2026-02-07 13:25:49 +00:00
|
|
|
# Shared Traefik Middleware CRDs
|
|
|
|
|
# These are referenced by ingress resources via annotations like:
|
|
|
|
|
# "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd"
|
|
|
|
|
|
|
|
|
|
# Rate limiting middleware
|
|
|
|
|
resource "kubernetes_manifest" "middleware_rate_limit" {
|
|
|
|
|
manifest = {
|
|
|
|
|
apiVersion = "traefik.io/v1alpha1"
|
|
|
|
|
kind = "Middleware"
|
|
|
|
|
metadata = {
|
|
|
|
|
name = "rate-limit"
|
|
|
|
|
namespace = kubernetes_namespace.traefik.metadata[0].name
|
|
|
|
|
}
|
|
|
|
|
spec = {
|
|
|
|
|
rateLimit = {
|
[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability
Phase 1 - Critical Security:
- Netbox: move hardcoded DB/superuser passwords to variables
- MeshCentral: disable public registration, add Authentik auth
- Traefik: disable insecure API dashboard (api.insecure=false)
- Traefik: configure forwarded headers with Cloudflare trusted IPs
Phase 2 - Security Hardening:
- Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.)
- Add Kyverno pod security policies in audit mode (privileged, host
namespaces, SYS_ADMIN, trusted registries)
- Tighten rate limiting (avg=10, burst=50)
- Add Authentik protection to grampsweb
Phase 3 - Monitoring & Alerting:
- Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale,
Authentik, Loki)
- Increase Loki retention from 7 to 30 days (720h)
- Add predictive PV filling alert (predict_linear)
- Re-enable Hackmd and Privatebin down alerts
Phase 4 - Reliability:
- Add resource requests/limits to Redis, DBaaS, Technitium, Headscale,
Vaultwarden, Uptime Kuma
- Increase Alloy DaemonSet memory to 512Mi/1Gi
Phase 6 - Maintainability:
- Extract duplicated tiers locals to terragrunt.hcl generate block
(removed from 67 stacks)
- Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114
instances across 63 files)
- Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references
with variables across ~35 stacks
- Migrate xray raw ingress resources to ingress_factory modules
2026-02-23 22:05:28 +00:00
|
|
|
average = 10
|
|
|
|
|
burst = 50
|
2026-02-07 13:25:49 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [helm_release.traefik]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Authentik forward auth middleware
|
|
|
|
|
resource "kubernetes_manifest" "middleware_authentik_forward_auth" {
|
|
|
|
|
manifest = {
|
|
|
|
|
apiVersion = "traefik.io/v1alpha1"
|
|
|
|
|
kind = "Middleware"
|
|
|
|
|
metadata = {
|
|
|
|
|
name = "authentik-forward-auth"
|
|
|
|
|
namespace = kubernetes_namespace.traefik.metadata[0].name
|
|
|
|
|
}
|
|
|
|
|
spec = {
|
|
|
|
|
forwardAuth = {
|
2026-03-01 14:13:05 +00:00
|
|
|
address = "http://auth-proxy.traefik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik"
|
2026-02-07 13:25:49 +00:00
|
|
|
trustForwardHeader = true
|
|
|
|
|
authResponseHeaders = [
|
|
|
|
|
"X-authentik-username",
|
|
|
|
|
"X-authentik-uid",
|
|
|
|
|
"X-authentik-email",
|
|
|
|
|
"X-authentik-name",
|
|
|
|
|
"X-authentik-groups",
|
|
|
|
|
"Set-Cookie",
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [helm_release.traefik]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# IP allowlist for local-only access
|
|
|
|
|
resource "kubernetes_manifest" "middleware_local_only" {
|
|
|
|
|
manifest = {
|
|
|
|
|
apiVersion = "traefik.io/v1alpha1"
|
|
|
|
|
kind = "Middleware"
|
|
|
|
|
metadata = {
|
|
|
|
|
name = "local-only"
|
|
|
|
|
namespace = kubernetes_namespace.traefik.metadata[0].name
|
|
|
|
|
}
|
|
|
|
|
spec = {
|
|
|
|
|
ipAllowList = {
|
|
|
|
|
sourceRange = [
|
|
|
|
|
"192.168.1.0/24",
|
|
|
|
|
"10.0.0.0/8",
|
|
|
|
|
"fc00::/7",
|
|
|
|
|
"fe80::/10",
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [helm_release.traefik]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# HTTPS redirect middleware
|
|
|
|
|
resource "kubernetes_manifest" "middleware_redirect_https" {
|
|
|
|
|
manifest = {
|
|
|
|
|
