forgejo: open native self-signups, gated by Turnstile + email confirmation
All checks were successful
ci/woodpecker/push/default Pipeline was successful
All checks were successful
ci/woodpecker/push/default Pipeline was successful
Viktor wants Forgejo open for anyone to sign up, but without bot/spam
account floods. Flip the deployment from OAuth-only registration
(ALLOW_ONLY_EXTERNAL_REGISTRATION=true) to allowing native local
sign-up, and add two bot gates on the registration form:
- Cloudflare Turnstile captcha (CAPTCHA_TYPE=cfturnstile). The widget
is managed in Terraform (turnstile.tf) via the CF Global API key, so
the sitekey/secret are IaC, not a dashboard artifact.
- Mandatory email confirmation (REGISTER_EMAIL_CONFIRM=true). Wire the
Forgejo mailer to the cluster mailserver as noreply@viktorbarzin.me
(mail.viktorbarzin.me:587 STARTTLS), reusing the same Vault-sourced
credential Authentik uses (email-secret.tf ESO -> secret/authentik
smtp_password).
Existing Authentik OAuth2 login is unchanged (additive). Deployment env
appended (not inserted) so the diff stays purely additive; a reloader
annotation rolls the pod on secret rotation.
Verified live: signup page renders the Turnstile widget, mailer delivers
a test message end-to-end, Forgejo healthy, plan-to-zero after apply.
Runbook: docs/runbooks/forgejo-open-signups.md
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin
parent
21dbd79ae4
commit
963e4fcdde
5 changed files with 292 additions and 3 deletions
31
stacks/forgejo/turnstile.tf
Normal file
31
stacks/forgejo/turnstile.tf
Normal file
|
|
@ -0,0 +1,31 @@
|
|||
# Cloudflare Turnstile widget guarding the open Forgejo signup form
|
||||
# (main.tf: FORGEJO__service__ENABLE_CAPTCHA + CAPTCHA_TYPE=cfturnstile).
|
||||
# Managed here so the sitekey/secret are IaC rather than a dashboard artifact.
|
||||
# The CF Global API Key (cloudflare_provider.tf) has account-wide access, so it
|
||||
# can manage Turnstile. The widget secret is sensitive and lands in TF state
|
||||
# (Tier-1 PG, encrypted at rest) — same trust level as the API key already in
|
||||
# state. Forgejo is non-proxied, but Turnstile is a client-side JS widget served
|
||||
# from challenges.cloudflare.com, so proxy status is irrelevant.
|
||||
data "cloudflare_accounts" "main" {}
|
||||
|
||||
resource "cloudflare_turnstile_widget" "forgejo_signup" {
|
||||
account_id = data.cloudflare_accounts.main.accounts[0].id
|
||||
name = "forgejo-signup"
|
||||
domains = ["forgejo.viktorbarzin.me"]
|
||||
# "managed" = Cloudflare adaptively decides whether to show an interactive
|
||||
# challenge; lowest friction for real users, strong against bots.
|
||||
mode = "managed"
|
||||
}
|
||||
|
||||
# Turnstile secret -> K8s Secret consumed by the Forgejo deployment via
|
||||
# secret_key_ref (FORGEJO__service__CF_TURNSTILE_SECRET). The sitekey is public
|
||||
# and passed as a plain env value in main.tf.
|
||||
resource "kubernetes_secret" "forgejo_turnstile" {
|
||||
metadata {
|
||||
name = "forgejo-turnstile"
|
||||
namespace = kubernetes_namespace.forgejo.metadata[0].name
|
||||
}
|
||||
data = {
|
||||
"cf-turnstile-secret" = cloudflare_turnstile_widget.forgejo_signup.secret
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue