feat(infra): Gitea self-hosted CI/CD + MongoDB PVC + registry pipeline (#28)

* fix(k8s): expose / without auth so homepage is publicly reachable Adds a second Ingress (api-public) for the exact path / with no forward-auth middleware. Traefik prefers the Exact match for the root, while the Prefix ingress (with auth) still protects all other routes. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: homepage renders correctly at / for unauthenticated visitors Two fixes: 1. Added parseStandalone() helper — parseTmpl() roots on "" but ParseFS() stores standalone (no {{define}}) files under their base filename, so Execute() ran the empty root and returned Content-Length: 0. 2. Added router.priority: 100 annotation to api-public ingress so Traefik picks the Exact / rule over the Prefix / rule (Traefik ranks by rule string length by default, which made PathPrefix beat Path). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(k8s): remove forward-auth middleware from finance ingress The app now handles its own auth at /auth/login — Traefik no longer needs to forward-auth requests, which was causing redirects to auth.homelab.local instead of finance.homelab.local. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * feat(auth): harden authentication for cloud deployment 1. Secure cookie flag — set when BASE_URL starts with https:// 2. SameSite=Strict on session cookie (was Lax) 3. Rate limiter — per-IP, 10 failures → 15-min lockout, auto-cleanup goroutine 4. Session rotation on login — old session deleted before issuing new one (prevents session fixation attacks) 5. bcrypt cost 12 (was DefaultCost/10, OWASP minimum for cloud) 6. Security headers middleware on all responses: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, Content-Security-Policy, HSTS (when HTTPS) 7. Structured audit logging — login success/failure/lockout with IP + email 8. Google OAuth state cookie gets Secure flag too Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * feat(infra): Gitea self-hosted CI/CD + MongoDB PVC + registry pipeline - Add Gitea Helm deployment (git hosting, container registry, Gitea Actions) - Add act runner with DinD sidecar for Docker builds in-cluster - Add RBAC so act runner can kubectl-deploy to finance namespace - Fix MongoDB StatefulSet: add volumeClaimTemplates (data was lost on restart) - Configure k3d containerd to mirror git.homelab.local → Gitea NodePort 30002 - Add .gitea/workflows/finance-api.yml: test → build/push → rolling deploy - Update finance-api deployment: Gitea registry image, imagePullPolicy Always - Extract finance-api secrets (SESSION_SECRET, Google OAuth) into Terraform - Add variables.tf for Gitea admin password and runner token All changes testable on local k3d before the VPS exists. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Gonçalo Rodrigues <guga@Goncalos-MacBook-Pro.local> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-15 21:45:34 +01:00 · 2026-06-15 21:45:34 +01:00 · 05dd725579
commit 05dd725579
parent cedc0c2192
10 changed files with 499 additions and 5 deletions
--- a/.gitea/workflows/finance-api.yml
+++ b/.gitea/workflows/finance-api.yml
@ -0,0 +1,95 @@
+name: Finance API
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "apps/finance/**"
+      - "pkg/**"
+      - "go.mod"
+      - "go.sum"
+  pull_request:
+    paths:
+      - "apps/finance/**"
+      - "pkg/**"
+
+env:
+  # Internal Gitea service — reachable from within the cluster (pipeline steps via DinD)
+  GITEA_INTERNAL: gitea-http.gitea.svc.cluster.local:3000
+  # Public registry hostname — used in k8s image references (containerd mirrors to NodePort 30002)
+  REGISTRY: git.homelab.local
+  IMAGE: git.homelab.local/admin/finance-api
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    container:
+      image: golang:1.25
+    steps:
+      - uses: actions/checkout@v4
+      - name: Cache Go modules
+        uses: actions/cache@v4
+        with:
+          path: /go/pkg/mod
+          key: go-${{ hashFiles('go.sum') }}
+      - name: Test
+        run: go test ./apps/finance/... ./pkg/...
