viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/stacks/terminal/main.tf

485 lines
15 KiB
Terraform
Raw Normal View History

Add terminal stack - reverse proxy to ttyd behind authentik Exposes ttyd at 10.0.10.10:7681 via terminal.viktorbarzin.me with Cloudflare DNS and Authentik forward-auth protection.
2026-03-10 23:46:01 +00:00
variable "tls_secret_name" {
type = string
sensitive = true
}
resource "kubernetes_namespace" "terminal" {
metadata {
name = "terminal"
labels = {
"istio-injection" : "disabled"
terminal: probe + alerts after Traefik replica routing-table skew User reported "site loads but failed to connect on the tmux session". Root cause was a Traefik replica (traefik-db7696fbf-ktjjz) that came up missing the kubernetes_ingress-derived router for terminal.viktorbarzin.me — only the IngressRoute CRDs registered. About 1/3 of /token preflight requests landed on that replica and got 404 with router="-", and WS upgrades intermittently failed the same way, so the lobby iframe stayed stuck on "Failed to connect. Retrying...". `kubectl delete pod` on the bad replica restored the missing router and unblocked the user. This commit adds the long-term mitigation: stacks/terminal/main.tf - kubernetes_cron_job_v1.webterminal_probe runs every 5min, hits /token + /ws via Cloudflare and the in-cluster ttyd Service, pushes 4 gauges to Pushgateway (token_status, ws_status, ttyd_status, last_success_timestamp). Verified the probe end-to-end: token=302 ws=302 ttyd=200 ok=1 stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl - Webterminal group: WebterminalTokenDegraded (warning, 10m), WebterminalWebsocketDegraded (critical, 10m), WebterminalTtydUnreachable (critical, 10m), WebterminalProbeStale (warning, 15m). - Traefik Router Parity group: TraefikRouterCountSkew fires when any Traefik replica's router count diverges from siblings for >10m — catches the same class of issue cluster-wide, not just for terminal. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-17 10:04:26 +00:00
tier = local.tiers.aux
recruiter-responder: bump image_tag to 189ef901 OpenClaw can now answer 'what do we know about <company>?' from cache via the new recruiter_company_research tool, and recruiter_get embeds the cached research payload inline. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-16 12:41:05 +00:00
"keel.sh/enrolled" = "true"
Add terminal stack - reverse proxy to ttyd behind authentik Exposes ttyd at 10.0.10.10:7681 via terminal.viktorbarzin.me with Cloudflare DNS and Authentik forward-auth protection.
2026-03-10 23:46:01 +00:00
}
}
[infra] Suppress Goldilocks vpa-update-mode label drift on all namespaces [ci skip] ## Context Wave 3B-continued: the Goldilocks VPA dashboard (stacks/vpa) runs a Kyverno ClusterPolicy `goldilocks-vpa-auto-mode` that mutates every namespace with `metadata.labels["goldilocks.fairwinds.com/vpa-update-mode"] = "off"`. This is intentional — Terraform owns container resource limits, and Goldilocks should only provide recommendations, never auto-update. The label is how Goldilocks decides per-namespace whether to run its VPA in `off` mode. Effect on Terraform: every `kubernetes_namespace` resource shows the label as pending-removal (`-> null`) on every `scripts/tg plan`. Dawarich survey 2026-04-18 confirmed the drift. Cluster-side count: 88 namespaces carry the label (`kubectl get ns -o json | jq ... | wc -l`). Every TF-managed namespace is affected. This commit brings the intentional admission drift under the same `# KYVERNO_LIFECYCLE_V1` discoverability marker introduced in c9d221d5 for the ndots dns_config pattern. The marker now stands generically for any Kyverno admission-webhook drift suppression; the inline comment records which specific policy stamps which specific field so future grep audits show why each suppression exists. ## This change 107 `.tf` files touched — every stack's `resource "kubernetes_namespace"` resource gets: ```hcl lifecycle { # KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label on every namespace ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]] } ``` Injection was done with a brace-depth-tracking Python pass (`/tmp/add_goldilocks_ignore.py`): match `^resource "kubernetes_namespace" ` → track `{` / `}` until the outermost closing brace → insert the lifecycle block before the closing brace. The script is idempotent (skips any file that already mentions `goldilocks.fairwinds.com/vpa-update-mode`) so re-running is safe. Vault stack picked up 2 namespaces in the same file (k8s-users produces one, plus a second explicit ns) — confirmed via file diff (+8 lines). ## What is NOT in this change - `stacks/trading-bot/main.tf` — entire file is `/* … */` commented out (paused 2026-04-06 per user decision). Reverted after the script ran. - `stacks/_template/main.tf.example` — per-stack skeleton, intentionally minimal. User keeps it that way. Not touched by the script (file has no real `resource "kubernetes_namespace"` — only a placeholder comment). - `.terraform/` copies (e.g. `stacks/metallb/.terraform/modules/...`) — gitignored, won't commit; the live path was edited. - `terraform fmt` cleanup of adjacent pre-existing alignment issues in authentik, freedify, hermes-agent, nvidia, vault, meshcentral. Reverted to keep the commit scoped to the Goldilocks sweep. Those files will need a separate fmt-only commit or will be cleaned up on next real apply to that stack. ## Verification Dawarich (one of the hundred-plus touched stacks) showed the pattern before and after: ``` $ cd stacks/dawarich && ../../scripts/tg plan Before: Plan: 0 to add, 2 to change, 0 to destroy. # kubernetes_namespace.dawarich will be updated in-place (goldilocks.fairwinds.com/vpa-update-mode -> null) # module.tls_secret.kubernetes_secret.tls_secret will be updated in-place (Kyverno generate.* labels — fixed in 8d94688d) After: No changes. Your infrastructure matches the configuration. ``` Injection count check: ``` $ rg -c 'KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode' stacks/ | awk -F: '{s+=$2} END {print s}' 108 ``` ## Reproduce locally 1. `git pull` 2. Pick any stack: `cd stacks/<name> && ../../scripts/tg plan` 3. Expect: no drift on the namespace's goldilocks.fairwinds.com/vpa-update-mode label. Closes: code-dwx Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 21:15:27 +00:00
lifecycle {
# KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label on every namespace
ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
}
Add terminal stack - reverse proxy to ttyd behind authentik Exposes ttyd at 10.0.10.10:7681 via terminal.viktorbarzin.me with Cloudflare DNS and Authentik forward-auth protection.
