From a361ad25481af0b6fad77302e87d57a5953a2c65 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sat, 24 Jan 2026 18:43:43 +0000 Subject: [PATCH] add mcaptcha but disabled as we found another way[ci skip] --- main.tf | 7 + modules/kubernetes/mcaptcha/main.tf | 309 ++++++++++++++++++++++++++++ 2 files changed, 316 insertions(+) create mode 100644 modules/kubernetes/mcaptcha/main.tf diff --git a/main.tf b/main.tf index 509fb6f9..68c3170d 100644 --- a/main.tf +++ b/main.tf @@ -136,6 +136,9 @@ variable "aiostreams_database_connection_string" { type = string } variable "actualbudget_credentials" { type = map(any) } variable "speedtest_db_password" { type = string } variable "freedify_credentials" { type = map(any) } +variable "mcaptcha_postgresql_password" { type = string } +variable "mcaptcha_cookie_secret" { type = string } +variable "mcaptcha_captcha_salt" { type = string } provider "kubernetes" { config_path = var.prod ? "" : "~/.kube/config" @@ -563,6 +566,10 @@ module "kubernetes_cluster" { speedtest_db_password = var.speedtest_db_password freedify_credentials = var.freedify_credentials + + mcaptcha_postgresql_password = var.mcaptcha_postgresql_password + mcaptcha_cookie_secret = var.mcaptcha_cookie_secret + mcaptcha_captcha_salt = var.mcaptcha_captcha_salt } diff --git a/modules/kubernetes/mcaptcha/main.tf b/modules/kubernetes/mcaptcha/main.tf new file mode 100644 index 00000000..4d0e7149 --- /dev/null +++ b/modules/kubernetes/mcaptcha/main.tf 
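Review bot: The three new root variables (`mcaptcha_postgresql_password`, `mcaptcha_cookie_secret`, `mcaptcha_captcha_salt`) hold a database password, a cookie secret and a captcha salt but are declared with only `type = string`, so Terraform will print their values in plan and apply output. Writing each declaration in multi-line form with `sensitive = true` added keeps them out of CLI and CI logs. The values are still stored in state, so the state backend needs access control and encryption regardless. The neighbouring context lines (`speedtest_db_password`, `freedify_credentials`) have the same shape and would benefit from the same treatment.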
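Review bot: The three `mcaptcha_*` arguments added to `module "kubernetes_cluster"` need matching `variable` declarations inside that module, but the diffstat lists only `main.tf` and `modules/kubernetes/mcaptcha/main.tf`. Unless they were declared in an earlier commit, `terraform validate` will reject them as unsupported arguments. Nothing visible here instantiates the new `mcaptcha` module, which is presumably what "disabled" means. If so, a comment above these lines such as `# mcaptcha module is not instantiated; inputs kept for later use` would record that the secrets are currently unused. The module block starts outside the hunk.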
@@ -0,0 +1,309 @@
+variable "tls_secret_name" {}
+variable "tier" { type = string }
+variable "postgresql_password" {}
+variable "cookie_secret" {}
+variable "captcha_salt" {}
+
+locals {
+ domain = "mcaptcha.viktorbarzin.me"
+ port = 7000
+}
+
+resource "kubernetes_namespace" "mcaptcha" {
+ metadata {
+ name = "mcaptcha"
+ labels = {
+ "istio-injection" : "disabled"
+ }
+ }
+}
+
+module "tls_secret" {
+ source = "../setup_tls_secret"
+ namespace = kubernetes_namespace.mcaptcha.metadata[0].name
+ tls_secret_name = var.tls_secret_name
+}
+
+# mCaptcha requires a special Redis with the mcaptcha/cache module loaded
+resource "kubernetes_deployment" "mcaptcha_redis" {
+ metadata {
+ name = "mcaptcha-redis"
+ namespace = kubernetes_namespace.mcaptcha.metadata[0].name
+ labels = {
+ app = "mcaptcha-redis"
+ tier = var.tier
+ }
+ }
+
+ spec {
+ replicas = 1
+ selector {
+ match_labels = {
+ app = "mcaptcha-redis"
+ }
+ }
+
+ strategy {
+ type = "Recreate"
+ }
+
+ template {
+ metadata {
+ labels = {
+ app = "mcaptcha-redis"
+ }
+ }
+
+ spec {
+ container {
+ image = "mcaptcha/cache:latest"
+ name = "redis"
+
+ port {
+ container_port = 6379
+ }
+
+ resources {
+ requests = {
+ memory = "64Mi"
+ cpu = "25m"
+ }
+ limits = {
+ memory = "128Mi"
+ cpu = "200m"
+ }
+ }
+
+ liveness_probe {
+ tcp_socket {
+ port = 6379
+ }
+ initial_delay_seconds = 10
+ period_seconds = 10
+ }
+
+ readiness_probe {
+ tcp_socket {
+ port = 6379
+ }
+ initial_delay_seconds = 5
+ period_seconds = 5
+ }
+ }
+ }
+ }
+ }
+}
+
+resource "kubernetes_service" "mcaptcha_redis" {
+ metadata {
+ name = "mcaptcha-redis"
+ namespace = kubernetes_namespace.mcaptcha.metadata[0].name
+ labels = {
+ app = "mcaptcha-redis"
+ }
+ }
+
+ spec {
+ selector = {
+ app = "mcaptcha-redis"
+ }
+ port {
+ name = "redis"
+ port = 6379
+ target_port = 6379
+ }
+ }
+}
+
+resource "kubernetes_deployment" "mcaptcha" {
+ metadata {
+ name = "mcaptcha"
+ namespace = kubernetes_namespace.mcaptcha.metadata[0].name
+ labels = {
+ app = "mcaptcha"
+ tier = var.tier
+ }
+ annotations = {
+ "reloader.stakater.com/search" = "true"
+ }
+ }
+
+ spec {
+ replicas = 1
+ selector {
+ match_labels = {
+ app = "mcaptcha"
+ }
+ }
+
+ strategy {
+ type = "Recreate"
+ }
+
+ template {
+ metadata {
+ labels = {
+ app = "mcaptcha"
+ }
+ annotations = {
+ "diun.enable" = "true"
+ "diun.include_tags" = "^\\d+(?:\\.\\d+)?(?:\\.\\d+)?$"
+ }
+ }
+
+ spec {
+ container {
+ image = "mcaptcha/mcaptcha:latest"
+ name = "mcaptcha"
+
+ port {
+ container_port = local.port
+ }
+
+ # Required configuration
+ env {
+ name = "MCAPTCHA_server_DOMAIN"
+ value = local.domain
+ }
+
+ env {
+ name = "MCAPTCHA_server_COOKIE_SECRET"
+ value = var.cookie_secret
+ }
+
+ env {
+ name = "MCAPTCHA_captcha_SALT"
+ value = var.captcha_salt
+ }
+
+ # Server configuration
+ env {
+ name = "PORT"
+ value = tostring(local.port)
+ }
+
+ env {
+ name = "MCAPTCHA_server_IP"
+ value = "0.0.0.0"
+ }
+
+ env {
+ name = "MCAPTCHA_server_PROXY_HAS_TLS"
+ value = "true"
+ }
+
+ # Database configuration (PostgreSQL)
+ env {
+ name = "DATABASE_URL"
+ value = "postgres://mcaptcha:${var.postgresql_password}@postgresql.dbaas.svc.cluster.local:5432/mcaptcha"
+ }
+
+ # Redis configuration (using mcaptcha/cache module)
+ env {
+ name = "MCAPTCHA_redis_URL"
+ value = "redis://mcaptcha-redis.mcaptcha.svc.cluster.local:6379"
+ }
+
+ # Feature flags
+ env {
+ name = "MCAPTCHA_allow_registration"
+ # value = "true"
+ value = "false"
+ }
+
+ env {
+ name = "MCAPTCHA_allow_demo"
+ value = "false"
+ }
+
+ env {
+ name = "MCAPTCHA_commercial"
+ value = "false"
+ }
+
+ env {
+ name = "MCAPTCHA_captcha_ENABLE_STATS"
+ value = "true"
+ }
+
+ env {
+ name = "MCAPTCHA_captcha_GC"
+ value = "30"
+ }
+
+ env {
+ name = "MCAPTCHA_debug"
+ value = "false"
+ }
+ env {
+ name = "RUST_BACKTRACE"
+ value = "1"
+ }
+
+ resources {
+ requests = {
+ memory = "64Mi"
+ cpu = "50m"
+ }
+ limits = {
+ memory = "256Mi"
+ cpu = "500m"
+ }
+ }
+
+ # Health checks
+ liveness_probe {
+ http_get {
+ path = "/"
+ port = local.port
+ }
+ initial_delay_seconds = 30
+ period_seconds = 10
+ timeout_seconds = 5
+ failure_threshold = 3
+ }
+
+ readiness_probe {
+ http_get {
+ path = "/"
+ port = local.port
+ }
+ initial_delay_seconds = 10
+ period_seconds = 5
+ timeout_seconds = 3
+ failure_threshold = 3
+ }
+ }
+ }
+ }
+ }
+}
+
+resource "kubernetes_service" "mcaptcha" {
+ metadata {
+ name = "mcaptcha"
+ namespace = kubernetes_namespace.mcaptcha.metadata[0].name
+ labels = {
+ "app" = "mcaptcha"
+ }
+ }
+
+ spec {
+ selector = {
+ app = "mcaptcha"
+ }
+ port {
+ name = "http"
+ port = 80
+ target_port = local.port
+ }
+ }
+}
+
+module "ingress" {
+ source = "../ingress_factory"
+ namespace = kubernetes_namespace.mcaptcha.metadata[0].name
+ name = "mcaptcha"
+ tls_secret_name = var.tls_secret_name
+}
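Review bot: The `mcaptcha` container receives `cookie_secret`, `captcha_salt` and the PostgreSQL password as literal `env { value = ... }` entries, so all three sit in clear text in the Deployment object and can be read by anything allowed to get deployments or pods in the namespace. Moving them into a `kubernetes_secret` referenced through `value_from { secret_key_ref { ... } }` keeps them out of the pod spec, and wrapping the password in `urlencode()` stops reserved characters in it from changing how `DATABASE_URL` parses. Both images use the mutable `:latest` tag, which the numeric-only `diun.include_tags` pattern does not cover, so pinning a version or digest would make rollouts reproducible and reviewable. The `mcaptcha-redis` Service has no authentication or NetworkPolicy in this file, so it may be reachable from other namespaces unless a policy is defined elsewhere.

```hcl
resource "kubernetes_secret" "mcaptcha" {
  metadata {
    name      = "mcaptcha"
    namespace = kubernetes_namespace.mcaptcha.metadata[0].name
  }

  data = {
    cookie_secret = var.cookie_secret
    captcha_salt  = var.captcha_salt
    database_url  = "postgres://mcaptcha:${urlencode(var.postgresql_password)}@postgresql.dbaas.svc.cluster.local:5432/mcaptcha"
  }
}

# … unchanged: namespace, tls_secret, redis deployment and service …

# inside the mcaptcha container block:
env {
  name = "MCAPTCHA_server_COOKIE_SECRET"
  value_from {
    secret_key_ref {
      name = kubernetes_secret.mcaptcha.metadata[0].name
      key  = "cookie_secret"
    }
  }
}
# … same value_from form for MCAPTCHA_captcha_SALT (captcha_salt) and DATABASE_URL (database_url) …
```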