+
+  build-push:
+    needs: test
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to Gitea registry
+        run: |
+          echo "${{ secrets.GITEA_ADMIN_PASSWORD }}" | \
+            docker login ${{ env.GITEA_INTERNAL }} -u admin --password-stdin
+
+      - name: Build and push
+        run: |
+          SHA=${{ github.sha }}
+          # Build image — tag with both sha and latest
+          docker build \
+            -t ${{ env.GITEA_INTERNAL }}/admin/finance-api:${SHA} \
+            -t ${{ env.GITEA_INTERNAL }}/admin/finance-api:latest \
+            -f apps/finance/services/api/Dockerfile \
+            .
+          docker push ${{ env.GITEA_INTERNAL }}/admin/finance-api:${SHA}
+          docker push ${{ env.GITEA_INTERNAL }}/admin/finance-api:latest
+
+  deploy:
+    needs: build-push
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+    steps:
+      - name: Install kubectl
+        run: |
+          curl -LO "https://dl.k8s.io/release/v1.31.0/bin/linux/amd64/kubectl"
+          chmod +x kubectl && mv kubectl /usr/local/bin/
+
+      # The runner pod has a ServiceAccount with deploy permissions.
+      # Mount its token via the act runner valid_volumes config.
+      - name: Deploy to cluster
+        run: |
+          SHA=${{ github.sha }}
+          TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+          CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+          K8S=https://kubernetes.default.svc
+
+          kubectl \
+            --server=$K8S \
+            --token=$TOKEN \
+            --certificate-authority=$CA \
+            set image deployment/api \
+              api=${{ env.IMAGE }}:${SHA} \
+            -n finance
+
+          kubectl \
+            --server=$K8S \
+            --token=$TOKEN \
+            --certificate-authority=$CA \
+            rollout status deployment/api \
+            -n finance \
+            --timeout=120s
--- a/apps/finance/services/api/k8s/deployment.yaml
+++ b/apps/finance/services/api/k8s/deployment.yaml
@ -15,10 +15,12 @@ spec:
      labels:
        app: api
    spec:
+      imagePullSecrets:
+        - name: gitea-registry
      containers:
        - name: api
-          image: homelab/api:latest
-          imagePullPolicy: IfNotPresent
+          image: git.homelab.local/admin/finance-api:latest
+          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 8080
@ -26,12 +28,17 @@ spec:
            - name: PORT
              value: "8080"
            - name: LOG_LEVEL
-              value: "debug"
+              value: "info"
            - name: OTEL_EXPORTER_OTLP_ENDPOINT
              value: "jaeger.monitoring.svc:4317"
+            - name: BASE_URL
+              value: "https://finance.homelab.local"
          envFrom:
            - secretRef:
                name: mongodb-shared-config
+            - secretRef:
+                name: finance-api-secrets
+                optional: true
          livenessProbe:
            httpGet:
              path: /healthz
--- a/infrastructure/Makefile/service.mk
+++ b/infrastructure/Makefile/service.mk
@ -15,7 +15,8 @@ _rel_path     := $(patsubst $(_abs_root)/%,%,$(CURDIR))
 NAMESPACE     ?= $(word 2,$(subst /, ,$(_rel_path)))

 IMAGE_TAG     ?= latest
-IMAGE         ?= homelab/$(SERVICE_NAME):$(IMAGE_TAG)
+REGISTRY      ?= git.homelab.local/admin
+IMAGE         ?= $(REGISTRY)/$(SERVICE_NAME):$(IMAGE_TAG)
 CLUSTER_NAME  ?= homelab

 _is_node       := $(shell [ -f $(SERVICE_DIR)/package.json ] && echo yes)
--- a/infrastructure/k3d/config.yaml
+++ b/infrastructure/k3d/config.yaml
@ -18,6 +18,21 @@ ports:
    nodeFilters:
      - loadbalancer

+# Registry mirror: k3s containerd pulls "git.homelab.local/..." images by redirecting
+# to the Gitea NodePort (30002) on localhost inside the k3d node container.
