9 Commits

Author SHA1 Message Date
Gonçalo Rodrigues
f5f2251e24 fix(k8s): move ServiceMonitor manifests to k8s/monitoring/ subdirectory
The k8s/*.yaml glob in each skaffold.yaml picks up servicemonitor.yaml
and fails when monitoring is disabled (CRD not installed). Moving them
to k8s/monitoring/ keeps the config but excludes them from the default
deploy. Apply manually when enable_monitoring=true.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-26 22:43:04 +01:00
Gonçalo Rodrigues
d4ccff518e feat: switch to gugagr.xyz with TLS via Let's Encrypt (#39)
Adds Traefik Helm release (kube-system) with ACME HTTP-01 challenge
configured for Let's Encrypt, replacing the k3s-disabled bundled Traefik.

Migrates all hostnames from *.homelab.local to *.gugagr.xyz and upgrades
all ingresses to HTTPS with certresolver=letsencrypt annotations.

Adds var.domain (default homelab.local) to Terraform so the domain is
a single config point for monitoring and Gitea ingresses.

Gateway reads DOMAIN env var at runtime — falls back to homelab.local
so local k3d dev continues to work without changes.

Co-authored-by: Gonçalo Rodrigues <guga@Goncalos-MacBook-Pro.local>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-26 21:45:19 +01:00
Gonçalo Rodrigues
dcb573ed8a fix(auth): set cookie Domain to .homelab.local for subdomain coverage
Without the leading dot, the auth_token cookie was only sent to the
exact host homelab.local — not to finance.homelab.local, auth.homelab.local,
etc. — so the forward-auth check failed on any subdomain after login.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-20 16:43:33 +01:00
Gonçalo Rodrigues
0442f6cde7 feat: add Skaffold for local k3d development
- Root skaffold.yaml composes all services; local profile auto-activates
  on k3d-homelab context (push: false, k3d image import); ci profile
  pushes to registry with git-commit tags
- Per-service skaffold.yaml for per-service dev (run from service dir)
- Add finance-api skaffold.yaml (was missing)
- Deployment images use bare name (homelab/<svc>) — Skaffold substitutes
  the correct tagged image; no registry prefix needed for local dev
- Add namespace: auth to all auth service manifests
- Remove skaffold.yaml from .gitignore

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-20 16:30:24 +01:00
Gonçalo Rodrigues
f5c08d6f02 fix: add git.homelab.local registry prefix and imagePullSecrets to all app deployments
auth/gateway, auth/users, and test/example-service were referencing
images without a registry prefix, causing k8s to fall back to Docker Hub
(which doesn't have these images).

Also generalises the gitea-registry imagePullSecret to all app namespaces
(auth, finance, home, test) via a for_each in Terraform.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-20 16:01:55 +01:00
Gonçalo Rodrigues
b27268febe fix: revert image names to match service.mk directory-derived names
service.mk builds homelab/<dirname>:latest so manifests must match:
- homelab/api:latest (finance/services/api)
- homelab/users:latest (auth/services/users)
- homelab/gateway:latest (auth/services/gateway)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-13 16:04:26 +01:00
Gonçalo Rodrigues
85930ef40f ci: switch to self-hosted runner with local k3d image import
Removes all ghcr.io and registry dependencies. Workflows now build
images locally, import them into k3d, and deploy with kubectl set image
— all on the self-hosted runner which already has Docker and kubectl.

Also removes the github Terraform provider and ci.tf since no registry
pull secrets or GitHub Actions secrets are needed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-13 14:33:12 +01:00
Gonçalo Rodrigues
94b23fc839 ci: add GitHub Actions workflows and update image references to ghcr.io
Three path-filtered workflows (finance-api, auth-users, auth-gateway)
each build, push to ghcr.io, and rollout to k3s on push to main.
Deployment manifests updated from local image refs to ghcr.io with
imagePullSecrets referencing a ghcr-credentials k8s secret.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-13 14:03:05 +01:00
Gonçalo Rodrigues
13b7149614 First Commit
2026-06-13 11:25:23 +01:00