infra/stacks/forgejo/turnstile.tf

# Cloudflare Turnstile widget guarding the open Forgejo signup form
# (main.tf: FORGEJO__service__ENABLE_CAPTCHA + CAPTCHA_TYPE=cfturnstile).
# Managed here so the sitekey/secret are IaC rather than a dashboard artifact.
# The CF Global API Key (cloudflare_provider.tf) has account-wide access, so it
# can manage Turnstile. The widget secret is sensitive and lands in TF state
# (Tier-1 PG, encrypted at rest) — same trust level as the API key already in
# state. Forgejo is non-proxied, but Turnstile is a client-side JS widget served
# from challenges.cloudflare.com, so proxy status is irrelevant.
data "cloudflare_accounts" "main" {}

resource "cloudflare_turnstile_widget" "forgejo_signup" {
  account_id = data.cloudflare_accounts.main.accounts[0].id
  name       = "forgejo-signup"
  domains    = ["forgejo.viktorbarzin.me"]
  # "managed" = Cloudflare adaptively decides whether to show an interactive
  # challenge; lowest friction for real users, strong against bots.
  mode = "managed"
}

# Turnstile secret -> K8s Secret consumed by the Forgejo deployment via
# secret_key_ref (FORGEJO__service__CF_TURNSTILE_SECRET). The sitekey is public
# and passed as a plain env value in main.tf.
resource "kubernetes_secret" "forgejo_turnstile" {
  metadata {
    name      = "forgejo-turnstile"
    namespace = kubernetes_namespace.forgejo.metadata[0].name
  }
  data = {
    "cf-turnstile-secret" = cloudflare_turnstile_widget.forgejo_signup.secret
  }
}
forgejo: open native self-signups, gated by Turnstile + email confirmation Viktor wants Forgejo open for anyone to sign up, but without bot/spam account floods. Flip the deployment from OAuth-only registration (ALLOW_ONLY_EXTERNAL_REGISTRATION=true) to allowing native local sign-up, and add two bot gates on the registration form: - Cloudflare Turnstile captcha (CAPTCHA_TYPE=cfturnstile). The widget is managed in Terraform (turnstile.tf) via the CF Global API key, so the sitekey/secret are IaC, not a dashboard artifact. - Mandatory email confirmation (REGISTER_EMAIL_CONFIRM=true). Wire the Forgejo mailer to the cluster mailserver as noreply@viktorbarzin.me (mail.viktorbarzin.me:587 STARTTLS), reusing the same Vault-sourced credential Authentik uses (email-secret.tf ESO -> secret/authentik smtp_password). Existing Authentik OAuth2 login is unchanged (additive). Deployment env appended (not inserted) so the diff stays purely additive; a reloader annotation rolls the pod on secret rotation. Verified live: signup page renders the Turnstile widget, mailer delivers a test message end-to-end, Forgejo healthy, plan-to-zero after apply. Runbook: docs/runbooks/forgejo-open-signups.md Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-19 16:05:07 +00:00			`# Cloudflare Turnstile widget guarding the open Forgejo signup form`
			`# (main.tf: FORGEJO__service__ENABLE_CAPTCHA + CAPTCHA_TYPE=cfturnstile).`
			`# Managed here so the sitekey/secret are IaC rather than a dashboard artifact.`
			`# The CF Global API Key (cloudflare_provider.tf) has account-wide access, so it`
			`# can manage Turnstile. The widget secret is sensitive and lands in TF state`
			`# (Tier-1 PG, encrypted at rest) — same trust level as the API key already in`
			`# state. Forgejo is non-proxied, but Turnstile is a client-side JS widget served`
			`# from challenges.cloudflare.com, so proxy status is irrelevant.`
			`data "cloudflare_accounts" "main" {}`

			`resource "cloudflare_turnstile_widget" "forgejo_signup" {`
			`account_id = data.cloudflare_accounts.main.accounts[0].id`
			`name = "forgejo-signup"`
			`domains = ["forgejo.viktorbarzin.me"]`
			`# "managed" = Cloudflare adaptively decides whether to show an interactive`
			`# challenge; lowest friction for real users, strong against bots.`
			`mode = "managed"`
			`}`

			`# Turnstile secret -> K8s Secret consumed by the Forgejo deployment via`
			`# secret_key_ref (FORGEJO__service__CF_TURNSTILE_SECRET). The sitekey is public`
			`# and passed as a plain env value in main.tf.`
			`resource "kubernetes_secret" "forgejo_turnstile" {`
			`metadata {`
			`name = "forgejo-turnstile"`
			`namespace = kubernetes_namespace.forgejo.metadata[0].name`
			`}`
			`data = {`
			`"cf-turnstile-secret" = cloudflare_turnstile_widget.forgejo_signup.secret`
			`}`
			`}`