Basic computer literacy

I was lucky to have been born in the early 90s. I was also lucky that my parents had some disposable income. Even luckier that things like the Raspberry Pi Foundation existed while I was alive and young.

I shouldn’t take these things for granted. I lived through the rise of the personal computer, the introduction of internet to the masses, and then high speed internet, then high speed mobile internet, and the smartphone as well. I’d say that I’m way beyond basic computer literacy, but that’s because I lived through those times, and following my curiosity led me on this path. But those times are now gone, and not everyone has the same proclivities for nerd stuff as I do.


HiveDAV - forking an open-source project

The number of posts and videos that I’ve seen in the past ~12 months announcing the end of Free Open Source Software is off the charts. From AI tools being set loose on several projects’ issue and pull request boards, to a veritable flood of security vulnerabilities being discovered by automated tools, not forgetting the burnout that many developers are feeling in these agentic times, and the fall of GitHub; it would seem that FOSS is undergoing a crisis.


Improving my self-hosted actions runner setup

For a while now, I’ve self-hosted a runner to integrate with Gitea Actions. But there was something about it that was leaving me worried: in an age where software supply chain security is becoming more and more important, I felt like I needed to improve the security of the setup. The answer I arrived at, while not perfect (yet), is a great improvement over what I had before. This post will be a walkthrough of what I had, what I chose to replace it with and why, how I did it, and where I could still improve it.


K8s-mtp: a multi-tenant Kubernetes platform pt. 4

tl;dr:

  • 3459 lines of code added (+3378 net)
  • 48 test functions across 9 new test files
  • 30 commits: 25 for new features and tests, 2 fixes, and 3 chores
  • Complete build pipeline rewrite: Docker replaced with ko (daemonless); no more external actions
  • Dex integration with JWT validation middleware + rate limiting
  • Full REST API: 8 endpoints for tenants + member CRUD
  • CLI tool: login via Dex password grant, 9 subcommands for management

Part 3 ended with a promise: “authentication, an API gateway with rate limiting built-in, and if I’m feeling generous both a CLI tool and a Web UI”. On the surface, I failed because I’m not delivering on the full promise, as there’s no Web UI (yet!). But there’s so much more that was added besides what was promised. We have a lot of tests! We have an even better CI/CD pipeline! We eliminated external dependencies! We have Helm charts! And, of course, we have all the other promises that were made before. I feel like this is a good trade-off: less show-off, but better foundations.


Hardware security devices for remote PAM auth

Sometimes, laziness can be a great motivator.

In effect, what I wanted was a zero-trust setup for remote authentication. On one hand, because it’s way more secure; but the real motivator was that I got tired of typing or copy/pasting passwords.

For a while now, I’ve been using both a Nitrokey and a Yubikey for authentication and signing on my local machine. This has many interesting features; for example, combined with my password manager workflow it means I can securely get a password without much work, as the touch of a button is enough. And not only is this more convenient, but it’s also more secure. Not only do they add a physical layer to the workflow, which makes the workflow depend on the physical presence of a device; they also obviate the need for other apps or devices, which decreases the attack surface from other sources. Not only are they easier to use and manage, but they also increase security? This is exactly my kind of jam!