2026-03-10 23:46:01 +00:00
}
module "tls_secret" {
source = "../../modules/kubernetes/setup_tls_secret"
namespace = kubernetes_namespace.terminal.metadata[0].name
tls_secret_name = var.tls_secret_name
}
# Service + Endpoints to reverse-proxy to ttyd at 10.0.10.10:7681
resource "kubernetes_service" "terminal" {
metadata {
name = "terminal"
namespace = kubernetes_namespace.terminal.metadata[0].name
labels = {
app = "terminal"
}
}
spec {
port {
name = "http"
port = 80
target_port = 7681
}
}
}
resource "kubernetes_endpoints" "terminal" {
metadata {
name = "terminal"
namespace = kubernetes_namespace.terminal.metadata[0].name
}
subset {
address {
ip = "10.0.10.10"
}
port {
name = "http"
port = 7681
}
}
}
module "ingress" {
source = "../../modules/kubernetes/ingress_factory"
[infra] Auto-create Cloudflare DNS records from ingress_factory ## Context Deploying new services required manually adding hostnames to cloudflare_proxied_names/cloudflare_non_proxied_names in config.tfvars — a separate file from the service stack. This was frequently forgotten, leaving services unreachable externally. ## This change: - Add `dns_type` parameter to `ingress_factory` and `reverse_proxy/factory` modules. Setting `dns_type = "proxied"` or `"non-proxied"` auto-creates the Cloudflare DNS record (CNAME to tunnel or A/AAAA to public IP). - Simplify cloudflared tunnel from 100 per-hostname rules to wildcard `*.viktorbarzin.me → Traefik`. Traefik still handles host-based routing. - Add global Cloudflare provider via terragrunt.hcl (separate cloudflare_provider.tf with Vault-sourced API key). - Migrate 118 hostnames from centralized config.tfvars to per-service dns_type. 17 hostnames remain centrally managed (Helm ingresses, special cases). - Update docs, AGENTS.md, CLAUDE.md, dns.md runbook. ``` BEFORE AFTER config.tfvars (manual list) stacks/<svc>/main.tf | module "ingress" { v dns_type = "proxied" stacks/cloudflared/ } for_each = list | cloudflare_record auto-creates tunnel per-hostname cloudflare_record + annotation ``` ## What is NOT in this change: - Uptime Kuma monitor migration (still reads from config.tfvars) - 17 remaining centrally-managed hostnames (Helm, special cases) - Removal of allow_overwrite (keep until migration confirmed stable) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 13:45:04 +00:00
dns_type = "proxied"
Add terminal stack - reverse proxy to ttyd behind authentik Exposes ttyd at 10.0.10.10:7681 via terminal.viktorbarzin.me with Cloudflare DNS and Authentik forward-auth protection.
2026-03-10 23:46:01 +00:00
namespace = kubernetes_namespace.terminal.metadata[0].name
name = "terminal"
tls_secret_name = var.tls_secret_name
ingress_factory: replace `protected` bool with `auth` enum + audit pass across 100 stacks Phase 3+4 of default-deny ingress plan. Replaces the `protected = bool` (default false → unprotected) variable in `modules/kubernetes/ingress_factory` with `auth = string` enum (default "required" → fail-closed). Touches every ingress_factory caller so the audit decision is recorded explicitly in code. ingress_factory (Phase 3): - `auth = "required"`: standard Authentik forward-auth (the legacy `protected = true` semantic). - `auth = "public"`: forward-auth via the new `authentik-forward-auth-public` middleware → dedicated public outpost → guest auto-bind. Logged-in users keep their real identity. - `auth = "none"`: no Authentik middleware. For Anubis-fronted content, native client APIs (Git, /v2/, WebDAV), webhook receivers, the Authentik outpost itself. - `effective_anti_ai` default flips ON only when `auth = "none"` (auth-gated ingresses don't need anti-AI noise; the auth flow already discourages bots). Audit pass (Phase 4) across 96 ingress_factory call sites: - 49 explicit `protected = true` → `auth = "required"` - 8 explicit `protected = false` → `auth = "none"` (5) or `auth = "public"` (3) - 64 previously-default (no protected line) → `auth = "required"` ADDED, then reviewed individually: * 9 Anubis-fronted (blog, www, kms, travel, f1, cyberchef, jsoncrack, homepage, wrongmove UI, privatebin) → `auth = "none"` * 22 native-client / programmatic surfaces (Forgejo Git+/v2/, webhook handler, claude-memory MCP, Nextcloud WebDAV, Matrix, Vault CLI/OIDC, xray VPN, ntfy, woodpecker webhooks, n8n triggers, ntfy push, dawarich location ingestion, immich frame kiosk, headscale CP, send anonymous drops, rybbit beacon, vaultwarden API, Authentik UI itself + outposts) → `auth = "none"` * Remaining ~33 → `auth = "required"` confirmed (admin tools, internal UIs, services without app-level auth) - Smoke-test promotions to `auth = "public"`: fire-planner public UI, k8s-portal API, insta2spotify callback. Three call sites in wrapper modules (`stacks/freedify/factory/`, `stacks/reverse-proxy/modules/reverse_proxy/`) keep their internal `protected` bool — they translate to `auth` internally, out of scope for this rename. Behavior change: previously-default ingresses now fail closed (require Authentik login) unless explicitly flipped to `auth = "none"` or `auth = "public"`. This is the audit goal — no more accidentally-unprotected surfaces. Sites that were intentionally public (Anubis content, native APIs, webhooks) are now explicitly recorded as `auth = "none"`. Drive-by: `modules/create-vm/main.tf` picked up cosmetic alignment via `terraform fmt -recursive` during the audit. Behavior-neutral. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-10 18:53:49 +00:00
auth = "required"
Add terminal stack - reverse proxy to ttyd behind authentik Exposes ttyd at 10.0.10.10:7681 via terminal.viktorbarzin.me with Cloudflare DNS and Authentik forward-auth protection.
