bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 14 Actions Packages Projects Releases Wiki Activity

fix(auth): harden public infra routes

Browse Source
This commit is contained in:
Andrew Stoltz
2026-06-04 13:20:16 -05:00
parent 81a3ddac4c
commit 90599b0413
15 changed files with 189 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
apps/andrew/andrew.yaml
View File

@@ -201,6 +201,8 @@ spec:
metadata:
labels:
app: andrew-web
annotations:
flowercore.io/healthz-auth-policy: "allow-anonymous"
spec:
containers:
- name: nginx
@@ -225,12 +227,18 @@ spec:
httpGet:
path: /healthz
port: 80
httpHeaders:
- name: X-Forwarded-Proto
value: https
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /healthz
port: 80
httpHeaders:
- name: X-Forwarded-Proto
value: https
initialDelaySeconds: 3
periodSeconds: 5
volumes:
@@ -265,7 +273,7 @@ spec:
entryPoints:
- websecure
routes:
- match: Host(`bluejay.dev`) || Host(`www.bluejay.dev`)
- match: (Host(`bluejay.dev`) || Host(`www.bluejay.dev`)) && (Method(`GET`) || Method(`HEAD`))
kind: Rule
services:
- name: andrew-web

10
apps/dustin/dustin.yaml
View File

@@ -201,6 +201,8 @@ spec:
metadata:
labels:
app: dustin-web
annotations:
flowercore.io/healthz-auth-policy: "allow-anonymous"
spec:
containers:
- name: nginx
@@ -225,12 +227,18 @@ spec:
httpGet:
path: /healthz
port: 80
httpHeaders:
- name: X-Forwarded-Proto
value: https
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /healthz
port: 80
httpHeaders:
- name: X-Forwarded-Proto
value: https
initialDelaySeconds: 3
periodSeconds: 5
volumes:
@@ -265,7 +273,7 @@ spec:
entryPoints:
- websecure
routes:
- match: Host(`timeforta.co`) || Host(`www.timeforta.co`)
- match: (Host(`timeforta.co`) || Host(`www.timeforta.co`)) && (Method(`GET`) || Method(`HEAD`))
kind: Rule
services:
- name: dustin-web

10
apps/erik/erik.yaml
View File

@@ -201,6 +201,8 @@ spec:
metadata:
labels:
app: erik-web
annotations:
flowercore.io/healthz-auth-policy: "allow-anonymous"
spec:
containers:
- name: nginx
@@ -225,12 +227,18 @@ spec:
httpGet:
path: /healthz
port: 80
httpHeaders:
- name: X-Forwarded-Proto
value: https
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /healthz
port: 80
httpHeaders:
- name: X-Forwarded-Proto
value: https
initialDelaySeconds: 3
periodSeconds: 5
volumes:
@@ -265,7 +273,7 @@ spec:
entryPoints:
- websecure
routes:
- match: Host(`erckak.dev`) || Host(`www.erckak.dev`)
- match: (Host(`erckak.dev`) || Host(`www.erckak.dev`)) && (Method(`GET`) || Method(`HEAD`))
kind: Rule
services:
- name: erik-web

12
apps/fc-landing/fc-landing.yaml
View File

@@ -203,6 +203,8 @@ spec:
metadata:
labels:
app: fc-landing
annotations:
flowercore.io/healthz-auth-policy: "allow-anonymous"
spec:
containers:
- name: nginx
@@ -227,12 +229,18 @@ spec:
httpGet:
path: /healthz
port: 80
httpHeaders:
- name: X-Forwarded-Proto
value: https
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /healthz
port: 80
httpHeaders:
- name: X-Forwarded-Proto
value: https
initialDelaySeconds: 3
periodSeconds: 5
volumes:
@@ -298,7 +306,7 @@ spec:
entryPoints:
- websecure
routes:
- match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
- match: (Host(`flowercore.io`) || Host(`www.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`))
kind: Rule
services:
- name: fc-landing
@@ -316,7 +324,7 @@ spec:
entryPoints:
- web
routes:
- match: Host(`flowercore.io`) || Host(`www.flowercore.io`)
- match: (Host(`flowercore.io`) || Host(`www.flowercore.io`)) && (Method(`GET`) || Method(`HEAD`))
kind: Rule
services:
- name: fc-landing

