05dd725579
* fix(k8s): expose / without auth so homepage is publicly reachable
Adds a second Ingress (api-public) for the exact path / with no
forward-auth middleware. Traefik prefers the Exact match for the root,
while the Prefix ingress (with auth) still protects all other routes.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: homepage renders correctly at / for unauthenticated visitors
Two fixes:
1. Added parseStandalone() helper — parseTmpl() roots on "" but ParseFS()
stores standalone (no {{define}}) files under their base filename, so
Execute() ran the empty root and returned Content-Length: 0.
2. Added router.priority: 100 annotation to api-public ingress so Traefik
picks the Exact / rule over the Prefix / rule (Traefik ranks by rule
string length by default, which made PathPrefix beat Path).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(k8s): remove forward-auth middleware from finance ingress
The app now handles its own auth at /auth/login — Traefik no longer
needs to forward-auth requests, which was causing redirects to
auth.homelab.local instead of finance.homelab.local.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat(auth): harden authentication for cloud deployment
1. Secure cookie flag — set when BASE_URL starts with https://
2. SameSite=Strict on session cookie (was Lax)
3. Rate limiter — per-IP, 10 failures → 15-min lockout, auto-cleanup goroutine
4. Session rotation on login — old session deleted before issuing new one
(prevents session fixation attacks)
5. bcrypt cost 12 (was DefaultCost/10, OWASP minimum for cloud)
6. Security headers middleware on all responses:
X-Content-Type-Options, X-Frame-Options, Referrer-Policy,
Permissions-Policy, Content-Security-Policy, HSTS (when HTTPS)
7. Structured audit logging — login success/failure/lockout with IP + email
8. Google OAuth state cookie gets Secure flag too
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat(infra): Gitea self-hosted CI/CD + MongoDB PVC + registry pipeline
- Add Gitea Helm deployment (git hosting, container registry, Gitea Actions)
- Add act runner with DinD sidecar for Docker builds in-cluster
- Add RBAC so act runner can kubectl-deploy to finance namespace
- Fix MongoDB StatefulSet: add volumeClaimTemplates (data was lost on restart)
- Configure k3d containerd to mirror git.homelab.local → Gitea NodePort 30002
- Add .gitea/workflows/finance-api.yml: test → build/push → rolling deploy
- Update finance-api deployment: Gitea registry image, imagePullPolicy Always
- Extract finance-api secrets (SESSION_SECRET, Google OAuth) into Terraform
- Add variables.tf for Gitea admin password and runner token
All changes testable on local k3d before the VPS exists.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Gonçalo Rodrigues <guga@Goncalos-MacBook-Pro.local>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
96 lines
2.4 KiB
HCL
96 lines
2.4 KiB
HCL
resource "kubernetes_secret" "gitea_admin" {
|
|
metadata {
|
|
name = "gitea-admin"
|
|
namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
|
|
}
|
|
data = {
|
|
username = "admin"
|
|
password = var.gitea_admin_password
|
|
email = "admin@homelab.local"
|
|
}
|
|
}
|
|
|
|
resource "helm_release" "gitea" {
|
|
name = "gitea"
|
|
namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
|
|
repository = "https://dl.gitea.com/charts/"
|
|
chart = "gitea"
|
|
version = "~> 10.0"
|
|
atomic = true
|
|
timeout = 300
|
|
|
|
values = [yamlencode({
|
|
gitea = {
|
|
admin = {
|
|
existingSecret = kubernetes_secret.gitea_admin.metadata[0].name
|
|
}
|
|
config = {
|
|
APP_NAME = "Homelab Git"
|
|
server = {
|
|
DOMAIN = "git.homelab.local"
|
|
ROOT_URL = "http://git.homelab.local"
|
|
SSH_DOMAIN = "localhost"
|
|
SSH_PORT = 30001
|
|
}
|
|
packages = { ENABLED = "true" }
|
|
service = { DISABLE_REGISTRATION = "true" }
|
|
log = { LEVEL = "Warn" }
|
|
}
|
|
}
|
|
|
|
ingress = {
|
|
enabled = true
|
|
className = "traefik"
|
|
hosts = [{
|
|
host = "git.homelab.local"
|
|
paths = [{ path = "/", pathType = "Prefix" }]
|
|
}]
|
|
}
|
|
|
|
# NodePort 30002: used by k3d containerd registry mirror (see k3d/config.yaml)
|
|
service = {
|
|
http = {
|
|
type = "NodePort"
|
|
port = 3000
|
|
nodePort = 30002
|
|
}
|
|
ssh = {
|
|
type = "NodePort"
|
|
port = 22
|
|
nodePort = 30001
|
|
}
|
|
}
|
|
|
|
persistence = {
|
|
enabled = true
|
|
size = "10Gi"
|
|
storageClass = "local-path"
|
|
}
|
|
|
|
resources = {
|
|
requests = { cpu = "100m", memory = "256Mi" }
|
|
limits = { cpu = "500m", memory = "512Mi" }
|
|
}
|
|
})]
|
|
}
|
|
|
|
# imagePullSecret for finance namespace — allows k8s to pull images from Gitea registry.
|
|
# Containerd mirrors "git.homelab.local" to localhost:30002 (see k3d/config.yaml) and
|
|
# forwards these credentials to authenticate against the Gitea NodePort.
|
|
resource "kubernetes_secret" "gitea_registry_finance" {
|
|
metadata {
|
|
name = "gitea-registry"
|
|
namespace = kubernetes_namespace.domains["finance"].metadata[0].name
|
|
}
|
|
type = "kubernetes.io/dockerconfigjson"
|
|
data = {
|
|
".dockerconfigjson" = jsonencode({
|
|
auths = {
|
|
"git.homelab.local" = {
|
|
auth = base64encode("admin:${var.gitea_admin_password}")
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|