2026-03-10 23:46:01 +00:00
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Terminal"
"gethomepage.dev/description" = "Web terminal (ttyd)"
"gethomepage.dev/icon" = "mdi-console"
"gethomepage.dev/group" = "Infrastructure"
"gethomepage.dev/pod-selector" = ""
}
}
misc: actualbudget, authentik, headscale, rybbit, terminal, dbaas updates - actualbudget: adjust resource config - authentik: add configuration - headscale: minor fix - rybbit: add resources - terminal: add terminal stack config - platform/dbaas: add config - infra: update lock file
2026-04-06 11:58:00 +03:00
# Read-only terminal session at terminal-ro.viktorbarzin.me
resource "kubernetes_service" "terminal_ro" {
metadata {
name = "terminal-ro"
namespace = kubernetes_namespace.terminal.metadata[0].name
labels = {
app = "terminal-ro"
}
}
spec {
port {
name = "http"
port = 80
target_port = 7682
}
}
}
resource "kubernetes_endpoints" "terminal_ro" {
metadata {
name = "terminal-ro"
namespace = kubernetes_namespace.terminal.metadata[0].name
}
subset {
address {
ip = "10.0.10.10"
}
port {
name = "http"
port = 7682
}
}
}
feat(terminal): add clipboard paste support for text and images - Custom index.html with xterm.js for reliable Ctrl+V text paste - Go clipboard-upload service saves pasted images to /tmp/clipboard-images/ - Traefik IngressRoute routes /clipboard/* to upload service (same-origin) - Authentik-protected upload path with strip-prefix middleware
2026-04-06 16:57:18 +03:00
# Clipboard image upload service (same-origin path routing)
resource "kubernetes_service" "clipboard_upload" {
metadata {
name = "clipboard-upload"
namespace = kubernetes_namespace.terminal.metadata[0].name
labels = {
app = "clipboard-upload"
}
}
spec {
port {
name = "http"
port = 80
target_port = 7683
}
}
}
resource "kubernetes_endpoints" "clipboard_upload" {
metadata {
name = "clipboard-upload"
namespace = kubernetes_namespace.terminal.metadata[0].name
}
subset {
address {
ip = "10.0.10.10"
}
port {
name = "http"
port = 7683
}
}
}
# IngressRoute for /clipboard/* on terminal.viktorbarzin.me → clipboard-upload service
resource "kubernetes_manifest" "clipboard_ingressroute" {
manifest = {
apiVersion = "traefik.io/v1alpha1"
kind = "IngressRoute"
metadata = {
name = "clipboard-upload"
namespace = kubernetes_namespace.terminal.metadata[0].name
}
spec = {
entryPoints = ["websecure"]
routes = [{
match = "Host(`terminal.viktorbarzin.me`) && PathPrefix(`/clipboard/`)"
kind = "Rule"
middlewares = [
{
name = "authentik-forward-auth"
namespace = "traefik"
},
{
name = "clipboard-strip-prefix"
namespace = kubernetes_namespace.terminal.metadata[0].name
}
]
services = [{
name = "clipboard-upload"
port = 80
}]
}]
tls = {
secretName = var.tls_secret_name
}
}
}
}
resource "kubernetes_manifest" "clipboard_strip_prefix" {
manifest = {
apiVersion = "traefik.io/v1alpha1"
kind = "Middleware"
metadata = {
name = "clipboard-strip-prefix"
namespace = kubernetes_namespace.terminal.metadata[0].name
}
spec = {
stripPrefix = {
prefixes = ["/clipboard"]
}
}
}
}
misc: actualbudget, authentik, headscale, rybbit, terminal, dbaas updates - actualbudget: adjust resource config - authentik: add configuration - headscale: minor fix - rybbit: add resources - terminal: add terminal stack config - platform/dbaas: add config - infra: update lock file
2026-04-06 11:58:00 +03:00
module "ingress_ro" {
source = "../../modules/kubernetes/ingress_factory"
[infra] Auto-create Cloudflare DNS records from ingress_factory ## Context Deploying new services required manually adding hostnames to cloudflare_proxied_names/cloudflare_non_proxied_names in config.tfvars — a separate file from the service stack. This was frequently forgotten, leaving services unreachable externally. ## This change: - Add `dns_type` parameter to `ingress_factory` and `reverse_proxy/factory` modules. Setting `dns_type = "proxied"` or `"non-proxied"` auto-creates the Cloudflare DNS record (CNAME to tunnel or A/AAAA to public IP). - Simplify cloudflared tunnel from 100 per-hostname rules to wildcard `*.viktorbarzin.me → Traefik`. Traefik still handles host-based routing. - Add global Cloudflare provider via terragrunt.hcl (separate cloudflare_provider.tf with Vault-sourced API key). - Migrate 118 hostnames from centralized config.tfvars to per-service dns_type. 17 hostnames remain centrally managed (Helm ingresses, special cases). - Update docs, AGENTS.md, CLAUDE.md, dns.md runbook. ``` BEFORE AFTER config.tfvars (manual list) stacks/<svc>/main.tf | module "ingress" { v dns_type = "proxied" stacks/cloudflared/ } for_each = list | cloudflare_record auto-creates tunnel per-hostname cloudflare_record + annotation ``` ## What is NOT in this change: - Uptime Kuma monitor migration (still reads from config.tfvars) - 17 remaining centrally-managed hostnames (Helm, special cases) - Removal of allow_overwrite (keep until migration confirmed stable) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 13:45:04 +00:00