apiVersion = "traefik.io/v1alpha1"
|
|
|
|
|
kind = "Middleware"
|
|
|
|
|
metadata = {
|
|
|
|
|
name = "redirect-https"
|
|
|
|
|
namespace = kubernetes_namespace.traefik.metadata[0].name
|
|
|
|
|
}
|
|
|
|
|
spec = {
|
|
|
|
|
redirectScheme = {
|
|
|
|
|
scheme = "https"
|
|
|
|
|
permanent = true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [helm_release.traefik]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# CSP headers middleware (default)
|
|
|
|
|
resource "kubernetes_manifest" "middleware_csp_headers" {
|
|
|
|
|
manifest = {
|
|
|
|
|
apiVersion = "traefik.io/v1alpha1"
|
|
|
|
|
kind = "Middleware"
|
|
|
|
|
metadata = {
|
|
|
|
|
name = "csp-headers"
|
|
|
|
|
namespace = kubernetes_namespace.traefik.metadata[0].name
|
|
|
|
|
}
|
|
|
|
|
spec = {
|
|
|
|
|
headers = {
|
|
|
|
|
contentSecurityPolicy = "frame-ancestors 'self' *.viktorbarzin.me viktorbarzin.me"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [helm_release.traefik]
|
|
|
|
|
}
|
|
|
|
|
|
[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability
Phase 1 - Critical Security:
- Netbox: move hardcoded DB/superuser passwords to variables
- MeshCentral: disable public registration, add Authentik auth
- Traefik: disable insecure API dashboard (api.insecure=false)
- Traefik: configure forwarded headers with Cloudflare trusted IPs
Phase 2 - Security Hardening:
- Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.)
- Add Kyverno pod security policies in audit mode (privileged, host
namespaces, SYS_ADMIN, trusted registries)
- Tighten rate limiting (avg=10, burst=50)
- Add Authentik protection to grampsweb
Phase 3 - Monitoring & Alerting:
- Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale,
Authentik, Loki)
- Increase Loki retention from 7 to 30 days (720h)
- Add predictive PV filling alert (predict_linear)
- Re-enable Hackmd and Privatebin down alerts
Phase 4 - Reliability:
- Add resource requests/limits to Redis, DBaaS, Technitium, Headscale,
Vaultwarden, Uptime Kuma
- Increase Alloy DaemonSet memory to 512Mi/1Gi
Phase 6 - Maintainability:
- Extract duplicated tiers locals to terragrunt.hcl generate block
(removed from 67 stacks)
- Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114
instances across 63 files)
- Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references
with variables across ~35 stacks
- Migrate xray raw ingress resources to ingress_factory modules
2026-02-23 22:05:28 +00:00
|
|
|
# Security headers middleware (HSTS, X-Frame-Options, etc.)
|
|
|
|
|
resource "kubernetes_manifest" "middleware_security_headers" {
|
|
|
|
|
manifest = {
|
|
|
|
|
apiVersion = "traefik.io/v1alpha1"
|
|
|
|
|
kind = "Middleware"
|
|
|
|
|
metadata = {
|
|
|
|
|
name = "security-headers"
|
|
|
|
|
namespace = kubernetes_namespace.traefik.metadata[0].name
|
|
|
|
|
}
|
|
|
|
|
spec = {
|
|
|
|
|
headers = {
|
|
|
|
|
stsSeconds = 31536000
|
|
|
|
|
stsIncludeSubdomains = true
|
|
|
|
|
frameDeny = true
|
|
|
|
|
contentTypeNosniff = true
|
|
|
|
|
browserXssFilter = true
|
|
|
|
|
referrerPolicy = "strict-origin-when-cross-origin"
|
|
|
|
|
permissionsPolicy = "camera=(), microphone=(), geolocation=()"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [helm_release.traefik]
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-07 13:25:49 +00:00
|
|
|
# CrowdSec bouncer plugin middleware
|
|
|
|
|
resource "kubernetes_manifest" "middleware_crowdsec" {
|
|
|
|
|
manifest = {
|
|
|
|
|
apiVersion = "traefik.io/v1alpha1"
|
|
|
|
|
kind = "Middleware"
|
|
|
|
|
metadata = {
|
|
|
|
|
name = "crowdsec"
|
|
|
|
|
namespace = kubernetes_namespace.traefik.metadata[0].name
|
|
|
|
|
}
|
|
|
|
|
spec = {
|
|
|
|
|
plugin = {
|
|
|
|
|
crowdsec-bouncer = {
|
[ci skip] right-size all pod resources based on VPA + live metrics audit
Full cluster resource audit: cross-referenced Goldilocks VPA recommendations,
live kubectl top metrics, and Terraform definitions for 100+ containers.
