[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability

Phase 1 - Critical Security: - Netbox: move hardcoded DB/superuser passwords to variables - MeshCentral: disable public registration, add Authentik auth - Traefik: disable insecure API dashboard (api.insecure=false) - Traefik: configure forwarded headers with Cloudflare trusted IPs Phase 2 - Security Hardening: - Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.) - Add Kyverno pod security policies in audit mode (privileged, host namespaces, SYS_ADMIN, trusted registries) - Tighten rate limiting (avg=10, burst=50) - Add Authentik protection to grampsweb Phase 3 - Monitoring & Alerting: - Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale, Authentik, Loki) - Increase Loki retention from 7 to 30 days (720h) - Add predictive PV filling alert (predict_linear) - Re-enable Hackmd and Privatebin down alerts Phase 4 - Reliability: - Add resource requests/limits to Redis, DBaaS, Technitium, Headscale, Vaultwarden, Uptime Kuma - Increase Alloy DaemonSet memory to 512Mi/1Gi Phase 6 - Maintainability: - Extract duplicated tiers locals to terragrunt.hcl generate block (removed from 67 stacks) - Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114 instances across 63 files) - Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references with variables across ~35 stacks - Migrate xray raw ingress resources to ingress_factory modules
2026-02-23 22:05:28 +00:00 · 2026-02-23 22:05:28 +00:00 · 2d919c4d34
commit 2d919c4d34
parent 48083bb1fd
105 changed files with 773 additions and 920 deletions
--- a/stacks/platform/modules/vaultwarden/main.tf
+++ b/stacks/platform/modules/vaultwarden/main.tf
@ -1,6 +1,8 @@
 variable "tls_secret_name" {}
 variable "tier" { type = string }
 variable "smtp_password" {}
+variable "nfs_server" { type = string }
+variable "mail_host" { type = string }

 resource "kubernetes_namespace" "vaultwarden" {
  metadata {
@ -51,6 +53,18 @@ resource "kubernetes_deployment" "vaultwarden" {
        container {
          image = "vaultwarden/server:1.35.2"
          name  = "vaultwarden"
+
+          resources {
+            requests = {
+              cpu    = "50m"
+              memory = "64Mi"
+            }
+            limits = {
+              cpu    = "200m"
+              memory = "256Mi"
+            }
+          }
+
          env {
            name  = "DOMAIN"
            value = "https://vaultwarden.viktorbarzin.me"
@ -61,7 +75,7 @@ resource "kubernetes_deployment" "vaultwarden" {
          # }
          env {
            name  = "SMTP_HOST"
-            value = "mail.viktorbarzin.me"
+            value = var.mail_host
          }
          env {
            name  = "SMTP_FROM"
@ -96,7 +110,7 @@ resource "kubernetes_deployment" "vaultwarden" {
          name = "data"
          nfs {
            path   = "/mnt/main/vaultwarden"
-            server = "10.0.10.15"
+            server = var.nfs_server
          }
        }
      }