dns_type = "proxied"
misc: actualbudget, authentik, headscale, rybbit, terminal, dbaas updates - actualbudget: adjust resource config - authentik: add configuration - headscale: minor fix - rybbit: add resources - terminal: add terminal stack config - platform/dbaas: add config - infra: update lock file
2026-04-06 11:58:00 +03:00
namespace = kubernetes_namespace.terminal.metadata[0].name
name = "terminal-ro"
tls_secret_name = var.tls_secret_name
ingress_factory: replace `protected` bool with `auth` enum + audit pass across 100 stacks Phase 3+4 of default-deny ingress plan. Replaces the `protected = bool` (default false → unprotected) variable in `modules/kubernetes/ingress_factory` with `auth = string` enum (default "required" → fail-closed). Touches every ingress_factory caller so the audit decision is recorded explicitly in code. ingress_factory (Phase 3): - `auth = "required"`: standard Authentik forward-auth (the legacy `protected = true` semantic). - `auth = "public"`: forward-auth via the new `authentik-forward-auth-public` middleware → dedicated public outpost → guest auto-bind. Logged-in users keep their real identity. - `auth = "none"`: no Authentik middleware. For Anubis-fronted content, native client APIs (Git, /v2/, WebDAV), webhook receivers, the Authentik outpost itself. - `effective_anti_ai` default flips ON only when `auth = "none"` (auth-gated ingresses don't need anti-AI noise; the auth flow already discourages bots). Audit pass (Phase 4) across 96 ingress_factory call sites: - 49 explicit `protected = true` → `auth = "required"` - 8 explicit `protected = false` → `auth = "none"` (5) or `auth = "public"` (3) - 64 previously-default (no protected line) → `auth = "required"` ADDED, then reviewed individually: * 9 Anubis-fronted (blog, www, kms, travel, f1, cyberchef, jsoncrack, homepage, wrongmove UI, privatebin) → `auth = "none"` * 22 native-client / programmatic surfaces (Forgejo Git+/v2/, webhook handler, claude-memory MCP, Nextcloud WebDAV, Matrix, Vault CLI/OIDC, xray VPN, ntfy, woodpecker webhooks, n8n triggers, ntfy push, dawarich location ingestion, immich frame kiosk, headscale CP, send anonymous drops, rybbit beacon, vaultwarden API, Authentik UI itself + outposts) → `auth = "none"` * Remaining ~33 → `auth = "required"` confirmed (admin tools, internal UIs, services without app-level auth) - Smoke-test promotions to `auth = "public"`: fire-planner public UI, k8s-portal API, insta2spotify callback. Three call sites in wrapper modules (`stacks/freedify/factory/`, `stacks/reverse-proxy/modules/reverse_proxy/`) keep their internal `protected` bool — they translate to `auth` internally, out of scope for this rename. Behavior change: previously-default ingresses now fail closed (require Authentik login) unless explicitly flipped to `auth = "none"` or `auth = "public"`. This is the audit goal — no more accidentally-unprotected surfaces. Sites that were intentionally public (Anubis content, native APIs, webhooks) are now explicitly recorded as `auth = "none"`. Drive-by: `modules/create-vm/main.tf` picked up cosmetic alignment via `terraform fmt -recursive` during the audit. Behavior-neutral. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-10 18:53:49 +00:00
auth = "required"
misc: actualbudget, authentik, headscale, rybbit, terminal, dbaas updates - actualbudget: adjust resource config - authentik: add configuration - headscale: minor fix - rybbit: add resources - terminal: add terminal stack config - platform/dbaas: add config - infra: update lock file
2026-04-06 11:58:00 +03:00
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Terminal (Read-Only)"
"gethomepage.dev/description" = "Read-only web terminal (ttyd)"
"gethomepage.dev/icon" = "mdi-console"
"gethomepage.dev/group" = "Infrastructure"
"gethomepage.dev/pod-selector" = ""
}
}
terminal: add multi-tmux-session lobby on term.viktorbarzin.me (additive) New hostname term.viktorbarzin.me serves a session-picker UI that lists, creates, and kills tmux sessions. Visiting ?arg=<name> attaches to that session (auto-creates via tmux -A). Builds on a fresh ttyd instance (7685) plus a tmux-api Go binary (7684) on the DevVM, both running as User=wizard alongside (not replacing) the existing ttyd.service (7681), ttyd-ro.service (7682), and clipboard-upload (7683). Cutover of terminal.viktorbarzin.me to the multi-session setup is deferred. Terraform diff is purely additive — terminal-multi/tmux-api Service + Endpoints + ingress_multi (term.viktorbarzin.me, Authentik-gated) + an IngressRoute that path-prefixes /api/sessions/* to tmux-api with the matching strip-prefix Middleware. DevVM-side units ship under files/devvm/ with a README — manual scp + systemctl install (see files/devvm/README.md). ttyd 1.7.7 already deployed there (≥1.7 needed for -a). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-13 15:24:04 +00:00