Critical fixes:
- dashy: CPU throttled at 98% (490m/500m) → 2 CPU limit
- stirling-pdf: CPU throttled at 99.7% (299m/300m) → 2 CPU limit
- traefik auth-proxy/bot-block-proxy: mem limit 32Mi → 128Mi
Added explicit resources to ~40 containers that had none:
- audiobookshelf, changedetection, cyberchef, dawarich, diun, echo,
excalidraw, freshrss, hackmd, isponsorblocktv, linkwarden, n8n,
navidrome, ntfy, owntracks, privatebin, send, shadowsocks, tandoor,
tor-proxy, wealthfolio, networking-toolbox, rybbit, mailserver,
cloudflared, pgadmin, phpmyadmin, crowdsec-web, xray, wireguard,
k8s-portal, tuya-bridge, ollama-ui, whisper, piper, immich-server,
immich-postgresql, osrm-foot
GPU containers: added CPU/mem alongside GPU limits:
- ollama: removed CPU/mem limits (models vary in size), keep GPU only
- frigate: req 500m/2Gi, lim 4/8Gi + GPU
- immich-ml: req 100m/1Gi, lim 2/4Gi + GPU
Right-sized ~25 over-provisioned containers:
- kms-web-page: 500m/512Mi → 50m/64Mi (was using 0m/10Mi)
- onlyoffice: CPU 8 → 2 (VPA upper 45m)
- realestate-crawler-api: CPU 2000m → 250m
- blog/travel-blog/webhook-handler: 500m → 100m
- coturn/health/plotting-book: reduced to match actual usage
Conservative methodology: limits = max(VPA upper * 2, live usage * 2)
2026-03-01 19:18:50 +00:00
|
|
|
crowdsecLapiKey = var.crowdsec_api_key
|
|
|
|
|
crowdsecLapiHost = "crowdsec-service.crowdsec.svc.cluster.local:8080"
|
|
|
|
|
crowdsecMode = "stream"
|
|
|
|
|
updateMaxFailure = -1 # fail-open: serve from cache when LAPI is unreachable
|
|
|
|
|
redisCacheEnabled = true
|
|
|
|
|
redisCacheHost = var.redis_host
|
|
|
|
|
redisCacheUnreachableBlock = false # don't block traffic if Redis is also unreachable
|
|
|
|
|
clientTrustedIPs = ["10.0.20.0/24", "10.10.0.0/16"] # node + pod CIDRs bypass CrowdSec
|
2026-02-07 13:25:49 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [helm_release.traefik]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# TLS option for mTLS (client certificate auth)
|
|
|
|
|
resource "kubernetes_manifest" "tls_option_mtls" {
|
|
|
|
|
manifest = {
|
|
|
|
|
apiVersion = "traefik.io/v1alpha1"
|
|
|
|
|
kind = "TLSOption"
|
|
|
|
|
metadata = {
|
|
|
|
|
name = "mtls"
|
|
|
|
|
namespace = kubernetes_namespace.traefik.metadata[0].name
|
|
|
|
|
}
|
|
|
|
|
