05dd725579
* fix(k8s): expose / without auth so homepage is publicly reachable
Adds a second Ingress (api-public) for the exact path / with no
forward-auth middleware. Traefik prefers the Exact match for the root,
while the Prefix ingress (with auth) still protects all other routes.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: homepage renders correctly at / for unauthenticated visitors
Two fixes:
1. Added parseStandalone() helper — parseTmpl() roots on "" but ParseFS()
stores standalone (no {{define}}) files under their base filename, so
Execute() ran the empty root and returned Content-Length: 0.
2. Added router.priority: 100 annotation to api-public ingress so Traefik
picks the Exact / rule over the Prefix / rule (Traefik ranks by rule
string length by default, which made PathPrefix beat Path).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(k8s): remove forward-auth middleware from finance ingress
The app now handles its own auth at /auth/login — Traefik no longer
needs to forward-auth requests, which was causing redirects to
auth.homelab.local instead of finance.homelab.local.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat(auth): harden authentication for cloud deployment
1. Secure cookie flag — set when BASE_URL starts with https://
2. SameSite=Strict on session cookie (was Lax)
3. Rate limiter — per-IP, 10 failures → 15-min lockout, auto-cleanup goroutine
4. Session rotation on login — old session deleted before issuing new one
(prevents session fixation attacks)
5. bcrypt cost 12 (was DefaultCost/10, OWASP minimum for cloud)
6. Security headers middleware on all responses:
X-Content-Type-Options, X-Frame-Options, Referrer-Policy,
Permissions-Policy, Content-Security-Policy, HSTS (when HTTPS)
7. Structured audit logging — login success/failure/lockout with IP + email
8. Google OAuth state cookie gets Secure flag too
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat(infra): Gitea self-hosted CI/CD + MongoDB PVC + registry pipeline
- Add Gitea Helm deployment (git hosting, container registry, Gitea Actions)
- Add act runner with DinD sidecar for Docker builds in-cluster
- Add RBAC so act runner can kubectl-deploy to finance namespace
- Fix MongoDB StatefulSet: add volumeClaimTemplates (data was lost on restart)
- Configure k3d containerd to mirror git.homelab.local → Gitea NodePort 30002
- Add .gitea/workflows/finance-api.yml: test → build/push → rolling deploy
- Update finance-api deployment: Gitea registry image, imagePullPolicy Always
- Extract finance-api secrets (SESSION_SECRET, Google OAuth) into Terraform
- Add variables.tf for Gitea admin password and runner token
All changes testable on local k3d before the VPS exists.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Gonçalo Rodrigues <guga@Goncalos-MacBook-Pro.local>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
96 lines
2.8 KiB
YAML
96 lines
2.8 KiB
YAML
name: Finance API
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
paths:
|
|
- "apps/finance/**"
|
|
- "pkg/**"
|
|
- "go.mod"
|
|
- "go.sum"
|
|
pull_request:
|
|
paths:
|
|
- "apps/finance/**"
|
|
- "pkg/**"
|
|
|
|
env:
|
|
# Internal Gitea service — reachable from within the cluster (pipeline steps via DinD)
|
|
GITEA_INTERNAL: gitea-http.gitea.svc.cluster.local:3000
|
|
# Public registry hostname — used in k8s image references (containerd mirrors to NodePort 30002)
|
|
REGISTRY: git.homelab.local
|
|
IMAGE: git.homelab.local/admin/finance-api
|
|
|
|
jobs:
|
|
test:
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: golang:1.25
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Cache Go modules
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: /go/pkg/mod
|
|
key: go-${{ hashFiles('go.sum') }}
|
|
- name: Test
|
|
run: go test ./apps/finance/... ./pkg/...
|
|
|
|
build-push:
|
|
needs: test
|
|
runs-on: ubuntu-latest
|
|
if: github.ref == 'refs/heads/main'
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Login to Gitea registry
|
|
run: |
|
|
echo "${{ secrets.GITEA_ADMIN_PASSWORD }}" | \
|
|
docker login ${{ env.GITEA_INTERNAL }} -u admin --password-stdin
|
|
|
|
- name: Build and push
|
|
run: |
|
|
SHA=${{ github.sha }}
|
|
# Build image — tag with both sha and latest
|
|
docker build \
|
|
-t ${{ env.GITEA_INTERNAL }}/admin/finance-api:${SHA} \
|
|
-t ${{ env.GITEA_INTERNAL }}/admin/finance-api:latest \
|
|
-f apps/finance/services/api/Dockerfile \
|
|
.
|
|
docker push ${{ env.GITEA_INTERNAL }}/admin/finance-api:${SHA}
|
|
docker push ${{ env.GITEA_INTERNAL }}/admin/finance-api:latest
|
|
|
|
deploy:
|
|
needs: build-push
|
|
runs-on: ubuntu-latest
|
|
if: github.ref == 'refs/heads/main'
|
|
steps:
|
|
- name: Install kubectl
|
|
run: |
|
|
curl -LO "https://dl.k8s.io/release/v1.31.0/bin/linux/amd64/kubectl"
|
|
chmod +x kubectl && mv kubectl /usr/local/bin/
|
|
|
|
# The runner pod has a ServiceAccount with deploy permissions.
|
|
# Mount its token via the act runner valid_volumes config.
|
|
- name: Deploy to cluster
|
|
run: |
|
|
SHA=${{ github.sha }}
|
|
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
|
|
CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
|
K8S=https://kubernetes.default.svc
|
|
|
|
kubectl \
|
|
--server=$K8S \
|
|
--token=$TOKEN \
|
|
--certificate-authority=$CA \
|
|
set image deployment/api \
|
|
api=${{ env.IMAGE }}:${SHA} \
|
|
-n finance
|
|
|
|
kubectl \
|
|
--server=$K8S \
|
|
--token=$TOKEN \
|
|
--certificate-authority=$CA \
|
|
rollout status deployment/api \
|
|
-n finance \
|
|
--timeout=120s
|