terminal: extract app code to viktor/terminal-lobby on Forgejo The lobby has grown enough (frontend, two Go services, devvm units + scripts + config) that it earns its own repo. Code now lives at https://forgejo.viktorbarzin.me/viktor/terminal-lobby with scripts/deploy.sh covering the manual deploy until CI activation lands (Woodpecker forge_id=2 activation still 500s; Forgejo Actions not yet enabled). This stack now owns only the K8s side — Services, Endpoints, IngressRoutes, middlewares. main.tf comment block updated to point at the new repo and the full DevVM port map. Removed: - stacks/terminal/files/ (index.html + DevVM artefacts) - stacks/terminal/tmux-api/ (Go service) - stacks/terminal/clipboard-upload/ (Go service)
2026-05-13 21:10:56 +00:00
# === Multi-session lobby on terminal.viktorbarzin.me ===
terminal: add multi-tmux-session lobby on term.viktorbarzin.me (additive) New hostname term.viktorbarzin.me serves a session-picker UI that lists, creates, and kills tmux sessions. Visiting ?arg=<name> attaches to that session (auto-creates via tmux -A). Builds on a fresh ttyd instance (7685) plus a tmux-api Go binary (7684) on the DevVM, both running as User=wizard alongside (not replacing) the existing ttyd.service (7681), ttyd-ro.service (7682), and clipboard-upload (7683). Cutover of terminal.viktorbarzin.me to the multi-session setup is deferred. Terraform diff is purely additive — terminal-multi/tmux-api Service + Endpoints + ingress_multi (term.viktorbarzin.me, Authentik-gated) + an IngressRoute that path-prefixes /api/sessions/* to tmux-api with the matching strip-prefix Middleware. DevVM-side units ship under files/devvm/ with a README — manual scp + systemctl install (see files/devvm/README.md). ttyd 1.7.7 already deployed there (≥1.7 needed for -a). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-13 15:24:04 +00:00
#
terminal: extract app code to viktor/terminal-lobby on Forgejo The lobby has grown enough (frontend, two Go services, devvm units + scripts + config) that it earns its own repo. Code now lives at https://forgejo.viktorbarzin.me/viktor/terminal-lobby with scripts/deploy.sh covering the manual deploy until CI activation lands (Woodpecker forge_id=2 activation still 500s; Forgejo Actions not yet enabled). This stack now owns only the K8s side — Services, Endpoints, IngressRoutes, middlewares. main.tf comment block updated to point at the new repo and the full DevVM port map. Removed: - stacks/terminal/files/ (index.html + DevVM artefacts) - stacks/terminal/tmux-api/ (Go service) - stacks/terminal/clipboard-upload/ (Go service)
2026-05-13 21:10:56 +00:00
# Application code (frontend, tmux-api, clipboard-upload, DevVM
# systemd units / scripts / config) lives in a separate Forgejo repo:
# https://forgejo.viktorbarzin.me/viktor/terminal-lobby
terminal: cut over to multi-session lobby on terminal.viktorbarzin.me Promotes the staged multi-session UX from term.viktorbarzin.me to the primary terminal.viktorbarzin.me hostname. `ttyd.service` on the DevVM moves to the same ExecStart that `ttyd-multi.service` was running: `/usr/local/bin/ttyd -W -a -t enableClipboard=true -I /usr/local/share/ttyd/index.html -p 7681 /usr/local/bin/tmux-attach.sh`. The lobby HTML supersedes the old per-user-attach index.html (ttyd-session.sh wrapper retired alongside). Terraform: retires the `terminal-multi` Service+Endpoints and the term.viktorbarzin.me ingress (Cloudflare DNS record for `term` is released by module deletion). The tmux-api Service+Endpoints stay, but its IngressRoute now matches terminal.viktorbarzin.me — same path-prefix specificity wins against the catch-all ingress. DevVM follow-up (applied manually as before — see files/devvm/README.md): restart ttyd to pick up the new unit, stop+disable ttyd-multi.service.
2026-05-13 16:34:11 +00:00
#
terminal: extract app code to viktor/terminal-lobby on Forgejo The lobby has grown enough (frontend, two Go services, devvm units + scripts + config) that it earns its own repo. Code now lives at https://forgejo.viktorbarzin.me/viktor/terminal-lobby with scripts/deploy.sh covering the manual deploy until CI activation lands (Woodpecker forge_id=2 activation still 500s; Forgejo Actions not yet enabled). This stack now owns only the K8s side — Services, Endpoints, IngressRoutes, middlewares. main.tf comment block updated to point at the new repo and the full DevVM port map. Removed: - stacks/terminal/files/ (index.html + DevVM artefacts) - stacks/terminal/tmux-api/ (Go service) - stacks/terminal/clipboard-upload/ (Go service)
