arcodange-org/webapp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: arcodange-org:84621ce12e2badabf6ce60b50d53cfe231baeb49
Branches Tags
arcodange-org:main
..
compare: arcodange-org:main
Branches Tags
arcodange-org:main

7 Commits
84621ce12e ... main

Author SHA1 Message Date
Gabriel Radureau
ca2800a5c9 try accepting self signed cert
All checks were successful
Docker Build / build-and-push-image (push) Successful in 1m32s
Details
2026-01-02 19:09:29 +01:00
Gabriel Radureau
9761996957 switch from duckdns.org to internal .lab dns
All checks were successful
Docker Build / build-and-push-image (push) Successful in 53s
Details
2026-01-01 15:03:06 +01:00
Gabriel Radureau
23c38fc813 allow both duckdns.org and .fr domains
All checks were successful
Docker Build / build-and-push-image (push) Successful in 4m25s
Details
2025-12-18 10:58:08 +01:00
Gabriel Radureau
1d3db54909 cloudflared webapp 2025-11-29 13:29:59 +01:00
Gabriel Radureau
70077c1956 update public ip - todo: replace with crowdsec middleware 2025-11-27 18:59:23 +01:00
Gabriel Radureau
cbceac786d log denied forwardedIp
All checks were successful
Docker Build / build-and-push-image (push) Successful in 1m31s
Details
2025-08-27 19:53:38 +02:00
Gabriel Radureau
ae3eed3ff8 temporary fix: hardcode allowed ip instead of using traefik middleware 2025-08-07 15:33:38 +02:00
8 changed files with 92 additions and 41 deletions
Expand all files Collapse all files

6
.gitea/workflows/dockerimage.yaml
View File

@@ -23,7 +23,7 @@ jobs:
- name: Login to Gitea Container Registry
uses: docker/login-action@v3
with:
registry: gitea.arcodange.duckdns.org
registry: gitea.arcodange.lab
username: ${{ github.actor }}
password: ${{ secrets.PACKAGES_TOKEN }}
@@ -35,7 +35,7 @@ jobs:
TAGS="latest ${{ github.ref_name }}"
docker build -t app .
for TAG in $TAGS; do
docker tag app gitea.arcodange.duckdns.org/${{ github.repository }}:$TAG
docker push gitea.arcodange.duckdns.org/${{ github.repository }}:$TAG
docker tag app gitea.arcodange.lab/${{ github.repository }}:$TAG
docker push gitea.arcodange.lab/${{ github.repository }}:$TAG
done

12
.gitea/workflows/vault.yaml
View File

@@ -16,10 +16,11 @@ concurrency:
.vault_step: &vault_step
name: read vault secret
uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main
uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
id: vault-secrets
with:
url: https://vault.arcodange.duckdns.org
url: https://vault.arcodange.lab
caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
role: gitea_cicd_webapp
method: jwt
@@ -30,7 +31,7 @@ concurrency:
jobs:
gitea_vault_auth:
name: Auth with gitea for vault
runs-on: ubuntu-latest
runs-on: ubuntu-latest-ca
outputs:
gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
steps:
@@ -44,13 +45,16 @@ jobs:
name: Tofu - Vault
needs:
- gitea_vault_auth
runs-on: ubuntu-latest
runs-on: ubuntu-latest-ca
env:
OPENTOFU_VERSION: 1.8.2
TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
steps:
- *vault_step
- uses: actions/checkout@v4
- name: prepare vault self signed cert
run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
- name: terraform apply
uses: dflook/terraform-apply@v1
with:

4
chart/templates/config.yaml
View File

@@ -4,7 +4,7 @@ metadata:
name: {{ include "webapp.name" . }}-config
namespace: {{ .Release.Namespace }}
data:
OAUTH_ALLOWED_HOST: webapp.arcodange.duckdns.org
OAUTH_DEVICE_CODE_ALLOWED_IPS: 90.16.102.250,
OAUTH_ALLOWED_HOSTS: webapp.arcodange.lab,webapp.arcodange.fr
# OAUTH_DEVICE_CODE_ALLOWED_IPS: 86.238.234.54,
DATABASE_URL: postgres://pgbouncer_auth:pgbouncer_auth@pgbouncer.tools/postgres?sslmode=disable
# DATABASE_URL: postgres://username:password@localhost/dbname?sslmode=disable

25
chart/templates/localIngress.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
argocd.argoproj.io/tracking-id: webapp:networking.k8s.io/Ingress:webapp/webapp
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: localIp@file
traefik.ingress.kubernetes.io/router.tls: 'true'
traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
traefik.ingress.kubernetes.io/router.tls.domains.0.sans: webapp.arcodange.lab
name: webapp-local
namespace: webapp
spec:
rules:
- host: webapp.arcodange.lab
http:
paths:
- backend:
service:
name: webapp
port:
number: 8080
path: /
pathType: Prefix

