viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/stacks/linkwarden/main.tf
Viktor Barzin 459b00fa74 infra/ingress_factory: add auth = "app" mode for self-authed backends 
Adds a fourth auth tier alongside required/public/none. "app" is
functionally identical to "none" — no Authentik middleware attached —
but the distinct name records intent at the call site: this backend
has its own user login (NextAuth, Django, OAuth, bearer-token API,
etc.) and Authentik would only break it.

Why the new tier: with only required/none, every "the app has its
own auth so drop Authentik" decision looked identical at the call
site to "this is an OAuth callback / webhook receiver / native-client
API". Future readers couldn't tell whether a stack was intentionally
unauthenticated or relying on backend auth. Now they can.

Migrates the 8 stacks flipped earlier this session (novelapp, immich,
linkwarden, tandoor, freshrss, affine, actualbudget, ebooks/audiobookshelf)
from "none" to "app". Confirmed no-op: `tg plan` on novelapp showed
"No changes" — same middleware chain, same live state.

The variable description and the .claude/CLAUDE.md Auth section now
spell out the anti-exposure rule: only pick "app" or "none" AFTER
verifying the app has its own user auth ("app") or the endpoint is
intentionally public ("none"). Default stays "required" so accidental
omission fails closed.

[ci skip]
2026-05-11 18:59:20 +00:00

251 lines
6.4 KiB
HCL
Raw Blame History

variable "tls_secret_name" {
type = string
sensitive = true
}
variable "postgresql_host" { type = string }
data "vault_kv_secret_v2" "secrets" {
mount = "secret"
name = "linkwarden"
}
locals {
homepage_credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["homepage_credentials"])
}
resource "kubernetes_namespace" "linkwarden" {
metadata {
name = "linkwarden"
labels = {
tier = local.tiers.aux
}
}
lifecycle {
# KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label on every namespace
ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
}
}
resource "kubernetes_manifest" "external_secret" {
manifest = {
apiVersion = "external-secrets.io/v1beta1"
kind = "ExternalSecret"
metadata = {
name = "linkwarden-secrets"
namespace = "linkwarden"
}
spec = {
refreshInterval = "15m"
secretStoreRef = {
name = "vault-kv"
kind = "ClusterSecretStore"
}
target = {
name = "linkwarden-secrets"
}
dataFrom = [{
extract = {
key = "linkwarden"
}
}]
}
}
depends_on = [kubernetes_namespace.linkwarden]
}
# DB credentials from Vault database engine (rotated every 24h)
resource "kubernetes_manifest" "db_external_secret" {
manifest = {
apiVersion = "external-secrets.io/v1beta1"
kind = "ExternalSecret"
metadata = {
name = "linkwarden-db-creds"
namespace = "linkwarden"
}
spec = {
refreshInterval = "15m"
secretStoreRef = {
name = "vault-database"
kind = "ClusterSecretStore"
}
target = {
name = "linkwarden-db-creds"
template = {
metadata = {
annotations = {
"reloader.stakater.com/match" = "true"
}
}
data = {
DATABASE_URL = "postgresql://linkwarden:{{ .password }}@${var.postgresql_host}:5432/linkwarden"
DB_PASSWORD = "{{ .password }}"
}
}
}
data = [{
secretKey = "password"
remoteRef = {
key = "static-creds/pg-linkwarden"
property = "password"
}
}]
}
}
depends_on = [kubernetes_namespace.linkwarden]
}
module "tls_secret" {
source = "../../modules/kubernetes/setup_tls_secret"
namespace = kubernetes_namespace.linkwarden.metadata[0].name
tls_secret_name = var.tls_secret_name
}
resource "random_string" "secret" {
length = 32
special = true
override_special = "/@£$"
}
resource "kubernetes_deployment" "linkwarden" {
metadata {
name = "linkwarden"
namespace = kubernetes_namespace.linkwarden.metadata[0].name
labels = {
app = "linkwarden"
tier = local.tiers.aux
}
annotations = {
"reloader.stakater.com/search" = "true"
}
}
spec {
replicas = 1
selector {
match_labels = {
app = "linkwarden"
}
}
template {
metadata {
labels = {
app = "linkwarden"
}
annotations = {
"diun.enable" = "true"
"diun.include_tags" = "^v?\\d+\\.\\d+\\.\\d+$"
"dependency.kyverno.io/wait-for" = "postgresql.dbaas:5432"
}
}
spec {
container {
image = "ghcr.io/linkwarden/linkwarden:v2.14.0"
name = "linkwarden"
port {
container_port = 3000
}
env {
name = "DATABASE_URL"
value_from {
secret_key_ref {
name = "linkwarden-db-creds"
key = "DATABASE_URL"
}
}
}
env {
name = "NEXT_PUBLIC_AUTHENTIK_ENABLED"
value = "true"
}
env {
name = "NEXTAUTH_SECRET"
value = random_string.secret.result
}
env {
name = "NEXTAUTH_URL"
value = "https://linkwarden.viktorbarzin.me/api/v1/auth"
}
env {
name = "AUTHENTIK_ISSUER"
value = "https://authentik.viktorbarzin.me/application/o/linkwarden"
}
env {
name = "AUTHENTIK_CLIENT_ID"
value_from {
secret_key_ref {
name = "linkwarden-secrets"
key = "authentik_client_id"
}
}
}
env {
name = "AUTHENTIK_CLIENT_SECRET"
value_from {
secret_key_ref {
name = "linkwarden-secrets"
key = "authentik_client_secret"
}
}
}
resources {
requests = {
cpu = "50m"
memory = "1Gi"
}
limits = {
memory = "1Gi"
}
}
}
}
}
}
lifecycle {
# KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
ignore_changes = [spec[0].template[0].spec[0].dns_config]
}
}
resource "kubernetes_service" "linkwarden" {
metadata {
name = "linkwarden"
namespace = kubernetes_namespace.linkwarden.metadata[0].name
labels = {
app = "linkwarden"
}
}
spec {
selector = {
app = "linkwarden"
}
port {
name = "linkwarden"
port = 80
target_port = 3000
}
}
}
module "ingress" {
source = "../../modules/kubernetes/ingress_factory"
# auth = "app": Linkwarden uses NextAuth (NEXTAUTH_SECRET/URL set above)
# and exposes /api/* for its mobile clients. Authentik forward-auth would
# 302 those callers; app-level NextAuth gates users.
auth = "app"
dns_type = "proxied"
namespace = kubernetes_namespace.linkwarden.metadata[0].name
name = "linkwarden"
tls_secret_name = var.tls_secret_name
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Linkwarden"
"gethomepage.dev/description" = "Bookmark manager"
"gethomepage.dev/icon" = "linkwarden.png"
"gethomepage.dev/group" = "Productivity"
"gethomepage.dev/pod-selector" = ""
"gethomepage.dev/widget.type" = "linkwarden"
"gethomepage.dev/widget.url" = "http://linkwarden.linkwarden.svc.cluster.local"
"gethomepage.dev/widget.key" = local.homepage_credentials["linkwarden"]["api_key"]
}
}
Reference in a new issue View git blame Copy permalink