2026-05-13 21:10:56 +00:00
# That repo's ./scripts/deploy.sh ships everything to wizard@10.0.10.10
# and restarts ttyd / ttyd-ro / tmux-api / clipboard-upload. This stack
# only owns the Kubernetes side: Services, Endpoints pointing at
# 10.0.10.10:{7681,7682,7683,7684}, the IngressRoutes, and the Traefik
# middlewares that gate everything behind Authentik forward-auth.
#
# Service map (DevVM):
# ttyd :7681 → serves lobby + xterm WS
# ttyd-ro :7682 → read-only mirror at terminal-ro.viktorbarzin.me
# clipboard-upload :7683 → POST /upload, returns saved path
# tmux-api :7684 → GET /sessions, DELETE /sessions/<n>,
# POST /sessions/<n>/rename, GET /whoami
terminal: add multi-tmux-session lobby on term.viktorbarzin.me (additive) New hostname term.viktorbarzin.me serves a session-picker UI that lists, creates, and kills tmux sessions. Visiting ?arg=<name> attaches to that session (auto-creates via tmux -A). Builds on a fresh ttyd instance (7685) plus a tmux-api Go binary (7684) on the DevVM, both running as User=wizard alongside (not replacing) the existing ttyd.service (7681), ttyd-ro.service (7682), and clipboard-upload (7683). Cutover of terminal.viktorbarzin.me to the multi-session setup is deferred. Terraform diff is purely additive — terminal-multi/tmux-api Service + Endpoints + ingress_multi (term.viktorbarzin.me, Authentik-gated) + an IngressRoute that path-prefixes /api/sessions/* to tmux-api with the matching strip-prefix Middleware. DevVM-side units ship under files/devvm/ with a README — manual scp + systemctl install (see files/devvm/README.md). ttyd 1.7.7 already deployed there (≥1.7 needed for -a). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-13 15:24:04 +00:00
# Service+Endpoints → tmux-api on the DevVM (port 7684).
resource "kubernetes_service" "tmux_api" {
metadata {
name = "tmux-api"
namespace = kubernetes_namespace.terminal.metadata[0].name
labels = {
app = "tmux-api"
}
}
spec {
port {
name = "http"
port = 80
target_port = 7684
}
}
}
resource "kubernetes_endpoints" "tmux_api" {
metadata {
name = "tmux-api"
namespace = kubernetes_namespace.terminal.metadata[0].name
}
subset {
address {
ip = "10.0.10.10"
}
port {
name = "http"
port = 7684
}
}
}
terminal: cut over to multi-session lobby on terminal.viktorbarzin.me Promotes the staged multi-session UX from term.viktorbarzin.me to the primary terminal.viktorbarzin.me hostname. `ttyd.service` on the DevVM moves to the same ExecStart that `ttyd-multi.service` was running: `/usr/local/bin/ttyd -W -a -t enableClipboard=true -I /usr/local/share/ttyd/index.html -p 7681 /usr/local/bin/tmux-attach.sh`. The lobby HTML supersedes the old per-user-attach index.html (ttyd-session.sh wrapper retired alongside). Terraform: retires the `terminal-multi` Service+Endpoints and the term.viktorbarzin.me ingress (Cloudflare DNS record for `term` is released by module deletion). The tmux-api Service+Endpoints stay, but its IngressRoute now matches terminal.viktorbarzin.me — same path-prefix specificity wins against the catch-all ingress. DevVM follow-up (applied manually as before — see files/devvm/README.md): restart ttyd to pick up the new unit, stop+disable ttyd-multi.service.
2026-05-13 16:34:11 +00:00
# IngressRoute: /api/sessions/* on terminal.viktorbarzin.me → tmux-api
# service. Path-prefix specificity beats the catch-all `module.ingress`
# (terminal.viktorbarzin.me → ttyd) above, so the lobby HTML reaches
# tmux-api directly while everything else flows to ttyd.
terminal: add multi-tmux-session lobby on term.viktorbarzin.me (additive) New hostname term.viktorbarzin.me serves a session-picker UI that lists, creates, and kills tmux sessions. Visiting ?arg=<name> attaches to that session (auto-creates via tmux -A). Builds on a fresh ttyd instance (7685) plus a tmux-api Go binary (7684) on the DevVM, both running as User=wizard alongside (not replacing) the existing ttyd.service (7681), ttyd-ro.service (7682), and clipboard-upload (7683). Cutover of terminal.viktorbarzin.me to the multi-session setup is deferred. Terraform diff is purely additive — terminal-multi/tmux-api Service + Endpoints + ingress_multi (term.viktorbarzin.me, Authentik-gated) + an IngressRoute that path-prefixes /api/sessions/* to tmux-api with the matching strip-prefix Middleware. DevVM-side units ship under files/devvm/ with a README — manual scp + systemctl install (see files/devvm/README.md). ttyd 1.7.7 already deployed there (≥1.7 needed for -a). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-13 15:24:04 +00:00
resource "kubernetes_manifest" "tmux_api_ingressroute" {
manifest = {
apiVersion = "traefik.io/v1alpha1"
kind = "IngressRoute"
metadata = {
name = "tmux-api"
namespace = kubernetes_namespace.terminal.metadata[0].name
}
spec = {
entryPoints = ["websecure"]
routes = [{
terminal: cut over to multi-session lobby on terminal.viktorbarzin.me Promotes the staged multi-session UX from term.viktorbarzin.me to the primary terminal.viktorbarzin.me hostname. `ttyd.service` on the DevVM moves to the same ExecStart that `ttyd-multi.service` was running: `/usr/local/bin/ttyd -W -a -t enableClipboard=true -I /usr/local/share/ttyd/index.html -p 7681 /usr/local/bin/tmux-attach.sh`. The lobby HTML supersedes the old per-user-attach index.html (ttyd-session.sh wrapper retired alongside). Terraform: retires the `terminal-multi` Service+Endpoints and the term.viktorbarzin.me ingress (Cloudflare DNS record for `term` is released by module deletion). The tmux-api Service+Endpoints stay, but its IngressRoute now matches terminal.viktorbarzin.me — same path-prefix specificity wins against the catch-all ingress. DevVM follow-up (applied manually as before — see files/devvm/README.md): restart ttyd to pick up the new unit, stop+disable ttyd-multi.service.