29
chart/values.yaml
View File

@@ -5,7 +5,7 @@
replicaCount: 1
image:
repository: gitea.arcodange.duckdns.org/arcodange-org/webapp
repository: gitea.arcodange.lab/arcodange-org/webapp
pullPolicy: Always
# Overrides the image tag whose default is the chart appVersion.
tag: ""
@@ -47,18 +47,31 @@ ingress:
enabled: true
className: ""
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.duckdns.org
traefik.ingress.kubernetes.io/router.tls.domains.0.sans: webapp.arcodange.duckdns.org
traefik.ingress.kubernetes.io/router.middlewares: localIp@file
traefik.ingress.kubernetes.io/router.entrypoints: web
traefik.ingress.kubernetes.io/router.middlewares: kube-system-crowdsec@kubernetescrd
hosts:
- host: webapp.arcodange.duckdns.org
- host: webapp.arcodange.fr
paths:
- path: /
pathType: Prefix
tls: []
# ingress:
# enabled: true
# className: ""
# annotations:
# traefik.ingress.kubernetes.io/router.entrypoints: websecure
# traefik.ingress.kubernetes.io/router.tls: "true"
# traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
# traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
# traefik.ingress.kubernetes.io/router.tls.domains.0.sans: webapp.arcodange.lab
# traefik.ingress.kubernetes.io/router.middlewares: localIp@file
# hosts:
# - host: webapp.arcodange.lab
# paths:
# - path: /
# pathType: Prefix
# tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local

2
go.mod
View File

@@ -1,4 +1,4 @@
module gitea.arcodange.duckdns.org/arcodange-org/webapp
module gitea.arcodange.lab/arcodange-org/webapp
go 1.23

2
iac/providers.tf
View File

@@ -8,7 +8,7 @@ terraform {
}
provider vault {
address = "https://vault.arcodange.duckdns.org"
address = "https://vault.arcodange.lab"
auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
mount = "gitea_jwt"
role = "gitea_cicd_webapp"

27
main.go
View File

@@ -21,8 +21,11 @@ import (
var (
db *sql.DB // Global database connection
c = cache.New(5*time.Minute, 10*time.Minute)
oauthAllowedHost = os.Getenv("OAUTH_ALLOWED_HOST") // URL authorized for device code
oauthAllowedHosts = strings.Split(os.Getenv("OAUTH_ALLOWED_HOSTS"), ",") // authorized HOSTS for device code
oauthDeviceCodeAllowedIPs = strings.Split(os.Getenv("OAUTH_DEVICE_CODE_ALLOWED_IPS"), ",") // IPS autorisées pour /retrieve
_, localNetwork, _ = net.ParseCIDR("192.168.0.0/16")
_, localNetworkIPV6, _ = net.ParseCIDR("2a01:cb04:dff:cf00::/56")
_, k3sNetwork, _ = net.ParseCIDR("10.42.0.0/16")
)
// dbConnection initializes the database connection.
@@ -103,7 +106,7 @@ func indexHandler(w http.ResponseWriter, r *http.Request) {
</body>
</html>
`
fmt.Fprintf(w, tmpl)
fmt.Fprint(w, tmpl)
}
// selectHandler handles HTTP requests and executes a SQL query.
@@ -151,7 +154,7 @@ func oauth2_callback(w http.ResponseWriter, r *http.Request) {
// Vérifier le référent (ou origine)
hostHeader := strings.Trim(r.Header.Get("X-Forwarded-Host"), "[]")
if oauthAllowedHost != "" && hostHeader != oauthAllowedHost {
if len(oauthAllowedHosts) > 0 && !slices.Contains(oauthAllowedHosts, hostHeader) {
fmt.Fprintln(os.Stderr, "X-Forwarded-Host: "+hostHeader)
fmt.Fprintln(os.Stderr, "received headers")
for key, value := range r.Header {
@@ -283,11 +286,18 @@ func oauth2_callback(w http.ResponseWriter, r *http.Request) {
func retrieveHandler(w http.ResponseWriter, r *http.Request) {
// Récupérer l'IP de l'utilisateur
userIP, _, err := net.SplitHostPort(r.RemoteAddr)
userIPforwarded := r.Header.Get("X-Forwarded-For")
userIPforwarded := net.ParseIP(r.Header.Get("X-Forwarded-For"))
ip := userIPforwarded
if ip == nil {
ip = net.ParseIP(userIP)
}
if err != nil ||
!slices.Contains(oauthDeviceCodeAllowedIPs, userIP) &&
!slices.Contains(oauthDeviceCodeAllowedIPs, userIPforwarded) {
fmt.Fprintln(os.Stderr, "denied userIP: "+userIP)
!slices.Contains(oauthDeviceCodeAllowedIPs, ip.String()) &&
!localNetwork.Contains(ip) &&
!localNetworkIPV6.Contains(ip) &&
!k3sNetwork.Contains(ip) {
fmt.Fprintln(os.Stderr, "denied userIP: "+userIP+" forwarded: "+userIPforwarded.String())
fmt.Fprintf(os.Stderr, "alowed ips: %+v", oauthDeviceCodeAllowedIPs)
// Parcourir tous les headers
for name, values := range r.Header {
// name représente le nom de l'en-tête
@@ -479,7 +489,7 @@ func main() {
/*
Gitea doesn't come with device flow # https://github.com/go-gitea/gitea/issues/27309
https://gitea.arcodange.duckdns.org/.well-known/openid-configuration
https://gitea.arcodange.lab/.well-known/openid-configuration
"grant_types_supported": [
"authorization_code",
"refresh_token"
@@ -493,7 +503,6 @@ func main() {
http.HandleFunc("/retrieve", retrieveHandler)
http.HandleFunc("/test-oauth-callback", test_oauth2_callback)
// Start the HTTP server
port := ":8080"
log.Printf("Server starting on port %s\n", port)