generatorOptions:
   disableNameSuffixHash: true

deploy/infra/middlewares.yaml

@@ -25,7 +25,7 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: security-headers
+  name: nextcloud-security-headers
 spec:
   headers:
     stsSeconds: 31536000
@@ -38,4 +38,6 @@ spec:
     customResponseHeaders:
       X-Content-Type-Options: "nosniff"
       X-Frame-Options: "DENY"
-      X-XSS-Protection: "1; mode=block"
+      X-XSS-Protection: "1; mode=block"
+
+

deploy/infra/onlyoffice/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: office-limbosolutions-com
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    kubernetes.io/ingress.class: traefik
+spec:
+  entryPoints:
+    - websecure
+    - public-https
+  routes:
+    - match: Host(`office.limbosolutions.com`)
+      kind: Rule
+      services:
+        - name: onlyoffice
+          port: 80
+      middlewares:
+          - name: onlyoffice-headers
+          - name: onlyoffice-security-headers
+          - name: rate-limit
+
+  tls:
+    secretName: office-limbosolutions-com-tls

deploy/infra/onlyoffice/middlewares.yaml

@@ -0,0 +1,31 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: onlyoffice-security-headers
+spec:
+  headers:
+    stsSeconds: 31536000
+    stsIncludeSubdomains: true
+    stsPreload: true
+    browserXssFilter: true
+    contentTypeNosniff: true
+    referrerPolicy: "no-referrer"
+    customResponseHeaders:
+      X-Content-Type-Options: "nosniff"
+      X-XSS-Protection: "1; mode=block"
+      X-Frame-Options: "ALLOW-FROM https://cloud.limbosolutions.com"
+      Content-Security-Policy: "frame-ancestors https://cloud.limbosolutions.com"
+
+
+---
+# required because of only office, iframes being generated with http
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: onlyoffice-headers
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"
+      X-Forwarded-Ssl: "on"
+      X-Forwarded-Port: "443"