ff5538a667
Phase 3+4 of default-deny ingress plan. Replaces the `protected = bool` (default
false → unprotected) variable in `modules/kubernetes/ingress_factory` with
`auth = string` enum (default "required" → fail-closed). Touches every
ingress_factory caller so the audit decision is recorded explicitly in code.
ingress_factory (Phase 3):
- `auth = "required"`: standard Authentik forward-auth (the legacy
`protected = true` semantic).
- `auth = "public"`: forward-auth via the new `authentik-forward-auth-public`
middleware → dedicated public outpost → guest auto-bind. Logged-in users
keep their real identity.
- `auth = "none"`: no Authentik middleware. For Anubis-fronted content, native
client APIs (Git, /v2/, WebDAV), webhook receivers, the Authentik outpost
itself.
- `effective_anti_ai` default flips ON only when `auth = "none"` (auth-gated
ingresses don't need anti-AI noise; the auth flow already discourages bots).
Audit pass (Phase 4) across 96 ingress_factory call sites:
- 49 explicit `protected = true` → `auth = "required"`
- 8 explicit `protected = false` → `auth = "none"` (5) or `auth = "public"` (3)
- 64 previously-default (no protected line) → `auth = "required"` ADDED, then
reviewed individually:
* 9 Anubis-fronted (blog, www, kms, travel, f1, cyberchef, jsoncrack,
homepage, wrongmove UI, privatebin) → `auth = "none"`
* 22 native-client / programmatic surfaces (Forgejo Git+/v2/, webhook
handler, claude-memory MCP, Nextcloud WebDAV, Matrix, Vault CLI/OIDC,
xray VPN, ntfy, woodpecker webhooks, n8n triggers, ntfy push, dawarich
location ingestion, immich frame kiosk, headscale CP, send anonymous
drops, rybbit beacon, vaultwarden API, Authentik UI itself + outposts) →
`auth = "none"`
* Remaining ~33 → `auth = "required"` confirmed (admin tools, internal
UIs, services without app-level auth)
- Smoke-test promotions to `auth = "public"`: fire-planner public UI,
k8s-portal API, insta2spotify callback.
Three call sites in wrapper modules (`stacks/freedify/factory/`,
`stacks/reverse-proxy/modules/reverse_proxy/`) keep their internal `protected`
bool — they translate to `auth` internally, out of scope for this rename.
Behavior change: previously-default ingresses now fail closed (require
Authentik login) unless explicitly flipped to `auth = "none"` or
`auth = "public"`. This is the audit goal — no more accidentally-unprotected
surfaces. Sites that were intentionally public (Anubis content, native APIs,
webhooks) are now explicitly recorded as `auth = "none"`.
Drive-by: `modules/create-vm/main.tf` picked up cosmetic alignment via
`terraform fmt -recursive` during the audit. Behavior-neutral.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
||
|---|---|---|
| .. | ||
| files | ||
| main.tf | ||
| README.md | ||
| terragrunt.hcl | ||
chrome-service
In-cluster headed Chromium exposed over Playwright's WebSocket protocol.
Sibling services drive it instead of running their own in-process browser
— useful when the upstream tries to detect headless mode (e.g. hmembeds'
disable-devtool.js redirect-to-google trap).
Connect
from playwright.async_api import async_playwright
WS_URL = "ws://chrome-service.chrome-service.svc.cluster.local:3000"
WS_TOKEN = os.environ["CHROME_WS_TOKEN"] # 32-byte URL-safe random
async with async_playwright() as p:
browser = await p.chromium.connect(f"{WS_URL}/{WS_TOKEN}", timeout=15_000)
context = await browser.new_context()
await context.add_init_script(STEALTH_JS) # see files/stealth.js
page = await context.new_page()
...
await browser.close()
The token comes from Vault KV secret/chrome-service.api_bearer_token,
which ESO syncs into a per-namespace K8s Secret in each caller stack
(see f1-stream's chrome-service-client-secrets).
Add a new caller
- Label the caller's namespace so the chrome-service NetworkPolicy
admits it:
resource "kubernetes_namespace" "<ns>" { metadata { labels = { "chrome-service.viktorbarzin.me/client" = "true" } } } - Add an ExternalSecret in the caller stack pulling the token:
resource "kubernetes_manifest" "chrome_token" { manifest = { apiVersion = "external-secrets.io/v1beta1" kind = "ExternalSecret" metadata = { name = "chrome-service-client-secrets", namespace = "<ns>" } spec = { refreshInterval = "15m" secretStoreRef = { name = "vault-kv", kind = "ClusterSecretStore" } target = { name = "chrome-service-client-secrets" } dataFrom = [{ extract = { key = "chrome-service" } }] } } } - Inject
CHROME_WS_URL+CHROME_WS_TOKENinto the caller's pod env. Usesecret_key_reffor the token; the URL is a plain value. - Vendor
stealth.jsinto the caller (or just paste — it's ~40 lines) and apply viaawait context.add_init_script(STEALTH_JS)after everynew_context(). Without it, hmembeds-class anti-bot still trips.
Image pin
Both the server image (mcr.microsoft.com/playwright:v1.48.0-noble in
main.tf) and the client (playwright==1.48.0 in callers' requirements)
must match minor-versions. Bump in lockstep — Playwright protocol changes
between minors.
Operations
- Storage: encrypted PVC at
/profilefor cookies + npm cache. Ephemeral contexts (browser.new_context()) bypass the profile; persistent contexts share it. Backed up tar+gzip every 6h to/srv/nfs/chrome-service-backup/, 30-day retention. - Probes: TCP/3000. Playwright run-server has no HTTP
/health; a TCP open is the only liveness signal available without spinning a browser. - Health page: visit
https://chrome.viktorbarzin.me(Authentik-gated) to confirm the pod is up. The WS port stays internal-only. - Token rotation:
vault kv put secret/chrome-service api_bearer_token=$(python3 -c 'import secrets; print(secrets.token_urlsafe(32))'). Reloader cascades the rotation to both the server pod and any caller whose secret has thereloader.stakater.com/auto = "true"annotation.
Why headed (Xvfb) instead of headless?
disable-devtool.js and similar libraries detect navigator.webdriver,
console-clear timing, and the HeadlessChromium/... user-agent suffix.
Running headed inside Xvfb :99 reports as a normal Chromium, and the
stealth init script handles the JS-visible giveaways.