spec = {
|
|
|
|
|
clientAuth = {
|
|
|
|
|
secretNames = ["ca-secret"]
|
|
|
|
|
clientAuthType = "RequireAndVerifyClientCert"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [helm_release.traefik]
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-07 13:56:24 +00:00
|
|
|
# ServersTransport for backends with self-signed certificates
|
|
|
|
|
resource "kubernetes_manifest" "servers_transport_insecure" {
|
|
|
|
|
manifest = {
|
|
|
|
|
apiVersion = "traefik.io/v1alpha1"
|
|
|
|
|
kind = "ServersTransport"
|
|
|
|
|
metadata = {
|
|
|
|
|
name = "insecure-skip-verify"
|
|
|
|
|
namespace = kubernetes_namespace.traefik.metadata[0].name
|
|
|
|
|
}
|
|
|
|
|
spec = {
|
|
|
|
|
insecureSkipVerify = true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [helm_release.traefik]
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-07 20:28:44 +00:00
|
|
|
# Strip Authentik auth headers/cookies before forwarding to backend
|
|
|
|
|
# Useful for backends (iDRAC, TP-Link) that break when receiving extra headers
|
|
|
|
|
resource "kubernetes_manifest" "middleware_strip_auth_headers" {
|
|
|
|
|
manifest = {
|
|
|
|
|
apiVersion = "traefik.io/v1alpha1"
|
|
|
|
|
kind = "Middleware"
|
|
|
|
|
metadata = {
|
|
|
|
|
name = "strip-auth-headers"
|
|
|
|
|
namespace = kubernetes_namespace.traefik.metadata[0].name
|
|
|
|
|
}
|
|
|
|
|
spec = {
|
|
|
|
|
headers = {
|
|
|
|
|
customRequestHeaders = {
|
|
|
|
|
"X-authentik-username" = ""
|
|
|
|
|
"X-authentik-uid" = ""
|
|
|
|
|
"X-authentik-email" = ""
|
|
|
|
|
"X-authentik-name" = ""
|
|
|
|
|
"X-authentik-groups" = ""
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [helm_release.traefik]
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-07 13:25:49 +00:00
|
|
|
# Immich-specific rate limit (higher limits for photo uploads)
|
|
|
|
|
resource "kubernetes_manifest" "middleware_immich_rate_limit" {
|
|
|
|
|
manifest = {
|
|
|
|
|
apiVersion = "traefik.io/v1alpha1"
|
|
|
|
|
kind = "Middleware"
|
|
|
|
|
metadata = {
|
|
|
|
|
name = "immich-rate-limit"
|
|
|
|
|
namespace = kubernetes_namespace.traefik.metadata[0].name
|
|
|
|
|
}
|
|
|
|
|
spec = {
|
|
|
|
|
rateLimit = {
|
|
|
|
|
average = 100
|
|
|
|
|
burst = 1000
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [helm_release.traefik]