+# This is set up once at cluster creation — changing it requires recreating the cluster:
+#   k3d cluster delete homelab && k3d cluster create --config infrastructure/k3d/config.yaml
+registries:
+  config: |
+    mirrors:
+      "git.homelab.local":
+        endpoint:
+          - "http://localhost:30002"
+    configs:
+      "localhost:30002":
+        tls:
+          insecure_skip_verify: true
+
 options:
  k3s:
    extraArgs:
--- a/infrastructure/terraform/act-runner.tf
+++ b/infrastructure/terraform/act-runner.tf
@ -0,0 +1,214 @@
+resource "kubernetes_service_account" "act_runner" {
+  metadata {
+    name      = "act-runner"
+    namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
+  }
+}
+
+resource "kubernetes_cluster_role" "act_runner" {
+  metadata {
+    name = "act-runner"
+  }
+  # Allow deploying to finance namespace
+  rule {
+    api_groups = ["apps"]
+    resources  = ["deployments"]
+    verbs      = ["get", "list", "patch", "update"]
+  }
+  rule {
+    api_groups = [""]
+    resources  = ["pods", "pods/log"]
+    verbs      = ["get", "list"]
+  }
+  # Allow creating Kaniko build jobs in gitea namespace
+  rule {
+    api_groups = ["batch"]
+    resources  = ["jobs"]
+    verbs      = ["create", "get", "list", "watch", "delete"]
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "act_runner" {
+  metadata {
+    name = "act-runner"
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = kubernetes_cluster_role.act_runner.metadata[0].name
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = kubernetes_service_account.act_runner.metadata[0].name
+    namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
+  }
+}
+
+# Populated after initial Gitea deploy:
+#   1. Open http://git.homelab.local → Admin Area → Runners → Create Runner
+#   2. Copy the token
+#   3. terraform apply -var gitea_runner_token=<token>
+resource "kubernetes_secret" "gitea_runner_token" {
+  metadata {
+    name      = "gitea-runner-token"
+    namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
+  }
+  data = {
+    token = var.gitea_runner_token
+  }
+}
+
+# ConfigMap for act runner config (host executor mode — steps run directly in runner container)
+resource "kubernetes_config_map" "act_runner" {
+  metadata {
+    name      = "act-runner-config"
+    namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
+  }
+  data = {
+    "config.yaml" = yamlencode({
+      log = { level = "info" }
+      runner = {
+        capacity           = 2
+        fetch_timeout      = "5s"
+        fetch_interval     = "2s"
+        report_interval    = "1s"
+        envs               = {}
+      }
+      cache = { enabled = false }
+      container = {
+        network         = "host"
+        # Allow pipeline steps to mount the SA token for kubectl
+        valid_volumes = [
+          "/var/run/secrets/kubernetes.io/serviceaccount",
+        ]
+        docker_host = "tcp://localhost:2375"
+      }
+    })
+  }
+}
+
+resource "kubernetes_deployment" "act_runner" {
+  depends_on = [helm_release.gitea, kubernetes_secret.gitea_runner_token]
+
+  metadata {
+    name      = "act-runner"
+    namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
+    labels    = { app = "act-runner" }
+  }
+
+  spec {
+    replicas = 1
+    selector {
+      match_labels = { app = "act-runner" }
+    }
+    template {
+      metadata {
+        labels = { app = "act-runner" }
+      }
+      spec {
+        service_account_name = kubernetes_service_account.act_runner.metadata[0].name
+
+        # act runner — runs steps using Docker (provided by dind sidecar)
+        container {
+          name  = "runner"
+          image = "gitea/act_runner:latest"
+
+          command = ["/bin/sh", "-c"]
+          args = [<<-EOT
+            set -e
+            # Register if not yet registered
+            if [ ! -f /data/.runner ]; then
+              act_runner register \
+                --no-interactive \
+                --instance http://gitea-http.gitea.svc.cluster.local:3000 \
