docs: rewrite Kubernetes page (#3928)

2024-03-12 09:31:44 +01:00 · 2024-03-12 09:31:44 +01:00 · 2133b51e78
parent a04b53f4f8
commit 2133b51e78
4 changed files with 778 additions and 460 deletions
--- a/docs/content/assets/css/customizations.css
+++ b/docs/content/assets/css/customizations.css
@ -107,3 +107,37 @@ div.md-content article.md-content__inner a.toclink code {
 .md-nav__item--nested > .md-nav__link {
  font-weight: 700;
 }
+
+/* ============================================================================================================= */
+
+/*
+  TaskList style for a pro/con list. Presently only used for this type of list in the kubernetes docs.
+  Uses a custom icon for the unchecked (con) state: :octicons-x-circle-fill-24:
+  https://github.com/squidfunk/mkdocs-material/discussions/6811#discussioncomment-8700795
+
+  TODO: Can better scope the style under a class name when migrating to block extension syntax:
+  https://github.com/facelessuser/pymdown-extensions/discussions/1973
+*/
+
+:root {
+  --md-tasklist-icon--failed: url('data:image/svg+xml;charset=utf-8,<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M1 12C1 5.925 5.925 1 12 1s11 4.925 11 11-4.925 11-11 11S1 18.075 1 12Zm8.036-4.024a.751.751 0 0 0-1.042.018.751.751 0 0 0-.018 1.042L10.939 12l-2.963 2.963a.749.749 0 0 0 .326 1.275.749.749 0 0 0 .734-.215L12 13.06l2.963 2.964a.75.75 0 0 0 1.061-1.06L13.061 12l2.963-2.964a.749.749 0 0 0-.326-1.275.749.749 0 0 0-.734.215L12 10.939Z"/></svg>');
+}
+
+.md-typeset [type="checkbox"] + .task-list-indicator::before {
+  background-color: rgb(216, 87, 48);
+  -webkit-mask-image: var(--md-tasklist-icon--failed);
+  mask-image: var(--md-tasklist-icon--failed);
+}
+
+/* More suitable shade of green */
+.md-typeset [type=checkbox]:checked+.task-list-indicator:before {
+  background-color: rgb(97, 216, 42);
+}
+
+/* Tiny layout shift */
+[dir=ltr] .md-typeset .task-list-indicator:before {
+  left: -1.6em;
+  top: 1px;
+}
+
+/* ============================================================================================================= */
--- a/docs/content/config/advanced/kubernetes.md
+++ b/docs/content/config/advanced/kubernetes.md
--- a/docs/content/examples/tutorials/mailserver-behind-proxy.md
+++ b/docs/content/examples/tutorials/mailserver-behind-proxy.md
@ -14,6 +14,8 @@ This reduces many of the benefits for why you might use a reverse proxy, but the

 Some deployments may require a service to route traffic (kubernetes) when deploying, in which case the below advice is important to understand well.

+The guide here has also been adapted for [our Kubernetes docs][docs::kubernetes].
+
 ## What can go wrong?

 Without a reverse proxy involved, a service is typically aware of the client IP for a connection.
@ -354,9 +356,8 @@ Software on the receiving end of the connection often supports configuring an IP
    [`postscreen_access_list`][postfix-docs::settings::postscreen_access_list] (_or [`smtpd_client_restrictions`][postfix-docs::settings::smtpd_client_restrictions] with [`check_client_access`][postfix-docs::settings::check_client_access] for ports 587/465_) can both restrict access by IP via a [CIDR lookup table][postfix-docs::config-table::cidr], however the client IP is already rewritten at this point via PROXY protocol.

    Thus those settings cannot be used for restricting access to only trusted proxies, only to the actual clients.
-    
-    A similar setting [`mynetworks`][postfix-docs::settings::mynetworks] / [`PERMIT_DOCKER`][docs::env::permit_docker] manages elevated trust for bypassing security restrictions. While it is intended for trusted clients, it has no relevance to trusting proxies for the same reasons.

+    A similar setting [`mynetworks`][postfix-docs::settings::mynetworks] / [`PERMIT_DOCKER`][docs::env::permit_docker] manages elevated trust for bypassing security restrictions. While it is intended for trusted clients, it has no relevance to trusting proxies for the same reasons.

 ### Monitoring

@ -373,6 +374,8 @@ While PROXY protocol works well with the reverse proxy, you may have some contai

    You should adjust configuration of these monitoring services to monitor for auth failures from those services directly instead, adding an exclusion for that service IP from any DMS logs monitored (_but be mindful of PROXY header forgery risks_).

+[docs::kubernetes]: ../../config/advanced/kubernetes.md#using-the-proxy-protocol
+
 [docs::overrides::dovecot]: ../../config/advanced/override-defaults/dovecot.md
 [docs::overrides::postfix]: ../../config/advanced/override-defaults/postfix.md
 [docs::overrides::user-patches]: ../../config/advanced/override-defaults/user-patches.md
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@ -82,6 +82,11 @@ markdown_extensions:
          format: !!python/name:pymdownx.superfences.fence_code_format
  - pymdownx.tabbed:
      alternate_style: true
+      slugify: !!python/object/apply:pymdownx.slugs.slugify
+        kwds:
+          case: lower
+  - pymdownx.tasklist:
+      custom_checkbox: true
  - pymdownx.magiclink
  - pymdownx.inlinehilite
  - pymdownx.tilde