2026-05-13 16:34:11 +00:00
match = "Host(`terminal.viktorbarzin.me`) && PathPrefix(`/api/sessions/`)"
terminal: add multi-tmux-session lobby on term.viktorbarzin.me (additive) New hostname term.viktorbarzin.me serves a session-picker UI that lists, creates, and kills tmux sessions. Visiting ?arg=<name> attaches to that session (auto-creates via tmux -A). Builds on a fresh ttyd instance (7685) plus a tmux-api Go binary (7684) on the DevVM, both running as User=wizard alongside (not replacing) the existing ttyd.service (7681), ttyd-ro.service (7682), and clipboard-upload (7683). Cutover of terminal.viktorbarzin.me to the multi-session setup is deferred. Terraform diff is purely additive — terminal-multi/tmux-api Service + Endpoints + ingress_multi (term.viktorbarzin.me, Authentik-gated) + an IngressRoute that path-prefixes /api/sessions/* to tmux-api with the matching strip-prefix Middleware. DevVM-side units ship under files/devvm/ with a README — manual scp + systemctl install (see files/devvm/README.md). ttyd 1.7.7 already deployed there (≥1.7 needed for -a). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-13 15:24:04 +00:00
kind = "Rule"
middlewares = [
{
name = "authentik-forward-auth"
namespace = "traefik"
},
{
name = "tmux-api-strip-prefix"
namespace = kubernetes_namespace.terminal.metadata[0].name
}
]
services = [{
name = "tmux-api"
port = 80
}]
}]
tls = {
secretName = var.tls_secret_name
}
}
}
}
resource "kubernetes_manifest" "tmux_api_strip_prefix" {
manifest = {
apiVersion = "traefik.io/v1alpha1"
kind = "Middleware"
metadata = {
name = "tmux-api-strip-prefix"
namespace = kubernetes_namespace.terminal.metadata[0].name
}
spec = {
stripPrefix = {
prefixes = ["/api/sessions"]
}
}
}
}
ci: retrigger apply for pending Keel enrollment (~58 stacks) Bulk enrollment commit 8f4b1956 had its CI pipeline #689 killed before terragrunt apply ran. The enrollment label + V2 lifecycle changes are in master but never reached the cluster. Appending a one-line marker to each pending stack's main.tf so Woodpecker's diff-detection picks them up and applies them serially. Idempotent — re-applying a stack whose state already matches is a no-op. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-16 13:42:57 +00:00
terminal: probe + alerts after Traefik replica routing-table skew User reported "site loads but failed to connect on the tmux session". Root cause was a Traefik replica (traefik-db7696fbf-ktjjz) that came up missing the kubernetes_ingress-derived router for terminal.viktorbarzin.me — only the IngressRoute CRDs registered. About 1/3 of /token preflight requests landed on that replica and got 404 with router="-", and WS upgrades intermittently failed the same way, so the lobby iframe stayed stuck on "Failed to connect. Retrying...". `kubectl delete pod` on the bad replica restored the missing router and unblocked the user. This commit adds the long-term mitigation: stacks/terminal/main.tf - kubernetes_cron_job_v1.webterminal_probe runs every 5min, hits /token + /ws via Cloudflare and the in-cluster ttyd Service, pushes 4 gauges to Pushgateway (token_status, ws_status, ttyd_status, last_success_timestamp). Verified the probe end-to-end: token=302 ws=302 ttyd=200 ok=1 stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl - Webterminal group: WebterminalTokenDegraded (warning, 10m), WebterminalWebsocketDegraded (critical, 10m), WebterminalTtydUnreachable (critical, 10m), WebterminalProbeStale (warning, 15m). - Traefik Router Parity group: TraefikRouterCountSkew fires when any Traefik replica's router count diverges from siblings for >10m — catches the same class of issue cluster-wide, not just for terminal. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-17 10:04:26 +00:00
