05dd725579
* fix(k8s): expose / without auth so homepage is publicly reachable
Adds a second Ingress (api-public) for the exact path / with no
forward-auth middleware. Traefik prefers the Exact match for the root,
while the Prefix ingress (with auth) still protects all other routes.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: homepage renders correctly at / for unauthenticated visitors
Two fixes:
1. Added parseStandalone() helper — parseTmpl() roots on "" but ParseFS()
stores standalone (no {{define}}) files under their base filename, so
Execute() ran the empty root and returned Content-Length: 0.
2. Added router.priority: 100 annotation to api-public ingress so Traefik
picks the Exact / rule over the Prefix / rule (Traefik ranks by rule
string length by default, which made PathPrefix beat Path).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(k8s): remove forward-auth middleware from finance ingress
The app now handles its own auth at /auth/login — Traefik no longer
needs to forward-auth requests, which was causing redirects to
auth.homelab.local instead of finance.homelab.local.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat(auth): harden authentication for cloud deployment
1. Secure cookie flag — set when BASE_URL starts with https://
2. SameSite=Strict on session cookie (was Lax)
3. Rate limiter — per-IP, 10 failures → 15-min lockout, auto-cleanup goroutine
4. Session rotation on login — old session deleted before issuing new one
(prevents session fixation attacks)
5. bcrypt cost 12 (was DefaultCost/10, OWASP minimum for cloud)
6. Security headers middleware on all responses:
X-Content-Type-Options, X-Frame-Options, Referrer-Policy,
Permissions-Policy, Content-Security-Policy, HSTS (when HTTPS)
7. Structured audit logging — login success/failure/lockout with IP + email
8. Google OAuth state cookie gets Secure flag too
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat(infra): Gitea self-hosted CI/CD + MongoDB PVC + registry pipeline
- Add Gitea Helm deployment (git hosting, container registry, Gitea Actions)
- Add act runner with DinD sidecar for Docker builds in-cluster
- Add RBAC so act runner can kubectl-deploy to finance namespace
- Fix MongoDB StatefulSet: add volumeClaimTemplates (data was lost on restart)
- Configure k3d containerd to mirror git.homelab.local → Gitea NodePort 30002
- Add .gitea/workflows/finance-api.yml: test → build/push → rolling deploy
- Update finance-api deployment: Gitea registry image, imagePullPolicy Always
- Extract finance-api secrets (SESSION_SECRET, Google OAuth) into Terraform
- Add variables.tf for Gitea admin password and runner token
All changes testable on local k3d before the VPS exists.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Gonçalo Rodrigues <guga@Goncalos-MacBook-Pro.local>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
45 lines
1023 B
YAML
45 lines
1023 B
YAML
---
|
|
apiVersion: k3d.io/v1alpha5
|
|
kind: Simple
|
|
metadata:
|
|
name: homelab
|
|
|
|
servers: 1
|
|
agents: 1
|
|
|
|
ports:
|
|
- port: 5001:80
|
|
nodeFilters:
|
|
- loadbalancer
|
|
- port: 443:443
|
|
nodeFilters:
|
|
- loadbalancer
|
|
- port: 30000-30010:30000-30010
|
|
nodeFilters:
|
|
- loadbalancer
|
|
|
|
# Registry mirror: k3s containerd pulls "git.homelab.local/..." images by redirecting
|
|
# to the Gitea NodePort (30002) on localhost inside the k3d node container.
|
|
# This is set up once at cluster creation — changing it requires recreating the cluster:
|
|
# k3d cluster delete homelab && k3d cluster create --config infrastructure/k3d/config.yaml
|
|
registries:
|
|
config: |
|
|
mirrors:
|
|
"git.homelab.local":
|
|
endpoint:
|
|
- "http://localhost:30002"
|
|
configs:
|
|
"localhost:30002":
|
|
tls:
|
|
insecure_skip_verify: true
|
|
|
|
options:
|
|
k3s:
|
|
extraArgs:
|
|
- arg: --disable=traefik
|
|
nodeFilters:
|
|
- server:*
|
|
kubeconfig:
|
|
updateDefaultKubeconfig: true
|
|
switchCurrentContext: true
|