ff5538a667
Phase 3+4 of default-deny ingress plan. Replaces the `protected = bool` (default
false → unprotected) variable in `modules/kubernetes/ingress_factory` with
`auth = string` enum (default "required" → fail-closed). Touches every
ingress_factory caller so the audit decision is recorded explicitly in code.
ingress_factory (Phase 3):
- `auth = "required"`: standard Authentik forward-auth (the legacy
`protected = true` semantic).
- `auth = "public"`: forward-auth via the new `authentik-forward-auth-public`
middleware → dedicated public outpost → guest auto-bind. Logged-in users
keep their real identity.
- `auth = "none"`: no Authentik middleware. For Anubis-fronted content, native
client APIs (Git, /v2/, WebDAV), webhook receivers, the Authentik outpost
itself.
- `effective_anti_ai` default flips ON only when `auth = "none"` (auth-gated
ingresses don't need anti-AI noise; the auth flow already discourages bots).
Audit pass (Phase 4) across 96 ingress_factory call sites:
- 49 explicit `protected = true` → `auth = "required"`
- 8 explicit `protected = false` → `auth = "none"` (5) or `auth = "public"` (3)
- 64 previously-default (no protected line) → `auth = "required"` ADDED, then
reviewed individually:
* 9 Anubis-fronted (blog, www, kms, travel, f1, cyberchef, jsoncrack,
homepage, wrongmove UI, privatebin) → `auth = "none"`
* 22 native-client / programmatic surfaces (Forgejo Git+/v2/, webhook
handler, claude-memory MCP, Nextcloud WebDAV, Matrix, Vault CLI/OIDC,
xray VPN, ntfy, woodpecker webhooks, n8n triggers, ntfy push, dawarich
location ingestion, immich frame kiosk, headscale CP, send anonymous
drops, rybbit beacon, vaultwarden API, Authentik UI itself + outposts) →
`auth = "none"`
* Remaining ~33 → `auth = "required"` confirmed (admin tools, internal
UIs, services without app-level auth)
- Smoke-test promotions to `auth = "public"`: fire-planner public UI,
k8s-portal API, insta2spotify callback.
Three call sites in wrapper modules (`stacks/freedify/factory/`,
`stacks/reverse-proxy/modules/reverse_proxy/`) keep their internal `protected`
bool — they translate to `auth` internally, out of scope for this rename.
Behavior change: previously-default ingresses now fail closed (require
Authentik login) unless explicitly flipped to `auth = "none"` or
`auth = "public"`. This is the audit goal — no more accidentally-unprotected
surfaces. Sites that were intentionally public (Anubis content, native APIs,
webhooks) are now explicitly recorded as `auth = "none"`.
Drive-by: `modules/create-vm/main.tf` picked up cosmetic alignment via
`terraform fmt -recursive` during the audit. Behavior-neutral.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
406 lines
10 KiB
HCL
406 lines
10 KiB
HCL
variable "tls_secret_name" {
|
|
type = string
|
|
sensitive = true
|
|
}
|
|
variable "nfs_server" { type = string }
|
|
variable "postgresql_host" { type = string }
|
|
|
|
module "tls_secret" {
|
|
source = "../../modules/kubernetes/setup_tls_secret"
|
|
namespace = kubernetes_namespace.n8n.metadata[0].name
|
|
tls_secret_name = var.tls_secret_name
