studio/sbbb - sbbb - Gitea: Git with a cup of tea

studio/sbbb

Fork 0

Commit Graph

Author	SHA1	Message	Date
Sienna Meridian Satterwhite	ccfe8b877a	feat: La Suite email/messages, buildkitd, monitoring, vault and storage updates - Add Messages (email) service: backend, frontend, MTA in/out, MPA, SOCKS proxy, worker, DKIM config, and theme customization - Add Collabora deployment for document collaboration - Add Drive frontend nginx config and values - Add buildkitd namespace for in-cluster container builds - Add SeaweedFS remote sync and additional S3 buckets - Update vault secrets across namespaces (devtools, lasuite, media, monitoring, ory, storage) with expanded credential management - Update monitoring: rename grafana→metrics OAuth2Client, add Prometheus remote write and additional scrape configs - Update local/production overlays with resource patches - Remove stale login-ui resource patch from production overlay	2026-03-10 19:00:57 +00:00
Sienna Meridian Satterwhite	7ffddcafcd	fix(ory,lasuite): harden session security and fix logout + WebSocket routing - Fix Hydra postLogoutRedirectUris for docs and people to match the actual URI sent by mozilla_django_oidc v5 (/api/v1.0/logout-callback/) instead of the root URL, resolving 599 logout errors. - Fix docs y-provider WebSocket backend port: use Service port 443 (not pod port 4444 which has no DNAT rule) in Pingora config. - Tighten VSO VaultDynamicSecret rotation sync: add allowStaticCreds:true and reduce refreshAfter from 1h to 5m across all static-creds paths (kratos, hydra, gitea, hive, people, docs) so credential rotation is reflected within 5 minutes instead of up to 1 hour. - Set Hydra token TTLs: access_token and id_token to 5m; refresh_token to 720h (30 days). Kratos session carries silent re-auth so the short access token TTL does not require users to log in manually. - Set SESSION_COOKIE_AGE=3600 (1h) in docs and people backends. After 1h, apps silently re-auth via the active Kratos session. Disabled identities (sunbeam user disable) cannot re-auth on next expiry.	2026-03-03 18:07:08 +00:00
Sienna Meridian Satterwhite	8cb705fecc	feat(devtools): migrate Gitea to OpenBao DB static role; sync admin creds via VSO - gitea-db-credentials is now a VaultDynamicSecret reading from database/static-creds/gitea (OpenBao static role, 24h password rotation). Replaces the previous KV-based Secret that used a hardcoded localdev password. - gitea-admin-credentials and gitea-s3-credentials remain VaultStaticSecrets synced from secret/gitea and secret/seaweedfs respectively. - gitea-values.yaml adds gitea.admin.existingSecret so the chart reads the admin username/password from the VSO-managed Secret instead of values.	2026-03-02 18:33:16 +00:00

Author

SHA1

Message

Date

Sienna Meridian Satterwhite

ccfe8b877a

feat: La Suite email/messages, buildkitd, monitoring, vault and storage updates

- Add Messages (email) service: backend, frontend, MTA in/out, MPA, SOCKS
  proxy, worker, DKIM config, and theme customization
- Add Collabora deployment for document collaboration
- Add Drive frontend nginx config and values
- Add buildkitd namespace for in-cluster container builds
- Add SeaweedFS remote sync and additional S3 buckets
- Update vault secrets across namespaces (devtools, lasuite, media,
  monitoring, ory, storage) with expanded credential management
- Update monitoring: rename grafana→metrics OAuth2Client, add Prometheus
  remote write and additional scrape configs
- Update local/production overlays with resource patches
- Remove stale login-ui resource patch from production overlay

2026-03-10 19:00:57 +00:00

Sienna Meridian Satterwhite

7ffddcafcd

fix(ory,lasuite): harden session security and fix logout + WebSocket routing

- Fix Hydra postLogoutRedirectUris for docs and people to match the
  actual URI sent by mozilla_django_oidc v5 (/api/v1.0/logout-callback/)
  instead of the root URL, resolving 599 logout errors.

- Fix docs y-provider WebSocket backend port: use Service port 443
  (not pod port 4444 which has no DNAT rule) in Pingora config.

- Tighten VSO VaultDynamicSecret rotation sync: add allowStaticCreds:true
  and reduce refreshAfter from 1h to 5m across all static-creds paths
  (kratos, hydra, gitea, hive, people, docs) so credential rotation is
  reflected within 5 minutes instead of up to 1 hour.

- Set Hydra token TTLs: access_token and id_token to 5m; refresh_token
  to 720h (30 days). Kratos session carries silent re-auth so the short
  access token TTL does not require users to log in manually.

- Set SESSION_COOKIE_AGE=3600 (1h) in docs and people backends. After
  1h, apps silently re-auth via the active Kratos session. Disabled
  identities (sunbeam user disable) cannot re-auth on next expiry.

2026-03-03 18:07:08 +00:00

Sienna Meridian Satterwhite

8cb705fecc

feat(devtools): migrate Gitea to OpenBao DB static role; sync admin creds via VSO

- gitea-db-credentials is now a VaultDynamicSecret reading from
  database/static-creds/gitea (OpenBao static role, 24h password rotation).
  Replaces the previous KV-based Secret that used a hardcoded localdev password.
- gitea-admin-credentials and gitea-s3-credentials remain VaultStaticSecrets
  synced from secret/gitea and secret/seaweedfs respectively.
- gitea-values.yaml adds gitea.admin.existingSecret so the chart reads the
  admin username/password from the VSO-managed Secret instead of values.

2026-03-02 18:33:16 +00:00

3 Commits