stacks/tasks: new stack for the tasks PWA (Authentik-gated, CNPG-backed)
Deploys the Reminders-style tasks app at tasks.viktorbarzin.me: namespace, ExternalSecrets (fernet_key from secret/tasks; TASKS_DB_DSN composed from the pg-tasks static-creds password the tripit way), single-replica Deployment of ghcr.io/viktorbarzin/tasks:latest (image ignore_changes per the fleet set-image pattern; Reloader restarts it on the 7-day DB password rotation; /healthz probes on 8000; Europe/Sofia local tz; DEV_USER deliberately absent — security invariant), Service on 8000, and an ingress_factory host with auth=required + dns_type=proxied since Authentik forward-auth is the app's only gate.

NetworkPolicy tasks-ingress (SEC-1) limits pod ingress to the traefik namespace plus monitoring on 8000 for /metrics, so the trusted X-authentik-username header cannot be spoofed by other pods.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
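The commit message describes the tasks-ingress NetworkPolicy only in prose, and that policy is what makes trusting X-authentik-username safe: the app never verifies the header itself, so the only thing stopping another pod from sending a forged one is network reachability. Below is an added example of how such a policy is expressed with Terraform's kubernetes provider; it is not code from this repository, and the namespace name `tasks`, the pod label `app = "tasks"`, the `monitoring` namespace name and the use of the standard `kubernetes.io/metadata.name` namespace label are assumptions, not taken from the page.

```hcl
# Added example, not the repository's own code. Expresses the tasks-ingress
# NetworkPolicy described in the commit message with the Terraform kubernetes
# provider. Assumed (not on the page): namespace "tasks", pod label
# app=tasks, namespace "monitoring", and that namespaces carry the standard
# kubernetes.io/metadata.name label (set automatically since Kubernetes 1.22).
resource "kubernetes_network_policy_v1" "tasks_ingress" {
  metadata {
    name      = "tasks-ingress"
    namespace = "tasks" # assumed
  }

  spec {
    # Selects only the app pods. Once a pod is selected by any policy whose
    # policyTypes include Ingress, all ingress not listed below is denied,
    # including traffic from other pods in the same namespace.
    pod_selector {
      match_labels = { app = "tasks" } # assumed label
    }
    policy_types = ["Ingress"]

    # Rule 1: the Traefik namespace. Only the forward-auth proxy may reach
    # port 8000, so X-authentik-username can only arrive after Authentik's
    # middleware has set it on the proxied request.
    ingress {
      from {
        namespace_selector {
          match_labels = { "kubernetes.io/metadata.name" = "traefik" }
        }
      }
      ports {
        port     = "8000"
        protocol = "TCP"
      }
    }

    # Rule 2: the monitoring namespace, for Prometheus scraping /metrics.
    # NetworkPolicy is L3/L4 only: this rule admits the whole port, not just
    # the /metrics path (see note below).
    ingress {
      from {
        namespace_selector {
          match_labels = { "kubernetes.io/metadata.name" = "monitoring" }
        }
      }
      ports {
        port     = "8000"
        protocol = "TCP"
      }
    }
  }
}
```

Two caveats a practitioner would want to check. First, the policy is only as good as the CNI enforcing it; after applying, run a client pod in a third namespace and confirm that a request to the tasks Service on 8000 times out rather than returning the app. Second, "monitoring on 8000 for /metrics" is an intent that a NetworkPolicy cannot express: anything in the monitoring namespace can reach the application endpoints on that port with an arbitrary X-authentik-username header, so the header-trust boundary includes every pod there. Narrowing the second rule with a `pod_selector` for the scraper, or serving metrics on a separate port that the policy admits alone, keeps the boundary to the proxy plus one workload.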
parent e0db1054e7
commit 02640df620
2 changed files with 367 additions and 0 deletions
23
stacks/tasks/terragrunt.hcl
Normal file
@ -0,0 +1,23 @@
include "root" {
path = find_in_parent_folders()
}

dependency "platform" {
config_path = "../platform"
skip_outputs = true
}

dependency "vault" {
config_path = "../vault"
skip_outputs = true
}

dependency "external-secrets" {
config_path = "../external-secrets"
skip_outputs = true
}

inputs = {
# Override per-deploy in CI / commit.
image_tag = "latest"
}
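Review bot: `image_tag = "latest"` as the committed default in `inputs` makes the stack non-reproducible. The comment says CI or the commit overrides it per deploy, but anyone running `terragrunt apply` from a checkout gets whatever the mutable `latest` tag on ghcr.io/viktorbarzin/tasks resolves to at that moment, and because the commit message says the Deployment image is under ignore_changes, the value recorded in state will silently drift from what is actually running. Suggest making the input fail closed rather than float, for example `image_tag = get_env("TASKS_IMAGE_TAG")` (Terragrunt's get_env with no default errors when the variable is unset) with CI passing an immutable tag or a `sha256:` digest, or at minimum name in the comment which job sets it. Minor: all three `dependency` blocks set `skip_outputs = true`, so they only order applies and read no outputs; a one-line comment saying so would save the next reader a check.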