|
|
}
|
|
|
|
resource "kubernetes_namespace" "n8n" {
|
|
metadata {
|
|
name = "n8n"
|
|
labels = {
|
|
tier = local.tiers.aux
|
|
}
|
|
}
|
|
lifecycle {
|
|
# KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label on every namespace
|
|
ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_manifest" "external_secret" {
|
|
manifest = {
|
|
apiVersion = "external-secrets.io/v1beta1"
|
|
kind = "ExternalSecret"
|
|
metadata = {
|
|
name = "n8n-secrets"
|
|
namespace = "n8n"
|
|
}
|
|
spec = {
|
|
refreshInterval = "15m"
|
|
secretStoreRef = {
|
|
name = "vault-kv"
|
|
kind = "ClusterSecretStore"
|
|
}
|
|
target = {
|
|
name = "n8n-secrets"
|
|
}
|
|
dataFrom = [{
|
|
extract = {
|
|
key = "n8n"
|
|
}
|
|
}]
|
|
}
|
|
}
|
|
depends_on = [kubernetes_namespace.n8n]
|
|
}
|
|
|
|
resource "kubernetes_manifest" "external_secret_claude_agent" {
|
|
manifest = {
|
|
apiVersion = "external-secrets.io/v1beta1"
|
|
kind = "ExternalSecret"
|
|
metadata = {
|
|
name = "claude-agent-token"
|
|
namespace = "n8n"
|
|
}
|
|
spec = {
|
|
refreshInterval = "15m"
|
|
secretStoreRef = {
|
|
name = "vault-kv"
|
|
kind = "ClusterSecretStore"
|
|
}
|
|
target = {
|
|
name = "claude-agent-token"
|
|
}
|
|
data = [{
|
|
secretKey = "api_bearer_token"
|
|
remoteRef = {
|
|
key = "claude-agent-service"
|
|
property = "api_bearer_token"
|
|
}
|
|
}]
|
|
}
|
|
}
|
|
depends_on = [kubernetes_namespace.n8n]
|
|
}
|
|
|
|
# Shared secrets for the Immich → Telegram → Postiz Instagram pipeline.
|
|
# Workflows in stacks/n8n/workflows/instagram-*.json reference these env vars.
|
|
resource "kubernetes_manifest" "external_secret_instagram_pipeline" {
|
|
manifest = {
|
|
apiVersion = "external-secrets.io/v1beta1"
|
|
kind = "ExternalSecret"
|
|
metadata = {
|
|
name = "instagram-pipeline-secrets"
|
|
namespace = "n8n"
|
|
}
|
|
spec = {
|
|
refreshInterval = "15m"
|
|
secretStoreRef = {
|
|
name = "vault-kv"
|
|
kind = "ClusterSecretStore"
|
|
}
|
|
target = {
|
|
name = "instagram-pipeline-secrets"
|
|
}
|
|
data = [
|
|
{
|
|
secretKey = "telegram_bot_token"
|
|
remoteRef = { key = "instagram-poster", property = "telegram_bot_token" }
|
|
},
|
|
{
|
|
secretKey = "telegram_chat_id"
|
|
remoteRef = { key = "instagram-poster", property = "telegram_chat_id" }
|
|
},
|
|
{
|
|
secretKey = "immich_api_key"
|
|
remoteRef = { key = "instagram-poster", property = "immich_api_key" }
|
|
},
|
|
]
|
|
}
|
|
}
|
|
depends_on = [kubernetes_namespace.n8n]
|
|
}
|
|
|
|
resource "kubernetes_persistent_volume_claim" "data_encrypted" {
|
|
wait_until_bound = false
|
|
metadata {
|
|
name = "n8n-data-encrypted"
|
|
namespace = kubernetes_namespace.n8n.metadata[0].name
|
|
annotations = {
|
|
"resize.topolvm.io/threshold" = "80%"
|
|
"resize.topolvm.io/increase" = "100%"
|
|
"resize.topolvm.io/storage_limit" = "5Gi"
|
|
}
|
|
}
|
|
spec {
|
|
access_modes = ["ReadWriteOnce"]
|
|
storage_class_name = "proxmox-lvm-encrypted"
|
|
resources {
|
|
requests = {
|
|
storage = "1Gi"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