# =============================================================================
# Webterminal probe (added 2026-05-17 after a Traefik replica came up with a
# partial routing table — only the IngressRoute CRDs registered; the
# kubernetes_ingress for terminal.viktorbarzin.me was missing, so ~70% of
# /token requests routed to that replica returned 404 with router="-". The
# lobby's WebSocket retry loop kept the user stuck on "Failed to connect.
# Retrying..." because Cloudflare → that replica → 404 broke /token and the
# /ws upgrade intermittently.
#
# The probe exercises the full external path (Cloudflare → Traefik → ttyd
# Service) every 5 minutes and pushes 4 gauges to Pushgateway:
# webterminal_probe_token_status — HTTP status of GET /token (want 302)
# webterminal_probe_ws_status — HTTP status of WS upgrade /ws (want 302)
# webterminal_probe_ttyd_status — In-cluster ttyd /token (want 200)
# webterminal_probe_last_success_timestamp — Unix ts of last fully-OK run
#
# Alerts live in monitoring/prometheus_chart_values.tpl group "Webterminal".
# =============================================================================
resource "kubernetes_cron_job_v1" "webterminal_probe" {
metadata {
name = "webterminal-probe"
namespace = kubernetes_namespace.terminal.metadata[0].name
}
spec {
concurrency_policy = "Forbid"
failed_jobs_history_limit = 3
successful_jobs_history_limit = 1
schedule = "*/5 * * * *"
job_template {
metadata {}
spec {
backoff_limit = 1
ttl_seconds_after_finished = 600
template {
metadata {
labels = {
app = "webterminal-probe"
}
}
spec {
restart_policy = "OnFailure"
container {
name = "probe"
image = "docker.io/library/alpine:3.20"
image_pull_policy = "IfNotPresent"
resources {
requests = {
cpu = "10m"
memory = "32Mi"
}
limits = {
memory = "96Mi"
}
}
env {
name = "TARGET_HOST"
value = "terminal.viktorbarzin.me"
}
env {
name = "PUSHGATEWAY"
value = "http://prometheus-prometheus-pushgateway.monitoring:9091/metrics/job/webterminal-probe"
}
command = ["/bin/sh", "-c", <<-EOT
set -u
apk add --no-cache curl python3 >/dev/null 2>&1
# Probe 1 — HTTP GET /token (Cloudflare → Traefik → ttyd).
# Without an Authentik cookie the response MUST be 302
# (forward-auth redirect). 404 means a Traefik router is
# missing on the replica that received the request.
TOKEN_STATUS=$(curl -sk -o /dev/null -w "%%{http_code}" \
--max-time 10 \
"https://$${TARGET_HOST}/token?arg=probe" || echo 0)
# Probe 2 — WebSocket upgrade to /ws. Same expectation: 302.
# 404 here is what produced "Failed to connect" in the lobby
# iframe. Use Python for a true Upgrade request — curl's
# synthetic upgrade headers don't always trigger the WS path
# through every Cloudflare POP.
WS_STATUS=$(python3 - <<'PYEOF' 2>/dev/null || echo 0
import ssl, socket, base64, os
try:
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
ctx.set_alpn_protocols(["http/1.1"])
sock = socket.create_connection((os.environ["TARGET_HOST"], 443), timeout=10)
ssock = ctx.wrap_socket(sock, server_hostname=os.environ["TARGET_HOST"])
key = base64.b64encode(os.urandom(16)).decode()
req = (
"GET /ws?arg=probe HTTP/1.1\r\n"
f"Host: {os.environ['TARGET_HOST']}\r\n"
"Upgrade: websocket\r\n"
"Connection: Upgrade\r\n"
f"Sec-WebSocket-Key: {key}\r\n"
"Sec-WebSocket-Version: 13\r\n"
"Sec-WebSocket-Protocol: tty\r\n"
f"Origin: https://{os.environ['TARGET_HOST']}\r\n"
"\r\n"
)
ssock.sendall(req.encode())
ssock.settimeout(5)
data = ssock.recv(2048)
ssock.close()
first = data.split(b"\r\n")[0].decode("ascii", "ignore")
parts = first.split()
print(parts[1] if len(parts) >= 2 and parts[1].isdigit() else 0)
except Exception:
print(0)
PYEOF
)
# Probe 3 — ttyd Service ClusterIP. Bypasses Cloudflare /
# Traefik / Authentik so we can tell whether the failure mode
# is "ttyd down" vs "edge proxy misrouting".
TTYD_STATUS=$(curl -s -o /dev/null -w "%%{http_code}" \
--max-time 5 -H "X-authentik-username: probe" \
"http://terminal.terminal.svc.cluster.local/token" || echo 0)
OK=0
if [ "$$TOKEN_STATUS" = "302" ] && [ "$$WS_STATUS" = "302" ] && [ "$$TTYD_STATUS" = "200" ]; then
OK=1
fi
NOW=$(date +%s)
cat <<METRICS | curl -sf --max-time 10 --data-binary @- "$$PUSHGATEWAY" >/dev/null 2>&1 || true
# HELP webterminal_probe_token_status HTTP status from GET /token via Cloudflare.
# TYPE webterminal_probe_token_status gauge
webterminal_probe_token_status $${TOKEN_STATUS:-0}
# HELP webterminal_probe_ws_status HTTP status from WebSocket upgrade /ws via Cloudflare.
# TYPE webterminal_probe_ws_status gauge
webterminal_probe_ws_status $${WS_STATUS:-0}
# HELP webterminal_probe_ttyd_status HTTP status from in-cluster ttyd /token.
# TYPE webterminal_probe_ttyd_status gauge
webterminal_probe_ttyd_status $${TTYD_STATUS:-0}
# HELP webterminal_probe_last_success_timestamp Unix ts of last fully-OK probe.
# TYPE webterminal_probe_last_success_timestamp gauge
webterminal_probe_last_success_timestamp $$([ "$$OK" = "1" ] && echo "$$NOW" || echo 0)
METRICS
echo "probe: token=$${TOKEN_STATUS} ws=$${WS_STATUS} ttyd=$${TTYD_STATUS} ok=$${OK}"
EOT
]
}
}
}
}
}
}
}
ci: retrigger apply for pending Keel enrollment (~58 stacks) Bulk enrollment commit 8f4b1956 had its CI pipeline #689 killed before terragrunt apply ran. The enrollment label + V2 lifecycle changes are in master but never reached the cluster. Appending a one-line marker to each pending stack's main.tf so Woodpecker's diff-detection picks them up and applies them serially. Idempotent — re-applying a stack whose state already matches is a no-op. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-16 13:42:57 +00:00
# CI retrigger 2026-05-16T13:42:57+00:00 — bulk enrollment apply (pipeline #689 killed)
ci: retrigger v2 — apply pending Keel-enrolled stacks (#697 was cancelled by #698)
2026-05-16 13:46:35 +00:00
# CI retrigger v2 2026-05-16T13:46:35+00:00
Reference in a new issue Copy permalink