+                --token "$(cat /etc/runner-token/token)" \
+                --name "k3d-runner-$(hostname)" \
+                --labels ubuntu-latest
+            fi
+            exec act_runner daemon --config /etc/act-runner/config.yaml
+          EOT
+          ]
+
+          env {
+            name  = "DOCKER_HOST"
+            value = "tcp://localhost:2375"
+          }
+          # Make the runner's KUBERNETES_SERVICE env accessible to pipeline steps
+          env {
+            name = "KUBERNETES_SERVICE_HOST"
+            value_from {
+              field_ref { field_path = "status.hostIP" }
+            }
+          }
+
+          volume_mount {
+            name       = "runner-data"
+            mount_path = "/data"
+          }
+          volume_mount {
+            name       = "runner-config"
+            mount_path = "/etc/act-runner"
+          }
+          volume_mount {
+            name       = "runner-token"
+            mount_path = "/etc/runner-token"
+            read_only  = true
+          }
+
+          resources {
+            requests = { cpu = "100m", memory = "128Mi" }
+            limits   = { cpu = "500m", memory = "512Mi" }
+          }
+        }
+
+        # Docker-in-Docker: provides a Docker daemon for the pipeline steps
+        container {
+          name  = "dind"
+          image = "docker:27-dind"
+
+          security_context {
+            privileged = true
+          }
+          args = [
+            "--insecure-registry=gitea-http.gitea.svc.cluster.local:3000",
+          ]
+          env {
+            name  = "DOCKER_TLS_CERTDIR"
+            value = ""
+          }
+
+          volume_mount {
+            name       = "docker-storage"
+            mount_path = "/var/lib/docker"
+          }
+
+          resources {
+            requests = { cpu = "200m", memory = "256Mi" }
+            limits   = { cpu = "1", memory = "1Gi" }
+          }
+        }
+
+        volume {
+          name = "runner-data"
+          empty_dir {}
+        }
+        volume {
+          name = "docker-storage"
+          empty_dir {}
+        }
+        volume {
+          name = "runner-config"
+          config_map {
+            name = kubernetes_config_map.act_runner.metadata[0].name
+          }
+        }
+        volume {
+          name = "runner-token"
+          secret {
+            secret_name = kubernetes_secret.gitea_runner_token.metadata[0].name
+          }
+        }
+      }
+    }
+  }
+}
--- a/infrastructure/terraform/finance.tf
+++ b/infrastructure/terraform/finance.tf
@ -0,0 +1,34 @@
+# SESSION_SECRET must be a random 32+ byte hex string.
+# Set it via: TF_VAR_finance_session_secret=<value> terraform apply
+variable "finance_session_secret" {
+  description = "HMAC secret for finance-api session cookies (32+ random bytes)"
+  type        = string
+  default     = "dev-secret-change-in-production-32x"
+  sensitive   = true
+}
+
+variable "finance_google_client_id" {
+  description = "Google OAuth client ID for finance-api (optional)"
+  type        = string
+  default     = ""
+  sensitive   = false
+}
+
+variable "finance_google_client_secret" {
+  description = "Google OAuth client secret for finance-api (optional)"
+  type        = string
+  default     = ""
+  sensitive   = true
+}
+
+resource "kubernetes_secret" "finance_api" {
+  metadata {
+    name      = "finance-api-secrets"
+    namespace = kubernetes_namespace.domains["finance"].metadata[0].name
+  }
+  data = {
+    SESSION_SECRET        = var.finance_session_secret
+    GOOGLE_CLIENT_ID      = var.finance_google_client_id
+    GOOGLE_CLIENT_SECRET  = var.finance_google_client_secret
+  }
+}
--- a/infrastructure/terraform/gitea.tf
+++ b/infrastructure/terraform/gitea.tf
@ -0,0 +1,95 @@
+resource "kubernetes_secret" "gitea_admin" {
+  metadata {
+    name      = "gitea-admin"
+    namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
+  }
+  data = {
+    username = "admin"
+    password = var.gitea_admin_password