# --- RBAC: Allow n8n to exec into OpenClaw pods for task execution ---
|
|
|
|
resource "kubernetes_service_account" "n8n" {
|
|
metadata {
|
|
name = "n8n"
|
|
namespace = kubernetes_namespace.n8n.metadata[0].name
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_role" "n8n_openclaw_exec" {
|
|
metadata {
|
|
name = "n8n-openclaw-exec"
|
|
namespace = "openclaw"
|
|
}
|
|
rule {
|
|
api_groups = [""]
|
|
resources = ["pods"]
|
|
verbs = ["get", "list"]
|
|
}
|
|
rule {
|
|
api_groups = [""]
|
|
resources = ["pods/exec"]
|
|
verbs = ["create"]
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_role_binding" "n8n_openclaw_exec" {
|
|
metadata {
|
|
name = "n8n-openclaw-exec"
|
|
namespace = "openclaw"
|
|
}
|
|
subject {
|
|
kind = "ServiceAccount"
|
|
name = kubernetes_service_account.n8n.metadata[0].name
|
|
namespace = kubernetes_namespace.n8n.metadata[0].name
|
|
}
|
|
role_ref {
|
|
api_group = "rbac.authorization.k8s.io"
|
|
kind = "Role"
|
|
name = kubernetes_role.n8n_openclaw_exec.metadata[0].name
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_deployment" "n8n" {
|
|
metadata {
|
|
name = "n8n"
|
|
namespace = kubernetes_namespace.n8n.metadata[0].name
|
|
labels = {
|
|
app = "n8n"
|
|
tier = local.tiers.aux
|
|
}
|
|
annotations = {
|
|
"reloader.stakater.com/auto" = "true"
|
|
}
|
|
}
|
|
spec {
|
|
replicas = 1
|
|
strategy {
|
|
type = "Recreate"
|
|
}
|
|
selector {
|
|
match_labels = {
|
|
app = "n8n"
|
|
}
|
|
}
|
|
template {
|
|
metadata {
|
|
labels = {
|
|
app = "n8n"
|
|
}
|
|
annotations = {
|
|
"diun.enable" = "true"
|
|
"diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$"
|
|
"dependency.kyverno.io/wait-for" = "postgresql.dbaas:5432"
|
|
}
|
|
}
|
|
spec {
|
|
service_account_name = kubernetes_service_account.n8n.metadata[0].name
|
|
container {
|
|
name = "n8n"
|
|
image = "docker.n8n.io/n8nio/n8n:1.80.0"
|
|
env {
|
|
name = "N8N_PORT"
|
|
value = "5678"
|
|
}
|
|
env {
|
|
name = "DB_TYPE"
|
|
value = "postgresdb"
|
|
}
|
|
env {
|
|
name = "DB_POSTGRESDB_DATABASE"
|
|
value = "n8n"
|
|
}
|
|
env {
|
|
name = "DB_POSTGRESDB_HOST"
|
|
value = var.postgresql_host
|
|
}
|
|
env {
|
|
name = "DB_POSTGRESDB_PORT"
|
|
value = "5432"
|
|
}
|
|
env {
|
|
name = "DB_POSTGRESDB_USER"
|
|
value = "n8n"
|
|
}
|
|
env {
|
|
name = "DB_POSTGRESDB_PASSWORD"
|
|
value_from {
|
|
secret_key_ref {
|
|
name = "n8n-secrets"
|
|
key = "db_password"
|
|
}
|
|
}
|
|
}
|
|
env {
|
|
name = "GENERIC_TIMEZONE"
|
|
value = "Europe/Sofia"
|
|
}
|
|
env {
|
|
name = "TZ"
|
|
value = "Europe/Sofia"
|
|
}
|
|
env {
|
|
name = "DOMAIN_NAME"
|
|
value = "viktorbarzin.me"
|
|
}
|
|
env {
|
|
name = "DOMAIN_NAME"
|
|
value = "n8n"
|
|
}
|
|
env {
|
|
name = "N8N_EDITOR_BASE_URL"
|
|
value = "https://n8n.viktorbarzin.me"
|
|
}
|
|
env {
|
|
name = "WEBHOOK_URL"
|
|
value = "https://n8n.viktorbarzin.me"
|
|
}
|
|
env {
|
|
name = "CLAUDE_AGENT_API_TOKEN"
|
|
value_from {
|
|
secret_key_ref {
|
|
name = "claude-agent-token"
|
|
key = "api_bearer_token"
|
|
}
|
|
}
|
|
}
|
|
env {
|
|
name = "N8N_BLOCK_ENV_ACCESS_IN_NODE"
|
|
value = "false"
