security: harden traefik auth flow — fix header spoofing, TLS leak, DERP rate-limit

- Auth-proxy fallback now sets ALL X-authentik-* headers (username, uid, email, name, groups) to prevent client-supplied header spoofing when Authentik is down. Previously only username was set, allowing a malicious client to inject fake X-authentik-groups. - Catch-all IngressRoute restricted to *.viktorbarzin.me only. Non-matching domains no longer get the wildcard cert served (TLS info leak). - Added rate-limit and CrowdSec middleware to catch-all IngressRoute. - Added rate-limit middleware to Headscale DERP IngressRoute. - Rotated auth-proxy basicAuth credentials (bcrypt cost 5 → 12, admin → emergency-admin). - Created Authentik brute-force reputation policy (threshold -5, IP+username).
2026-04-05 20:01:06 +03:00 · 2026-04-05 20:01:06 +03:00 · 0e3c0fb503
commit 0e3c0fb503
parent 3d02036a18
3 changed files with 50 additions and 8 deletions
--- a/stacks/headscale/modules/headscale/main.tf
+++ b/stacks/headscale/modules/headscale/main.tf
@ -324,11 +324,17 @@ resource "kubernetes_manifest" "derp_ingress_route" {
          name = kubernetes_service.headscale.metadata[0].name
          port = 8080
        }]
-        # Only retry middleware — no CrowdSec, rate limit, anti-AI, error pages
-        middlewares = [{
-          name      = "retry"
-          namespace = "traefik"
-        }]
+        # Minimal middleware — retry + rate-limit. No CrowdSec/anti-AI (DERP is a relay protocol)
+        middlewares = [
+          {
+            name      = "retry"
+            namespace = "traefik"
+          },
+          {
+            name      = "rate-limit"
+            namespace = "traefik"
+          },
+        ]
      }]
      tls = {
        secretName = var.tls_secret_name