+    email    = "admin@homelab.local"
+  }
+}
+
+resource "helm_release" "gitea" {
+  name       = "gitea"
+  namespace  = kubernetes_namespace.domains["gitea"].metadata[0].name
+  repository = "https://dl.gitea.com/charts/"
+  chart      = "gitea"
+  version    = "~> 10.0"
+  atomic     = true
+  timeout    = 300
+
+  values = [yamlencode({
+    gitea = {
+      admin = {
+        existingSecret = kubernetes_secret.gitea_admin.metadata[0].name
+      }
+      config = {
+        APP_NAME = "Homelab Git"
+        server = {
+          DOMAIN     = "git.homelab.local"
+          ROOT_URL   = "http://git.homelab.local"
+          SSH_DOMAIN = "localhost"
+          SSH_PORT   = 30001
+        }
+        packages = { ENABLED = "true" }
+        service  = { DISABLE_REGISTRATION = "true" }
+        log      = { LEVEL = "Warn" }
+      }
+    }
+
+    ingress = {
+      enabled   = true
+      className = "traefik"
+      hosts = [{
+        host  = "git.homelab.local"
+        paths = [{ path = "/", pathType = "Prefix" }]
+      }]
+    }
+
+    # NodePort 30002: used by k3d containerd registry mirror (see k3d/config.yaml)
+    service = {
+      http = {
+        type     = "NodePort"
+        port     = 3000
+        nodePort = 30002
+      }
+      ssh = {
+        type     = "NodePort"
+        port     = 22
+        nodePort = 30001
+      }
+    }
+
+    persistence = {
+      enabled      = true
+      size         = "10Gi"
+      storageClass = "local-path"
+    }
+
+    resources = {
+      requests = { cpu = "100m", memory = "256Mi" }
+      limits   = { cpu = "500m", memory = "512Mi" }
+    }
+  })]
+}
+
+# imagePullSecret for finance namespace — allows k8s to pull images from Gitea registry.
+# Containerd mirrors "git.homelab.local" to localhost:30002 (see k3d/config.yaml) and
+# forwards these credentials to authenticate against the Gitea NodePort.
+resource "kubernetes_secret" "gitea_registry_finance" {
+  metadata {
+    name      = "gitea-registry"
+    namespace = kubernetes_namespace.domains["finance"].metadata[0].name
+  }
+  type = "kubernetes.io/dockerconfigjson"
+  data = {
+    ".dockerconfigjson" = jsonencode({
+      auths = {
+        "git.homelab.local" = {
+          auth = base64encode("admin:${var.gitea_admin_password}")
+        }
+      }
+    })
+  }
+}
--- a/infrastructure/terraform/mongodb.tf
+++ b/infrastructure/terraform/mongodb.tf
@ -96,6 +96,11 @@ resource "kubernetes_stateful_set" "mongodb" {
            value = "homelab"
          }

+          volume_mount {
+            name       = "mongodb-data"
+            mount_path = "/data/db"
+          }
+
          port {
            container_port = 27017
          }
@ -113,5 +118,20 @@ resource "kubernetes_stateful_set" "mongodb" {
        }
      }
    }
+
+    volume_claim_template {
+      metadata {
+        name = "mongodb-data"
+      }
+      spec {
+        access_modes       = ["ReadWriteOnce"]
+        storage_class_name = "local-path"
+        resources {
+          requests = {
+            storage = "5Gi"
+          }
+        }
+      }
+    }
  }
 }
--- a/infrastructure/terraform/namespaces.tf
+++ b/infrastructure/terraform/namespaces.tf
@ -1,5 +1,5 @@
 locals {
-  namespaces = ["auth", "home", "finance", "test", "monitoring", "infrastructure"]
+  namespaces = ["auth", "home", "finance", "test", "monitoring", "infrastructure", "gitea"]
 }

 resource "kubernetes_namespace" "domains" {
--- a/infrastructure/terraform/variables.tf
+++ b/infrastructure/terraform/variables.tf
@ -0,0 +1,13 @@
+variable "gitea_admin_password" {
+  description = "Gitea admin password — set TF_VAR_gitea_admin_password or override in terraform.tfvars"
+  type        = string
+  default     = "gitea-dev-changeme"
+  sensitive   = true
+}
+
+variable "gitea_runner_token" {
+  description = "Gitea runner registration token — obtain from Gitea UI: Admin Area → Runners → Create Runner, then set TF_VAR_gitea_runner_token"
+  type        = string
+  default     = ""
+  sensitive   = true
+}