e4f806abe3
Phase 3+4 of default-deny ingress plan. Replaces the `protected = bool` (default
false → unprotected) variable in `modules/kubernetes/ingress_factory` with
`auth = string` enum (default "required" → fail-closed). Touches every
ingress_factory caller so the audit decision is recorded explicitly in code.
ingress_factory (Phase 3):
- `auth = "required"`: standard Authentik forward-auth (the legacy
`protected = true` semantic).
- `auth = "public"`: forward-auth via the new `authentik-forward-auth-public`
middleware → dedicated public outpost → guest auto-bind. Logged-in users
keep their real identity.
- `auth = "none"`: no Authentik middleware. For Anubis-fronted content, native
client APIs (Git, /v2/, WebDAV), webhook receivers, the Authentik outpost
itself.
- `effective_anti_ai` default flips ON only when `auth = "none"` (auth-gated
ingresses don't need anti-AI noise; the auth flow already discourages bots).
Audit pass (Phase 4) across 96 ingress_factory call sites:
- 49 explicit `protected = true` → `auth = "required"`
- 8 explicit `protected = false` → `auth = "none"` (5) or `auth = "public"` (3)
- 64 previously-default (no protected line) → `auth = "required"` ADDED, then
reviewed individually:
* 9 Anubis-fronted (blog, www, kms, travel, f1, cyberchef, jsoncrack,
homepage, wrongmove UI, privatebin) → `auth = "none"`
* 22 native-client / programmatic surfaces (Forgejo Git+/v2/, webhook
handler, claude-memory MCP, Nextcloud WebDAV, Matrix, Vault CLI/OIDC,
xray VPN, ntfy, woodpecker webhooks, n8n triggers, ntfy push, dawarich
location ingestion, immich frame kiosk, headscale CP, send anonymous
drops, rybbit beacon, vaultwarden API, Authentik UI itself + outposts) →
`auth = "none"`
* Remaining ~33 → `auth = "required"` confirmed (admin tools, internal
UIs, services without app-level auth)
- Smoke-test promotions to `auth = "public"`: fire-planner public UI,
k8s-portal API, insta2spotify callback.
Three call sites in wrapper modules (`stacks/freedify/factory/`,
`stacks/reverse-proxy/modules/reverse_proxy/`) keep their internal `protected`
bool — they translate to `auth` internally, out of scope for this rename.
Behavior change: previously-default ingresses now fail closed (require
Authentik login) unless explicitly flipped to `auth = "none"` or
`auth = "public"`. This is the audit goal — no more accidentally-unprotected
surfaces. Sites that were intentionally public (Anubis content, native APIs,
webhooks) are now explicitly recorded as `auth = "none"`.
Drive-by: `modules/create-vm/main.tf` picked up cosmetic alignment via
`terraform fmt -recursive` during the audit. Behavior-neutral.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
136 lines
3 KiB
HCL
136 lines
3 KiB
HCL
|
|
resource "kubernetes_config_map" "mailserver_config" {
|
|
metadata {
|
|
name = "config"
|
|
namespace = "immich"
|
|
|
|
labels = {
|
|
app = "frame-config"
|
|
}
|
|
annotations = {
|
|
"reloader.stakater.com/match" = "true"
|
|
}
|
|
}
|
|
|
|
data = {
|
|
# Actual mail settings
|
|
"Settings.yml" = <<-EOF
|
|
General:
|
|
Layout: single
|
|
Interval: 10
|
|
ImageZoom: false
|
|
ShowAlbumName: false
|
|
ShowProgressBar: false
|
|
Accounts:
|
|
- ImmichServerUrl: http://immich.viktorbarzin.me
|
|
ApiKey: ${data.vault_kv_secret_v2.secrets.data["frame_api_key"]}
|
|
Albums:
|
|
- 1aa98849-bbd5-452b-aac0-310b210a8597 # china
|
|
EOF
|
|
}
|
|
}
|
|
|
|
|
|
resource "kubernetes_deployment" "immich-frame" {
|
|
metadata {
|
|
name = "immich-frame"
|
|
namespace = "immich"
|
|
annotations = {
|
|
"reloader.stakater.com/search" = "true"
|
|
}
|
|
labels = {
|
|
tier = local.tiers.gpu
|
|
}
|
|
}
|
|
|
|
spec {
|
|
replicas = 1
|
|
selector {
|
|
match_labels = {
|
|
app = "immich-frame"
|
|
}
|
|
}
|
|
strategy {
|
|
type = "RollingUpdate"
|
|
}
|
|
template {
|
|
metadata {
|
|
labels = {
|
|
app = "immich-frame"
|
|
}
|
|
annotations = {
|
|
"dependency.kyverno.io/wait-for" = "immich-server.immich:2283"
|
|
}
|
|
}
|
|
spec {
|
|
container {
|
|
image = "ghcr.io/immichframe/immichframe:v1.0.32.0"
|
|
name = "immich-frame"
|
|
resources {
|
|
requests = {
|
|
cpu = "10m"
|
|
memory = "64Mi"
|
|
}
|
|
limits = {
|
|
memory = "128Mi"
|
|
}
|
|
}
|
|
port {
|
|
container_port = 8080
|
|
protocol = "TCP"
|
|
name = "http"
|
|
}
|
|
volume_mount {
|
|
name = "config"
|
|
mount_path = "/app/Config"
|
|
read_only = true
|
|
}
|
|
}
|
|
volume {
|
|
name = "config"
|
|
config_map {
|
|
name = "config"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
lifecycle {
|
|
# KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
|
|
ignore_changes = [spec[0].template[0].spec[0].dns_config]
|
|
}
|
|
}
|
|
|
|
|
|
resource "kubernetes_service" "immich-frame" {
|
|
metadata {
|
|
name = "immich-frame"
|
|
namespace = "immich"
|
|
labels = {
|
|
"app" = "immich-frame"
|
|
}
|
|
}
|
|
|
|
spec {
|
|
selector = {
|
|
app = "immich-frame"
|
|
}
|
|
port {
|
|
port = 80
|
|
target_port = 8080
|
|
}
|
|
}
|
|
}
|
|
|
|
module "ingress" {
|
|
source = "../../modules/kubernetes/ingress_factory"
|
|
# Photo-frame kiosk display — runs in headless browser mode on a TV/frame
|
|
# device and pulls images via an Immich API key (no user login). Forward-auth
|
|
# would 302 the device to Authentik with no way to complete login.
|
|
auth = "none"
|
|
dns_type = "proxied"
|
|
namespace = "immich"
|
|
name = "highlights-immich"
|
|
tls_secret_name = var.tls_secret_name
|
|
service_name = "immich-frame"
|
|
}
|