2 Commits

Author SHA1 Message Date
Will Anderson 627d448f6f fix ci-base: install Node 20 via binary tarball instead of nodesource apt
nodesource setup_20.x on Ubuntu 24.04 installs Ubuntu's nodejs 18 (no npm)
instead of Node 20. Binary tarball is reliable and includes npm.
2026-05-04 15:48:12 -05:00
Will Anderson baae9b289a fix: drop bogus letsencrypt certResolver from dharma IngressRoute
Traefik has no certificate resolver named 'letsencrypt' configured (this
cluster terminates TLS at Cloudflare and uses Traefik's default cert via
the websecure entrypoint, matching every other neuron-prod IngressRoute).

The invalid certResolver caused Traefik to refuse the router with:
  ERR Router uses a nonexistent certificate resolver
    certificateResolver=letsencrypt routerName=neuron-prod-dharma-...

so requests to dharma.neurontechnologies.ai/health surfaced as 502 from
Cloudflare even though the dharma pod was healthy on :8765.
2026-05-04 14:37:32 -05:00
-42
View File
@@ -1,42 +0,0 @@
# Cloudflare Zero Trust Access — git.neuralplatform.ai (Gitea)
#
# The Gitea Access application itself is currently managed in the Cloudflare
# dashboard, NOT in Terraform. This file only manages the *service token* the
# Gitea Actions runners use to authenticate through CF Access while still
# keeping the human Google-OAuth gate for browser users.
#
# Why not import the application here?
# - Importing the existing dashboard app risks drifting the human-auth
# policy (Google IdP, allowed emails) which is settled and working.
# - Service tokens can be added to a dashboard-managed app without
# importing the app itself; the token resource lives at the account
# level and is referenced from a policy.
# - We pay only the cost we need to. If we later want all Access apps
# in TF we can do a focused import pass.
#
# After `terraform apply` produces the token id/secret, Will must:
# 1. Run `vault kv put secret/gitea-runner-cf-access ...` (see outputs).
# 2. In the Cloudflare dashboard, edit the existing "Gitea" Access
# application's policies and add a new policy:
# Action: Service Auth (decision = non_identity)
# Include: Service Token = "gitea-runner"
# This grants the service token bypass through CF Access on
# git.neuralplatform.ai without changing the human-auth flow.
resource "cloudflare_zero_trust_access_service_token" "gitea_runner" {
account_id = var.cloudflare_account_id
name = "gitea-runner"
# Default duration is "8760h" (1 year). Rotate via re-apply when needed.
duration = "forever"
}
output "gitea_runner_cf_access_client_id" {
description = "CF Access service token client ID for the Gitea Actions runner. Store in Vault at secret/gitea-runner-cf-access."
value = cloudflare_zero_trust_access_service_token.gitea_runner.client_id
}
output "gitea_runner_cf_access_client_secret" {
description = "CF Access service token client secret. Store in Vault at secret/gitea-runner-cf-access. Only emitted at creation time."
value = cloudflare_zero_trust_access_service_token.gitea_runner.client_secret
sensitive = true
}