Add terminal stack - reverse proxy to ttyd behind authentik

Exposes ttyd at 10.0.10.10:7681 via terminal.viktorbarzin.me with Cloudflare DNS and Authentik forward-auth protection.
2026-03-10 23:46:01 +00:00 · 2026-03-10 23:46:01 +00:00 · 0d3ef78f3a
commit 0d3ef78f3a
parent 6b494b70dd
6 changed files with 128 additions and 0 deletions
--- a/config.tfvars
+++ b/config.tfvars
--- a/stacks/terminal/main.tf
+++ b/stacks/terminal/main.tf
@ -0,0 +1,72 @@
+variable "tls_secret_name" {
+  type      = string
+  sensitive = true
+}
+
+resource "kubernetes_namespace" "terminal" {
+  metadata {
+    name = "terminal"
+    labels = {
+      "istio-injection" : "disabled"
+      tier = local.tiers.aux
+    }
+  }
+}
+
+module "tls_secret" {
+  source          = "../../modules/kubernetes/setup_tls_secret"
+  namespace       = kubernetes_namespace.terminal.metadata[0].name
+  tls_secret_name = var.tls_secret_name
+}
+
+# Service + Endpoints to reverse-proxy to ttyd at 10.0.10.10:7681
+resource "kubernetes_service" "terminal" {
+  metadata {
+    name      = "terminal"
+    namespace = kubernetes_namespace.terminal.metadata[0].name
+    labels = {
+      app = "terminal"
+    }
+  }
+
+  spec {
+    port {
+      name        = "http"
+      port        = 80
+      target_port = 7681
+    }
+  }
+}
+
+resource "kubernetes_endpoints" "terminal" {
+  metadata {
+    name      = "terminal"
+    namespace = kubernetes_namespace.terminal.metadata[0].name
+  }
+
+  subset {
+    address {
+      ip = "10.0.10.10"
+    }
+    port {
+      name = "http"
+      port = 7681
+    }
+  }
+}
+
+module "ingress" {
+  source          = "../../modules/kubernetes/ingress_factory"
+  namespace       = kubernetes_namespace.terminal.metadata[0].name
+  name            = "terminal"
+  tls_secret_name = var.tls_secret_name
+  protected       = true
+  extra_annotations = {
+    "gethomepage.dev/enabled"      = "true"
+    "gethomepage.dev/name"         = "Terminal"
+    "gethomepage.dev/description"  = "Web terminal (ttyd)"
+    "gethomepage.dev/icon"         = "mdi-console"
+    "gethomepage.dev/group"        = "Infrastructure"
+    "gethomepage.dev/pod-selector" = ""
+  }
+}
--- a/stacks/terminal/secrets/fullchain.pem
+++ b/stacks/terminal/secrets/fullchain.pem
@ -0,0 +1,48 @@
+-----BEGIN CERTIFICATE-----
+MIIDlTCCAxqgAwIBAgISBvDIlLwpDZs2hEwZWeUvq4gVMAoGCCqGSM49BAMDMDIx
+CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
+NzAeFw0yNjAyMTQyMzA2NDZaFw0yNjA1MTUyMzA2NDVaMBoxGDAWBgNVBAMTD3Zp
+a3RvcmJhcnppbi5tZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABP8GrH0I0dUB
+clgDenQcFQAqje+eg6ZS2YGe2vjbDsZFiBOqepISPrDSnBNq7CLNtMm9flr+ldw7
+ghs4N1j/ajajggImMIICIjAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUxAtiVrnp8HhoPacayElIikSS
