.cursor/rules/zero-trust-ingress-template.yaml

# Zero Trust Ingress Template
# Use this template for all new applications deployed via Cloudflare tunnels

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  namespace: app-namespace
  annotations:
    # Basic NGINX Configuration only - no cert-manager or external-dns
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
    
    # Optional: Extended timeouts for long-running requests
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    
    # Optional: ActivityPub rate limiting for fediverse applications
    nginx.ingress.kubernetes.io/server-snippet: |
      limit_req_zone $binary_remote_addr zone=app_inbox:100m rate=10r/s;
    nginx.ingress.kubernetes.io/configuration-snippet: |
      location ~* ^/(inbox|users/.*/inbox) {
        limit_req zone=app_inbox burst=300;
      }

spec:
  ingressClassName: nginx
  tls: []  # Empty - TLS handled by Cloudflare edge
  rules:
  - host: app.keyboardvagabond.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-service
            port:
              number: 80

---
# Service template
apiVersion: v1
kind: Service
metadata:
  name: app-service
  namespace: app-namespace
spec:
  selector:
    app: app-name
  ports:
  - name: http
    port: 80
    targetPort: 8080
redaction (#1) Add the redacted source file for demo purposes Reviewed-on: https://source.michaeldileo.org/michael_dileo/Keybard-Vagabond-Demo/pulls/1 Co-authored-by: Michael DiLeo <michael_dileo@proton.me> Co-committed-by: Michael DiLeo <michael_dileo@proton.me> 2025-12-24 13:40:47 +00:00			`# Zero Trust Ingress Template`
			`# Use this template for all new applications deployed via Cloudflare tunnels`

			`apiVersion: networking.k8s.io/v1`
			`kind: Ingress`
			`metadata:`
			`name: app-ingress`
			`namespace: app-namespace`
			`annotations:`
			`# Basic NGINX Configuration only - no cert-manager or external-dns`
			`kubernetes.io/ingress.class: nginx`
			`nginx.ingress.kubernetes.io/backend-protocol: "HTTP"`

			`# Optional: Extended timeouts for long-running requests`
			`nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"`
			`nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"`

			`# Optional: ActivityPub rate limiting for fediverse applications`
			`nginx.ingress.kubernetes.io/server-snippet: \|`
			`limit_req_zone $binary_remote_addr zone=app_inbox:100m rate=10r/s;`
			`nginx.ingress.kubernetes.io/configuration-snippet: \|`
			`location ~* ^/(inbox\|users/.*/inbox) {`
			`limit_req zone=app_inbox burst=300;`
			`}`

			`spec:`
			`ingressClassName: nginx`
			`tls: [] # Empty - TLS handled by Cloudflare edge`
			`rules:`
			`- host: app.keyboardvagabond.com`
			`http:`
			`paths:`
			`- path: /`
			`pathType: Prefix`
			`backend:`
			`service:`
			`name: app-service`
			`port:`
			`number: 80`

			`---`
			`# Service template`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: app-service`
			`namespace: app-namespace`
			`spec:`
			`selector:`
			`app: app-name`
			`ports:`
			`- name: http`
			`port: 80`
			`targetPort: 8080`