supabase
diff --git a/‎ansible/files/adminapi.sudoers.conf
+1 b/‎ansible/files/adminapi.sudoers.conf
+1
diff --git a/‎ansible/files/envoy.service
+29 b/‎ansible/files/envoy.service
+29
diff --git a/‎ansible/files/envoy_config/basic_auth.lua
+12 b/‎ansible/files/envoy_config/basic_auth.lua
+12
diff --git a/‎ansible/files/envoy_config/cds.yaml
+51 b/‎ansible/files/envoy_config/cds.yaml
+51
diff --git a/‎ansible/files/envoy_config/envoy.yaml
+23 b/‎ansible/files/envoy_config/envoy.yaml
+23
@@ -1,3 +1,4 @@
+Cmnd_Alias ENVOY = /bin/systemctl start envoy.service, /bin/systemctl stop envoy.service, /bin/systemctl restart envoy.service, /bin/systemctl disable envoy.service, /bin/systemctl enable envoy.service, /bin/systemctl reload envoy.service
 Cmnd_Alias KONG = /bin/systemctl start kong.service, /bin/systemctl stop kong.service, /bin/systemctl restart kong.service, /bin/systemctl disable kong.service, /bin/systemctl enable kong.service, /bin/systemctl reload kong.service
 Cmnd_Alias POSTGREST = /bin/systemctl start postgrest.service, /bin/systemctl stop postgrest.service, /bin/systemctl restart postgrest.service, /bin/systemctl disable postgrest.service, /bin/systemctl enable postgrest.service
 Cmnd_Alias GOTRUE = /bin/systemctl start gotrue.service, /bin/systemctl stop gotrue.service, /bin/systemctl restart gotrue.service, /bin/systemctl disable gotrue.service, /bin/systemctl enable gotrue.service
 
@@ -0,0 +1,29 @@
+[Unit]
+Description=Envoy
+After=postgrest.service gotrue.service adminapi.service
+Wants=postgrest.service gotrue.service adminapi.service
+Conflicts=kong.service
+
+[Service]
+Type=simple
+
+# Need to run via a restarter script to support hot restart when using a process
+# manager, see:
+# https://www.envoyproxy.io/docs/envoy/latest/operations/hot_restarter
+ExecStart=/opt/envoy-hot-restarter.py /opt/start-envoy.sh
+
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStop=/bin/kill -TERM $MAINPID
+User=envoy
+Slice=services.slice
+Restart=always
+RestartSec=3
+LimitNOFILE=100000
+
+# The envoy user is unpriviledged and thus not permited to bind on ports < 1024
+# Via systemd we grant the process a set of priviledges to bind to 80/443
+# See http://archive.vn/36zJU
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,12 @@
+function envoy_on_request(request_handle)
+    local authorization = request_handle:headers():get("authorization")
+
+    if authorization and authorization:find("^[Bb][Aa][Ss][Ii][Cc] " .. request_handle:metadata():get("credentials")) then
+        return
+    end
+
+    request_handle:respond({
+        [":status"] = "401",
+        ["WWW-Authenticate"] = "Basic realm=\"Unknown\""
+    }, "Unauthorized")
+end
@@ -0,0 +1,51 @@
+resources:
+  - '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    name: admin_api
+    load_assignment:
+      cluster_name: admin_api
+      endpoints:
+        - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: 8085
+    transport_socket:
+      name: envoy.transport_sockets.tls
+      typed_config:
+        '@type': >-
+          type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+  - '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    name: gotrue
+    load_assignment:
+      cluster_name: gotrue
+      endpoints:
+        - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: 9999
+  - '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    name: postgrest
+    load_assignment:
+      cluster_name: postgrest
+      endpoints:
+        - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: 3000
+  - '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    name: postgrest_admin
+    load_assignment:
+      cluster_name: postgrest_admin
+      endpoints:
+        - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: 3001
+
@@ -0,0 +1,23 @@
+dynamic_resources:
+  cds_config:
+    path_config_source:
+      path: /etc/envoy/cds.yaml
+    resource_api_version: V3
+  lds_config:
+    path_config_source:
+      path: /etc/envoy/lds.yaml
+    resource_api_version: V3
+node:
+  cluster: cluster_0
+  id: node_0
+overload_manager:
+  resource_monitors:
+    - name: envoy.resource_monitors.global_downstream_max_connections
+      typed_config:
+        '@type': >-
+          type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+        max_active_downstream_connections: 30000
+stats_config:
+  stats_matcher:
+    reject_all: true
+
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+Cmnd_Alias ENVOY = /bin/systemctl start envoy.service, /bin/systemctl stop envoy.service, /bin/systemctl restart envoy.service, /bin/systemctl disable envoy.service, /bin/systemctl enable envoy.service, /bin/systemctl reload envoy.service`
`1`	`2`	`Cmnd_Alias KONG = /bin/systemctl start kong.service, /bin/systemctl stop kong.service, /bin/systemctl restart kong.service, /bin/systemctl disable kong.service, /bin/systemctl enable kong.service, /bin/systemctl reload kong.service`
`2`	`3`	`Cmnd_Alias POSTGREST = /bin/systemctl start postgrest.service, /bin/systemctl stop postgrest.service, /bin/systemctl restart postgrest.service, /bin/systemctl disable postgrest.service, /bin/systemctl enable postgrest.service`
`3`	`4`	`Cmnd_Alias GOTRUE = /bin/systemctl start gotrue.service, /bin/systemctl stop gotrue.service, /bin/systemctl restart gotrue.service, /bin/systemctl disable gotrue.service, /bin/systemctl enable gotrue.service`