2024-02-25 16:28:40 +00:00
|
|
|
variable "tls_secret_name" {}
|
2026-01-10 16:28:12 +00:00
|
|
|
variable "tier" { type = string }
|
[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability
Phase 1 - Critical Security:
- Netbox: move hardcoded DB/superuser passwords to variables
- MeshCentral: disable public registration, add Authentik auth
- Traefik: disable insecure API dashboard (api.insecure=false)
- Traefik: configure forwarded headers with Cloudflare trusted IPs
Phase 2 - Security Hardening:
- Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.)
- Add Kyverno pod security policies in audit mode (privileged, host
namespaces, SYS_ADMIN, trusted registries)
- Tighten rate limiting (avg=10, burst=50)
- Add Authentik protection to grampsweb
Phase 3 - Monitoring & Alerting:
- Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale,
Authentik, Loki)
- Increase Loki retention from 7 to 30 days (720h)
- Add predictive PV filling alert (predict_linear)
- Re-enable Hackmd and Privatebin down alerts
Phase 4 - Reliability:
- Add resource requests/limits to Redis, DBaaS, Technitium, Headscale,
Vaultwarden, Uptime Kuma
- Increase Alloy DaemonSet memory to 512Mi/1Gi
Phase 6 - Maintainability:
- Extract duplicated tiers locals to terragrunt.hcl generate block
(removed from 67 stacks)
- Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114
instances across 63 files)
- Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references
with variables across ~35 stacks
- Migrate xray raw ingress resources to ingress_factory modules
2026-02-23 22:05:28 +00:00
|
|
|
variable "nfs_server" { type = string }
|
2026-03-07 17:42:05 +00:00
|
|
|
variable "homepage_credentials" {
|
|
|
|
|
type = map(any)
|
|
|
|
|
sensitive = true
|
|
|
|
|
}
|
2024-02-25 16:28:40 +00:00
|
|
|
|
|
|
|
|
|
2026-03-02 02:04:22 +00:00
|
|
|
module "nfs_data" {
|
|
|
|
|
source = "../../../modules/kubernetes/nfs_volume"
|
|
|
|
|
name = "servarr-prowlarr-data"
|
|
|
|
|
namespace = "servarr"
|
|
|
|
|
nfs_server = var.nfs_server
|
|
|
|
|
nfs_path = "/mnt/main/servarr/prowlarr"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
module "nfs_downloads" {
|
|
|
|
|
source = "../../../modules/kubernetes/nfs_volume"
|
|
|
|
|
name = "servarr-prowlarr-downloads"
|
|
|
|
|
namespace = "servarr"
|
|
|
|
|
nfs_server = var.nfs_server
|
|
|
|
|
nfs_path = "/mnt/main/servarr/downloads"
|
|
|
|
|
}
|
|
|
|
|
|
2024-02-25 16:28:40 +00:00
|
|
|
resource "kubernetes_deployment" "prowlarr" {
|
|
|
|
|
metadata {
|
|
|
|
|
name = "prowlarr"
|
2025-09-06 21:41:02 +00:00
|
|
|
namespace = "servarr"
|
2024-02-25 16:28:40 +00:00
|
|
|
labels = {
|
2026-01-10 16:28:12 +00:00
|
|
|
app = "prowlarr"
|
|
|
|
|
tier = var.tier
|
2024-02-25 16:28:40 +00:00
|
|
|
}
|
|
|
|
|
annotations = {
|
|
|
|
|
"reloader.stakater.com/search" = "true"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
spec {
|
|
|
|
|
replicas = 1
|
|
|
|
|
selector {
|
|
|
|
|
match_labels = {
|
|
|
|
|
app = "prowlarr"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
template {
|
|
|
|
|
metadata {
|
|
|
|
|
labels = {
|
|
|
|
|
app = "prowlarr"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
spec {
|
|
|
|
|
container {
|
|
|
|
|
image = "lscr.io/linuxserver/prowlarr:latest"
|
|
|
|
|
name = "prowlarr"
|
|
|
|
|
|
resource quota review: fix OOM risks, close quota gaps, add HA protections
Phase 1 - OOM fixes:
- dashy: increase memory limit 512Mi→1Gi (was at 99% utilization)
- caretta DaemonSet: set explicit resources 300Mi/512Mi (was at 85-98%)
- mysql-operator: add Helm resource values 256Mi/512Mi, create namespace
with tier label (was at 92% of LimitRange default)
- prowlarr, flaresolverr, annas-archive-stacks: add explicit resources
(outgrowing 256Mi LimitRange defaults)
- real-estate-crawler celery: add resources 512Mi/3Gi (608Mi actual, no
