From cbb0093f2c6a31a0f2ce3ad1e12f2137f2f18c14 Mon Sep 17 00:00:00 2001
From: Baptiste Jonglez
Date: Sat, 8 Jun 2024 16:35:35 +0200
Subject: [PATCH] staging: garage: Handle *.garage.staging for vhost-style S3 and add on-demand TLS checks

---
 cluster/staging/app/garage/config/garage.toml | 1 +
 cluster/staging/app/garage/deploy/garage.hcl | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/cluster/staging/app/garage/config/garage.toml b/cluster/staging/app/garage/config/garage.toml
index 6c92bf3..01eb237 100644
--- a/cluster/staging/app/garage/config/garage.toml
+++ b/cluster/staging/app/garage/config/garage.toml
@@ -25,6 +25,7 @@ tls_skip_verify = true
 [s3_api]
 s3_region = "garage-staging"
 api_bind_addr = "0.0.0.0:3990"
+root_domain = ".garage.staging.deuxfleurs.org"
 
 [k2v_api]
 api_bind_addr = "0.0.0.0:3993"
diff --git a/cluster/staging/app/garage/deploy/garage.hcl b/cluster/staging/app/garage/deploy/garage.hcl
index 67655e4..7a7b44b 100644
--- a/cluster/staging/app/garage/deploy/garage.hcl
+++ b/cluster/staging/app/garage/deploy/garage.hcl
@@ -84,7 +84,9 @@ job "garage-staging" {
         tags = [
           "garage-staging-api",
           "tricot garage.staging.deuxfleurs.org",
+          "tricot *.garage.staging.deuxfleurs.org",
           "tricot-add-header Access-Control-Allow-Origin *",
+          "tricot-on-demand-tls-ask http://garage-staging-admin.service.staging.consul:3909/check",
           "tricot-site-lb",
         ]
         port = "s3"
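Review bot: The new `root_domain` line turns every bucket name into a public hostname and has to stay in lockstep with the wildcard `tricot *.garage.staging.deuxfleurs.org` tag added to deploy/garage.hcl in the same commit, but nothing in the file records that coupling. A comment above the key would spare the next person who renames one side only: `# vhost-style S3: bucket "foo" is served as foo.garage.staging.deuxfleurs.org; the leading dot is required and the suffix must match the tricot wildcard tag in deploy/garage.hcl`. It is also worth stating, either here or in the commit message, that bucket names are now externally visible as DNS labels, so bucket naming can no longer be treated as private. Whether Garage also accepts path-style requests on the bare apex after this change is not visible in the hunk and should be confirmed.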
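Review bot: The `tricot-on-demand-tls-ask` tag makes the `/check` endpoint on the admin service the only gate between an arbitrary `<name>.garage.staging.deuxfleurs.org` SNI and an ACME issuance attempt, and the hunk does not say what that endpoint is expected to answer. If, as the port and path suggest, it answers "yes" for any existing bucket, then anyone holding a key that can create buckets can force one certificate request per bucket and burn through the CA's per-domain rate limit, taking real sites down with it; this is an inference from the tag, not something visible here, so please confirm the endpoint's policy and document it. The endpoint is also reached over plain `http://` via a Consul DNS name, so the cluster network must be trusted not to spoof that answer; a short comment above the tag would make both assumptions explicit: `# tricot asks the admin API before requesting a cert for a new vhost; /check is assumed to accept only existing buckets, and the http:// hop relies on the cluster network being trusted`. The enclosing service block begins and ends outside the hunk.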
@@ -119,10 +121,16 @@ job "garage-staging" {
         name = "garage-staging-web"
         tags = [
           "garage-staging-web",
+          "tricot * 1",
           "tricot *.web.staging.deuxfleurs.org",
           "tricot staging.deuxfleurs.org",
           "tricot matrix.home.adnab.me/.well-known/matrix/server",
+          "tricot-add-header Strict-Transport-Security max-age=63072000; includeSubDomains; preload",
+          "tricot-add-header X-Frame-Options SAMEORIGIN",
+          "tricot-add-header X-XSS-Protection 1; mode=block",
+          "tricot-add-header X-Content-Type-Options nosniff",
           "tricot-add-header Access-Control-Allow-Origin *",
+          "tricot-on-demand-tls-ask http://garage-staging-admin.service.staging.consul:3909/check",
           "tricot-site-lb",
         ]
         port = "web"
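Review bot: The `tricot * 1` tag is a catch-all, so every Host reaching the load balancer that no more specific rule claims now lands on the Garage web endpoint, and together with the `tricot-on-demand-tls-ask` tag in the same list this means the proxy may ask for a certificate for any name a client sends in SNI; if the trailing `1` is a priority value, say so in a comment, e.g. `# catch-all (priority 1) for bucket websites on custom domains; cert issuance for unknown names is gated only by /check`. The on-demand `/check` endpoint therefore needs to reject anything that is not an exact bucket-website hostname, which cannot be verified from this hunk and should be confirmed. Separately, `X-XSS-Protection 1; mode=block` is a deprecated header that current guidance (OWASP, MDN) recommends setting to `0` or dropping, since the legacy filter it enables has been used for cross-site leaks; `X-Content-Type-Options` and a CSP are the modern replacements. The `includeSubDomains; preload` HSTS directive also applies to every subdomain of whichever Host the rule matched, including names served by other jobs, so the `preload` token should only be kept if submission to the preload list is actually intended. The enclosing service block begins and ends outside the hunk.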