jackalgirls & CUE
Today it was finally time to write a policy file for one of my Anubis instances. I use Timoni as a fairly thin wrapper over CUE to write templates for my own k8s deployments, and I found it really shone in this particular instance. I’ll just tl;dr and show the code; here’s an excerpt from my blog engine’s bundle.cue, which is the “entrypoint” for compiling its manifests:
anubis: {
	secretName: "anubis-20250816-071240"
	policy: permitPaths: [{
		name:       "permit-atom-xml"
		path_regex: "^/atom\\.xml$"
	}, {
		name:       "permit-feed-xml"
		path_regex: "^/feed\\.xml$"
	}]
}
I’m aiming to expose just a minimum of configurability first. Here’s how the schema side of that is defined in config.cue:
anubis?: {
	// Needs to already exist in the target namespace. Should have key
	// "ED25519_PRIVATE_KEY_HEX".
	secretName: string
	policy?: {
		permitPaths: *[] | [...close({
			name:       string
			path_regex: string
		})]
	}
}
I grabbed the default root bot policy file from https://github.com/TecharoHQ/anubis/blob/main/data/botPolicies.yaml and converted it to CUE with cue import botPolicies.yaml. Then I put it in the templates package, added a way to inject my config, and used the config to expand upon the defaults (the imported default rules are elided below):
package templates

#AnubisBotPolicies: {
	#config: #Config
	//# Anubis has the ability to let you import snippets of configuration into the main
	//# configuration file. This allows you to break up your config into smaller parts
	//# that get logically assembled into one big file.
	// ...
	}, if #config.kv.anubis.policy.permitPaths != _|_
	for setting in #config.kv.anubis.policy.permitPaths {
		name:       setting.name
		path_regex: setting.path_regex
		action:     "ALLOW"
	}, {
	// ...
Finally, the bit I really like: creating the ConfigMap (which gets mounted as a volume) with the policy YAML:
#AnubisConfigMap: timoniv1.#ImmutableConfig & {
	Config=#config: #Config
	#Kind:   timoniv1.#ConfigMapKind
	#Meta:   #config.metadata
	#Suffix: "-anubis-env"
	#Data: {
		"policy.yml": yaml.Marshal(#AnubisBotPolicies & {#config: Config})
	}
}
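To make the whole pipeline above runnable outside Timoni, here is an added, self-contained CUE file that is not part of the blog engine's module: it folds the schema, the values and the template into one package so that cue export policy_example.cue --out yaml renders the same kind of policy document. The names #Values, #BotPolicies and policyYAML are assumptions for this example, and the single "generic-browser" rule is a constructed stand-in for the defaults that cue import produces from Anubis's botPolicies.yaml.

```cue
// Added example (not from the post or from Timoni/Anubis): one file that mirrors the
// schema -> values -> template -> yaml.Marshal pattern described above.
//   cue export policy_example.cue --out yaml
// #Values, #BotPolicies and policyYAML are hypothetical names chosen here.
package example

import "encoding/yaml"

// Schema: the same shape as the post's config.cue, as a definition so it can be
// unified with the supplied values.
#Values: {
	anubis?: {
		secretName: string
		policy?: {
			// close() rejects unknown fields, so a typo such as "pathRegex" fails
			// evaluation ("field not allowed") instead of silently producing an
			// ALLOW rule that carries no path constraint.
			permitPaths: *[] | [...close({
				name:       string
				path_regex: string
			})]
		}
	}
}

// Operator-supplied values (constructed for this example).
values: #Values & {
	anubis: {
		secretName: "anubis-example-secret"
		policy: permitPaths: [{
			name:       "permit-atom-xml"
			path_regex: "^/atom\\.xml$"
		}, {
			name:       "permit-feed-xml"
			path_regex: "^/feed\\.xml$"
		}]
	}
}

// Template: every generated rule takes exactly two fields from the values and a
// fixed action, so the values layer can widen the allow-list but cannot introduce
// other rule kinds or actions.
#BotPolicies: {
	#config: #Values
	bots: [
		// Stand-in for the imported Anubis defaults (constructed, not the real list).
		{name: "generic-browser", user_agent_regex: "Mozilla", action: "CHALLENGE"},
		if #config.anubis.policy.permitPaths != _|_
		for setting in #config.anubis.policy.permitPaths {
			name:       setting.name
			path_regex: setting.path_regex
			action:     "ALLOW"
		},
	]
}

// The rendered policy text, as it would be placed into the ConfigMap's policy.yml.
policyYAML: yaml.Marshal(#BotPolicies & {#config: values})
```

Two checks worth running on such a file before it reaches a cluster: change one value's path_regex to pathRegex and confirm cue export refuses it, and read the rendered policyYAML to confirm the regexes still carry their ^ and $ anchors after the double escaping, since an unanchored ALLOW rule matches far more than the feed URLs it was written for.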
Note the careful lack of hand-written YAML at any stage! 💛🤍💜🖤