|
|
|
|
|
}
|
2026-02-11 21:40:11 +00:00
|
|
|
|
|
|
|
|
# Strip Accept-Encoding header so backends send uncompressed responses.
|
|
|
|
|
# Used alongside rewrite-body plugin (rybbit analytics) which fails to
|
|
|
|
|
# decompress certain gzip responses (flate: corrupt input before offset 5).
|
2026-02-22 19:49:32 +00:00
|
|
|
# Also used by anti-AI trap links rewrite-body middleware.
|
2026-02-11 21:40:11 +00:00
|
|
|
resource "kubernetes_manifest" "middleware_strip_accept_encoding" {
|
|
|
|
|
manifest = {
|
|
|
|
|
apiVersion = "traefik.io/v1alpha1"
|
|
|
|
|
kind = "Middleware"
|
|
|
|
|
metadata = {
|
|
|
|
|
name = "strip-accept-encoding"
|
|
|
|
|
namespace = kubernetes_namespace.traefik.metadata[0].name
|
|
|
|
|
}
|
|
|
|
|
spec = {
|
|
|
|
|
headers = {
|
|
|
|
|
customRequestHeaders = {
|
|
|
|
|
"Accept-Encoding" = ""
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [helm_release.traefik]
|
|
|
|
|
}
|
2026-02-22 19:49:32 +00:00
|
|
|
|
|
|
|
|
# ForwardAuth middleware to block known AI bot User-Agents
|
|
|
|
|
resource "kubernetes_manifest" "middleware_ai_bot_block" {
|
|
|
|
|
manifest = {
|
|
|
|
|
apiVersion = "traefik.io/v1alpha1"
|
|
|
|
|
kind = "Middleware"
|
|
|
|
|
metadata = {
|
|
|
|
|
name = "ai-bot-block"
|
|
|
|
|
namespace = kubernetes_namespace.traefik.metadata[0].name
|
|
|
|
|
}
|
|
|
|
|
spec = {
|
|
|
|
|
forwardAuth = {
|
2026-03-01 14:05:41 +00:00
|
|
|
address = "http://bot-block-proxy.traefik.svc.cluster.local:8080/auth"
|
2026-02-22 19:49:32 +00:00
|
|
|
trustForwardHeader = true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [helm_release.traefik]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# X-Robots-Tag header to discourage compliant AI crawlers
|
|
|
|
|
resource "kubernetes_manifest" "middleware_anti_ai_headers" {
|
|
|
|
|
manifest = {
|
|
|
|
|
apiVersion = "traefik.io/v1alpha1"
|
|
|
|
|
kind = "Middleware"
|
|
|
|
|
metadata = {
|
|
|
|
|
name = "anti-ai-headers"
|
|
|
|
|
namespace = kubernetes_namespace.traefik.metadata[0].name
|
|
|
|
|
}
|
|
|
|
|
spec = {
|
|
|
|
|
headers = {
|
|
|
|
|
customResponseHeaders = {
|
|
|
|
|
"X-Robots-Tag" = "noai, noimageai"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [helm_release.traefik]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Inject hidden trap links before </body> to catch AI scrapers
|
|
|
|
|
# Links are CSS-hidden and aria-hidden so humans never see them
|
|
|
|
|
resource "kubernetes_manifest" "middleware_anti_ai_trap_links" {
|
|
|
|
|
manifest = {
|
|
|
|
|
apiVersion = "traefik.io/v1alpha1"
|
|
|
|
|
kind = "Middleware"
|
|
|
|
|
metadata = {
|
|
|
|
|
name = "anti-ai-trap-links"
|
|
|
|
|
namespace = kubernetes_namespace.traefik.metadata[0].name
|
|
|
|
|
}
|
|
|
|
|
spec = {
|
|
|
|
|
plugin = {
|
|
|
|
|
rewrite-body = {
|
|
|
|
|
rewrites = [{
|
|
|
|
|
regex = "</body>"
|
|
|
|
|
replacement = "<div style=\"position:absolute;left:-9999px;height:0;overflow:hidden\" aria-hidden=\"true\"><a href=\"https://poison.viktorbarzin.me/article/training-data-2024-research-corpus\">Research Archive</a><a href=\"https://poison.viktorbarzin.me/article/dataset-export-machine-learning-v3\">Dataset Export</a><a href=\"https://poison.viktorbarzin.me/article/nlp-benchmark-evaluation-results\">Benchmark Results</a><a href=\"https://poison.viktorbarzin.me/article/web-crawl-index-2024-archive\">Web Index</a><a href=\"https://poison.viktorbarzin.me/article/text-corpus-english-dump\">Text Corpus</a></div></body>"
|
|
|
|
|
}]
|
|
|
|
|
monitoring = {
|
|
|
|
|
types = ["text/html"]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [helm_release.traefik]
|
|
|
|
|
}
|
2026-03-01 14:35:53 +00:00
|
|
|
|
|
|
|
|
# Retry middleware for transient backend failures (502/503 during restarts)
|
|
|
|
|
resource "kubernetes_manifest" "middleware_retry" {
|
|
|
|
|
manifest = {
|
|
|
|
|
apiVersion = "traefik.io/v1alpha1"
|
|
|
|
|
kind = "Middleware"
|
|
|
|
|
metadata = {
|
|
|
|
|
name = "retry"
|
|
|
|
|
namespace = kubernetes_namespace.traefik.metadata[0].name
|
|
|
|
|
}
|
|
|
|
|
spec = {
|
|
|
|
|
retry = {
|
|
|
|
|
attempts = 2
|
|
|
|
|
initialInterval = "100ms"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
depends_on = [helm_release.traefik]
|
|
|
|
|
}
|