|
|
}
|
|
# Instagram pipeline env (consumed by workflows in
|
|
# stacks/n8n/workflows/instagram-*.json).
|
|
env {
|
|
name = "TELEGRAM_BOT_TOKEN"
|
|
value_from {
|
|
secret_key_ref {
|
|
name = "instagram-pipeline-secrets"
|
|
key = "telegram_bot_token"
|
|
}
|
|
}
|
|
}
|
|
env {
|
|
name = "TELEGRAM_CHAT_ID"
|
|
value_from {
|
|
secret_key_ref {
|
|
name = "instagram-pipeline-secrets"
|
|
key = "telegram_chat_id"
|
|
}
|
|
}
|
|
}
|
|
env {
|
|
name = "IMMICH_API_KEY"
|
|
value_from {
|
|
secret_key_ref {
|
|
name = "instagram-pipeline-secrets"
|
|
key = "immich_api_key"
|
|
}
|
|
}
|
|
}
|
|
env {
|
|
name = "IMMICH_BASE_URL"
|
|
value = "https://immich.viktorbarzin.me"
|
|
}
|
|
env {
|
|
name = "INSTAGRAM_POSTER_INTERNAL_URL"
|
|
value = "http://instagram-poster.instagram-poster.svc.cluster.local"
|
|
}
|
|
env {
|
|
name = "PUBLIC_INSTAGRAM_POSTER_URL"
|
|
value = "https://instagram-poster.viktorbarzin.me"
|
|
}
|
|
volume_mount {
|
|
name = "data"
|
|
mount_path = "/home/node/.n8n"
|
|
}
|
|
port {
|
|
name = "http"
|
|
container_port = 5678
|
|
protocol = "TCP"
|
|
}
|
|
resources {
|
|
requests = {
|
|
cpu = "25m"
|
|
memory = "1Gi"
|
|
}
|
|
limits = {
|
|
memory = "1Gi"
|
|
}
|
|
}
|
|
}
|
|
volume {
|
|
name = "data"
|
|
persistent_volume_claim {
|
|
claim_name = kubernetes_persistent_volume_claim.data_encrypted.metadata[0].name
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
lifecycle {
|
|
# KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
|
|
ignore_changes = [spec[0].template[0].spec[0].dns_config]
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_service" "n8n" {
|
|
metadata {
|
|
name = "n8n"
|
|
namespace = kubernetes_namespace.n8n.metadata[0].name
|
|
labels = {
|
|
"app" = "n8n"
|
|
}
|
|
}
|
|
|
|
spec {
|
|
selector = {
|
|
app = "n8n"
|
|
}
|
|
port {
|
|
port = "80"
|
|
target_port = "5678"
|
|
}
|
|
}
|
|
}
|
|
module "ingress" {
|
|
source = "../../modules/kubernetes/ingress_factory"
|
|
# n8n hosts webhook endpoints at /webhook/... (WEBHOOK_URL points here);
|
|
# external services POST to trigger workflows. Forward-auth would block
|
|
# every webhook trigger. n8n has its own user login + per-webhook auth.
|
|
auth = "none"
|
|
dns_type = "proxied"
|
|
namespace = kubernetes_namespace.n8n.metadata[0].name
|
|
name = "n8n"
|
|
tls_secret_name = var.tls_secret_name
|
|
extra_annotations = {
|
|
"gethomepage.dev/enabled" = "true"
|
|
"gethomepage.dev/name" = "n8n"
|
|
"gethomepage.dev/description" = "Workflow automation"
|
|
"gethomepage.dev/icon" = "n8n.png"
|
|
"gethomepage.dev/group" = "Automation"
|
|
"gethomepage.dev/pod-selector" = ""
|
|
}
|
|
}
|