explicit resources)
Phase 2 - Close quota gaps:
- nvidia, real-estate-crawler, trading-bot: remove custom-quota=true
labels so Kyverno generates tier-appropriate quotas
- descheduler: add tier=1-cluster label for proper classification
Phase 3 - Reduce excessive quotas:
- monitoring: limits.memory 240Gi→64Gi, limits.cpu 120→64
- woodpecker: limits.memory 128Gi→32Gi, limits.cpu 64→16
- GPU tier default: limits.memory 96Gi→32Gi, limits.cpu 48→16
Phase 4 - Kubelet protection:
- Add cpu: 200m to systemReserved and kubeReserved in kubelet template
Phase 5 - HA improvements:
- cloudflared: add topology spread (ScheduleAnyway) + PDB (maxUnavailable:1)
- grafana: add topology spread + PDB via Helm values
- crowdsec LAPI: add topology spread + PDB via Helm values
- authentik server: add topology spread via Helm values
- authentik worker: add topology spread + PDB via Helm values
2026-03-08 18:17:46 +00:00
|
|
|
resources {
|
|
|
|
|
requests = {
|
|
|
|
|
cpu = "10m"
|
|
|
|
|
memory = "192Mi"
|
|
|
|
|
}
|
|
|
|
|
limits = {
|
|
|
|
|
memory = "384Mi"
|
|
|
|
|
}
|
|
|
|
|
}
|
2024-02-25 16:28:40 +00:00
|
|
|
port {
|
|
|
|
|
container_port = 9696
|
|
|
|
|
}
|
|
|
|
|
env {
|
|
|
|
|
name = "PUID"
|
|
|
|
|
value = 1000
|
|
|
|
|
}
|
|
|
|
|
env {
|
|
|
|
|
name = "PGID"
|
|
|
|
|
value = 1000
|
|
|
|
|
}
|
|
|
|
|
env {
|
|
|
|
|
name = "TZ"
|
|
|
|
|
value = "Etc/UTC"
|
|
|
|
|
}
|
|
|
|
|
volume_mount {
|
|
|
|
|
name = "data"
|
|
|
|
|
mount_path = "/config"
|
|
|
|
|
}
|
|
|
|
|
volume_mount {
|
|
|
|
|
name = "data"
|
|
|
|
|
mount_path = "/books"
|
|
|
|
|
}
|
|
|
|
|
volume_mount {
|
2025-09-06 22:05:56 +00:00
|
|
|
name = "downloads"
|
2024-02-25 16:28:40 +00:00
|
|
|
mount_path = "/downloads"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
volume {
|
|
|
|
|
name = "data"
|
2026-03-02 02:04:22 +00:00
|
|
|
persistent_volume_claim {
|
|
|
|
|
claim_name = module.nfs_data.claim_name
|
2024-02-25 16:28:40 +00:00
|
|
|
}
|
|
|
|
|
}
|
2025-09-06 22:05:56 +00:00
|
|
|
volume {
|
|
|
|
|
name = "downloads"
|
2026-03-02 02:04:22 +00:00
|
|
|
persistent_volume_claim {
|
|
|
|
|
claim_name = module.nfs_downloads.claim_name
|
2025-09-06 22:05:56 +00:00
|
|
|
}
|
|
|
|
|
}
|
2024-02-25 16:28:40 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resource "kubernetes_service" "prowlarr" {
|
|
|
|
|
metadata {
|
|
|
|
|
name = "prowlarr"
|
2025-09-06 21:41:02 +00:00
|
|
|
namespace = "servarr"
|
2024-02-25 16:28:40 +00:00
|
|
|
labels = {
|
|
|
|
|
app = "prowlarr"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
spec {
|
|
|
|
|
selector = {
|
|
|
|
|
app = "prowlarr"
|
|
|
|
|
}
|
|
|
|
|
port {
|
2025-09-06 21:41:02 +00:00
|
|
|
name = "http"
|
|
|
|
|
port = 80
|
|
|
|
|
target_port = 9696
|
2024-02-25 16:28:40 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2025-09-06 21:41:02 +00:00
|
|
|
module "ingress" {
|
2026-02-22 15:13:55 +00:00
|
|
|
source = "../../../modules/kubernetes/ingress_factory"
|
2025-09-06 21:41:02 +00:00
|
|
|
namespace = "servarr"
|
|
|
|
|
name = "prowlarr"
|
|
|
|
|
tls_secret_name = var.tls_secret_name
|
|
|
|
|
protected = true
|
2026-03-07 16:41:36 +00:00
|
|
|
extra_annotations = {
|
|
|
|
|
"gethomepage.dev/enabled" = "true"
|
|
|
|
|
"gethomepage.dev/name" = "Prowlarr"
|
|
|
|
|
"gethomepage.dev/description" = "Indexer manager"
|
|
|
|
|
"gethomepage.dev/icon" = "prowlarr.png"
|
|
|
|
|
"gethomepage.dev/group" = "Media & Entertainment"
|
|
|
|
|
"gethomepage.dev/pod-selector" = ""
|
2026-03-07 17:42:05 +00:00
|
|
|
"gethomepage.dev/widget.type" = "prowlarr"
|
|
|
|
|
"gethomepage.dev/widget.url" = "http://prowlarr.servarr.svc.cluster.local"
|
|
|
|
|
"gethomepage.dev/widget.key" = var.homepage_credentials["prowlarr"]["api_key"]
|
2026-03-07 16:41:36 +00:00
|
|
|
}
|
2024-02-25 16:28:40 +00:00
|
|
|
}
|