+2RcwHwYDVR0jBBgwFoAUrkie3IcdRKBv2qLlYHQEeMKcAIAwMgYIKwYBBQUHAQEE
+JjAkMCIGCCsGAQUFBzAChhZodHRwOi8vZTcuaS5sZW5jci5vcmcvMC0GA1UdEQQm
+MCSCESoudmlrdG9yYmFyemluLm1lgg92aWt0b3JiYXJ6aW4ubWUwEwYDVR0gBAww
+CjAIBgZngQwBAgEwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2U3LmMubGVuY3Iu
+b3JnLzIyLmNybDCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB3AEmcm2neHXzs/Dbe
+zYdkprhbrwqHgBnRVVL76esp3fjDAAABnF6dqlAAAAQDAEgwRgIhALqavwUJGHOp
+9rIvPmeAbd14fR2kVjrmmwPKqVnwraD3AiEAiBH8UfmcdE2NULHHEQWqsXNzSay7
+weQAH6ysTwXt8sgAdQCWl2S/VViXrfdDh2g3CEJ36fA61fak8zZuRqQ/D8qpxgAA
+AZxenaqPAAAEAwBGMEQCIAvcxs2nNTNSnz8+AGVlZRYCeY+ADSqFGXtzgx/rtAGF
+AiAs7PTDnFtrNuY6UeprX9WXBCVWiJcefFCSIwgRvsMjzzAKBggqhkjOPQQDAwNp
+ADBmAjEA1wgegFLHC/MZJt7hYaYfvdaECgoAIwgnHQXYgP9eaB5SVDpRGcJWVQLT
+iLR2KEv0AjEA8ajBRm579Mv4WzYROi14Cy5cLaMwyZV5ZfRWLYhIdouLxzsXlgh5
+HmaIfzUQHaWe
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEVzCCAj+gAwIBAgIRAKp18eYrjwoiCWbTi7/UuqEwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
+WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCRTcwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARB6AST
+CFh/vjcwDMCgQer+VtqEkz7JANurZxLP+U9TCeioL6sp5Z8VRvRbYk4P1INBmbef
+QHJFHCxcSjKmwtvGBWpl/9ra8HW0QDsUaJW2qOJqceJ0ZVFT3hbUHifBM/2jgfgw
+gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
+ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSuSJ7chx1EoG/aouVgdAR4
+wpwAgDAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g
+BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu
+Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAjx66fDdLk5ywFn3CzA1w1qfylHUD
+aEf0QZpXcJseddJGSfbUUOvbNR9N/QQ16K1lXl4VFyhmGXDT5Kdfcr0RvIIVrNxF
+h4lqHtRRCP6RBRstqbZ2zURgqakn/Xip0iaQL0IdfHBZr396FgknniRYFckKORPG
+yM3QKnd66gtMst8I5nkRQlAg/Jb+Gc3egIvuGKWboE1G89NTsN9LTDD3PLj0dUMr
+OIuqVjLB8pEC6yk9enrlrqjXQgkLEYhXzq7dLafv5Vkig6Gl0nuuqjqfp0Q1bi1o
+yVNAlXe6aUXw92CcghC9bNsKEO1+M52YY5+ofIXlS/SEQbvVYYBLZ5yeiglV6t3S
+M6H+vTG0aP9YHzLn/KVOHzGQfXDP7qM5tkf+7diZe7o2fw6O7IvN6fsQXEQQj8TJ
+UXJxv2/uJhcuy/tSDgXwHM8Uk34WNbRT7zGTGkQRX0gsbjAea/jYAoWv0ZvQRwpq
+Pe79D/i7Cep8qWnA+7AE/3B3S/3dEEYmc0lpe1366A/6GEgk3ktr9PEoQrLChs6I
+tu3wnNLB2euC8IKGLQFpGtOO/2/hiAKjyajaBP25w1jF0Wl8Bbqne3uZ2q1GyPFJ
+YRmT7/OXpmOH/FVLtwS+8ng1cAmpCujPwteJZNcDG0sF2n/sc0+SQf49fdyUK0ty
+VUwFj9tmWxyR/M=
+-----END CERTIFICATE-----
--- a/stacks/terminal/secrets/privkey.pem
+++ b/stacks/terminal/secrets/privkey.pem
@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgWwcmcU+mLlFDxrKh
+Iy7RRghYkNr/MdLEwcePoe1vUWKhRANCAAT/Bqx9CNHVAXJYA3p0HBUAKo3vnoOm
+UtmBntr42w7GRYgTqnqSEj6w0pwTauwizbTJvX5a/pXcO4IbODdY/2o2
+-----END PRIVATE KEY-----
--- a/stacks/terminal/terragrunt.hcl
+++ b/stacks/terminal/terragrunt.hcl
@ -0,0 +1,3 @@
+include "root" {
+  path = find_in_parent_folders()
+}
--- a/terraform.tfvars
+++ b/terraform.tfvars