Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 2acf886d9f | |||
| cbb564ccf5 | |||
| be0508037a | |||
| 6f5d041440 |
@@ -0,0 +1,42 @@
|
||||
# Cloudflare Zero Trust Access — git.neuralplatform.ai (Gitea)
|
||||
#
|
||||
# The Gitea Access application itself is currently managed in the Cloudflare
|
||||
# dashboard, NOT in Terraform. This file only manages the *service token* the
|
||||
# Gitea Actions runners use to authenticate through CF Access while still
|
||||
# keeping the human Google-OAuth gate for browser users.
|
||||
#
|
||||
# Why not import the application here?
|
||||
# - Importing the existing dashboard app risks drifting the human-auth
|
||||
# policy (Google IdP, allowed emails) which is settled and working.
|
||||
# - Service tokens can be added to a dashboard-managed app without
|
||||
# importing the app itself; the token resource lives at the account
|
||||
# level and is referenced from a policy.
|
||||
# - We pay only the cost we need to. If we later want all Access apps
|
||||
# in TF we can do a focused import pass.
|
||||
#
|
||||
# After `terraform apply` produces the token id/secret, Will must:
|
||||
# 1. Run `vault kv put secret/gitea-runner-cf-access ...` (see outputs).
|
||||
# 2. In the Cloudflare dashboard, edit the existing "Gitea" Access
|
||||
# application's policies and add a new policy:
|
||||
# Action: Service Auth (decision = non_identity)
|
||||
# Include: Service Token = "gitea-runner"
|
||||
# This grants the service token bypass through CF Access on
|
||||
# git.neuralplatform.ai without changing the human-auth flow.
|
||||
|
||||
resource "cloudflare_zero_trust_access_service_token" "gitea_runner" {
|
||||
account_id = var.cloudflare_account_id
|
||||
name = "gitea-runner"
|
||||
# Default duration is "8760h" (1 year). Rotate via re-apply when needed.
|
||||
duration = "forever"
|
||||
}
|
||||
|
||||
output "gitea_runner_cf_access_client_id" {
|
||||
description = "CF Access service token client ID for the Gitea Actions runner. Store in Vault at secret/gitea-runner-cf-access."
|
||||
value = cloudflare_zero_trust_access_service_token.gitea_runner.client_id
|
||||
}
|
||||
|
||||
output "gitea_runner_cf_access_client_secret" {
|
||||
description = "CF Access service token client secret. Store in Vault at secret/gitea-runner-cf-access. Only emitted at creation time."
|
||||
value = cloudflare_zero_trust_access_service_token.gitea_runner.client_secret
|
||||
sensitive = true
|
||||
}
|
||||
@@ -29,11 +29,13 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
zstd \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# Node.js 20 LTS — required to execute Forgejo JS actions (checkout, upload-artifact, cache, etc.)
|
||||
RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
|
||||
&& apt-get install -y nodejs \
|
||||
&& npm install -g yarn \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
# Node.js 20 LTS via binary tarball (nodesource apt repo is unreliable on Ubuntu 24.04)
|
||||
RUN NODE_VERSION=20.19.1 \
|
||||
&& curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz" \
|
||||
| tar -xJ -C /usr/local --strip-components=1 \
|
||||
&& node --version \
|
||||
&& npm --version \
|
||||
&& npm install -g yarn
|
||||
|
||||
# Python 3 + pip + venv
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
||||
@@ -14,5 +14,6 @@ spec:
|
||||
services:
|
||||
- name: dharma
|
||||
port: 8765
|
||||
tls:
|
||||
certResolver: letsencrypt
|
||||
# TLS terminates at Cloudflare; tunnel reaches Traefik with noTLSVerify.
|
||||
# Traefik websecure entrypoint has its own default cert (no resolver
|
||||
# configured in this cluster), matching every other neuron-prod IngressRoute.
|
||||
|
||||
Reference in New Issue
Block a user