10
apps/fit/fit.yaml
View File

@@ -201,6 +201,8 @@ spec:
metadata:
labels:
app: fit-web
annotations:
flowercore.io/healthz-auth-policy: "allow-anonymous"
spec:
containers:
- name: nginx
@@ -225,12 +227,18 @@ spec:
httpGet:
path: /healthz
port: 80
httpHeaders:
- name: X-Forwarded-Proto
value: https
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /healthz
port: 80
httpHeaders:
- name: X-Forwarded-Proto
value: https
initialDelaySeconds: 3
periodSeconds: 5
volumes:
@@ -265,7 +273,7 @@ spec:
entryPoints:
- websecure
routes:
- match: Host(`flowerinsider.xyz`) || Host(`www.flowerinsider.xyz`)
- match: (Host(`flowerinsider.xyz`) || Host(`www.flowerinsider.xyz`)) && (Method(`GET`) || Method(`HEAD`))
kind: Rule
services:
- name: fit-web

8
apps/flowercore/flowercore.yaml
View File

@@ -257,6 +257,8 @@ spec:
metadata:
labels:
app: flowercore-web
annotations:
flowercore.io/healthz-auth-policy: "allow-anonymous"
spec:
containers:
- name: nginx
@@ -281,12 +283,18 @@ spec:
httpGet:
path: /healthz
port: 80
httpHeaders:
- name: X-Forwarded-Proto
value: https
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /healthz
port: 80
httpHeaders:
- name: X-Forwarded-Proto
value: https
initialDelaySeconds: 3
periodSeconds: 5
volumes:

2
apps/gitea-public/gitea-public.yaml
View File

@@ -11,7 +11,7 @@ spec:
entryPoints:
- websecure
routes:
- match: Host(`gitea.flowercore.io`)
- match: Host(`gitea.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
kind: Rule
services:
- name: gitea-http

2
apps/mail/mail.yaml
View File

@@ -243,7 +243,7 @@ spec:
entryPoints:
- websecure
routes:
- match: Host(`webmail.flowercore.io`)
- match: Host(`webmail.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
kind: Rule
services:
- name: mail-webmail

4
apps/matrix/matrix.yaml
View File

@@ -479,7 +479,7 @@ spec:
entryPoints:
- websecure
routes:
- match: Host(`element.flowercore.io`)
- match: Host(`element.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
kind: Rule
services:
- name: element-web
@@ -497,7 +497,7 @@ spec:
entryPoints:
- websecure
routes:
- match: Host(`matrix.flowercore.io`)
- match: Host(`matrix.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
kind: Rule
services:
- name: synapse

9
apps/pki-web/pki-web.yaml
View File

@@ -134,6 +134,8 @@ spec:
metadata:
labels:
app: pki-web
annotations:
flowercore.io/healthz-auth-policy: "allow-anonymous"
spec:
containers:
- name: nginx
@@ -158,12 +160,18 @@ spec:
httpGet:
path: /healthz
port: 80
httpHeaders:
- name: X-Forwarded-Proto
value: https
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /healthz
port: 80
httpHeaders:
- name: X-Forwarded-Proto
value: https
initialDelaySeconds: 3
periodSeconds: 5
volumes:
@@ -201,6 +209,7 @@ spec:
dnsNames:
- pki.iamworkin.lan
---
# Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
# Traefik IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute

10
apps/telephony/telephony.yaml
View File

@@ -207,12 +207,18 @@ spec:
httpGet:
path: /health
port: 5100
httpHeaders:
- name: X-Forwarded-Proto
value: https
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
httpGet:
path: /health
port: 5100
httpHeaders:
- name: X-Forwarded-Proto
value: https
initialDelaySeconds: 10
periodSeconds: 5
volumes:
@@ -256,12 +262,12 @@ spec:
- websecure
routes:
- kind: Rule
match: Host(`telephony.flowercore.io`)
match: Host(`telephony.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
services:
- name: telephony-web
port: 5100
- kind: Rule
match: Host(`telephony.iamwork.in`)
match: Host(`telephony.iamwork.in`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
services:
- name: telephony-web
port: 5100

9
apps/traefik-dashboard/traefik-dashboard.yaml
View File

@@ -20,10 +20,11 @@ metadata:
spec:
basicAuth:
secret: traefik-dashboard-auth
---
# Dashboard IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
---
# Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
# Dashboard IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
namespace: traefik-system

4
apps/voice/voice.yaml
View File

@@ -66,7 +66,7 @@ spec:
- websecure
routes:
- kind: Rule
match: Host(`voice.bluejay.dev`)
match: Host(`voice.bluejay.dev`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
services:
- name: voice-bridge
port: 8766
@@ -84,7 +84,7 @@ spec:
- websecure
routes:
- kind: Rule
match: Host(`voice-ws.bluejay.dev`)
match: Host(`voice-ws.bluejay.dev`) && (Method(`GET`) || Method(`HEAD`))
services:
- name: voice-bridge
port: 8765

1
apps/zabbix/zabbix.yaml
View File

@@ -344,6 +344,7 @@ spec:
dnsNames:
- zabbix.iamworkin.lan
---
# Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
# Traefik IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute