[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability

Phase 1 - Critical Security:
- Netbox: move hardcoded DB/superuser passwords to variables
- MeshCentral: disable public registration, add Authentik auth
- Traefik: disable insecure API dashboard (api.insecure=false)
- Traefik: configure forwarded headers with Cloudflare trusted IPs

Phase 2 - Security Hardening:
- Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.)
- Add Kyverno pod security policies in audit mode (privileged, host
  namespaces, SYS_ADMIN, trusted registries)
- Tighten rate limiting (avg=10, burst=50)
- Add Authentik protection to grampsweb

Phase 3 - Monitoring & Alerting:
- Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale,
  Authentik, Loki)
- Increase Loki retention from 7 to 30 days (720h)
- Add predictive PV filling alert (predict_linear)
- Re-enable Hackmd and Privatebin down alerts

Phase 4 - Reliability:
- Add resource requests/limits to Redis, DBaaS, Technitium, Headscale,
  Vaultwarden, Uptime Kuma
- Increase Alloy DaemonSet memory to 512Mi/1Gi

Phase 6 - Maintainability:
- Extract duplicated tiers locals to terragrunt.hcl generate block
  (removed from 67 stacks)
- Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114
  instances across 63 files)
- Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references
  with variables across ~35 stacks
- Migrate xray raw ingress resources to ingress_factory modules

stacks/nextcloud/chart_values.yaml

@@ -28,13 +28,13 @@ nextcloud:
 
 externalRedis:
   enabled: true
-  host: redis.redis.svc.cluster.local
+  host: ${redis_host}
 
 # Currently not in use; we use the nextcloud.db sqlite3
 externalDatabase:
   enabled: false
   type: mysql
-  host: mysql.dbaas.svc.cluster.local
+  host: ${mysql_host}
   user: nextcloud
   password: ${db_password}
   databse: nextcloud

stacks/nextcloud/main.tf

@@ -1,15 +1,9 @@
 variable "tls_secret_name" { type = string }
 variable "nextcloud_db_password" { type = string }
+variable "nfs_server" { type = string }
+variable "redis_host" { type = string }
+variable "mysql_host" { type = string }
 
-locals {
-  tiers = {
-    core    = "0-core"
-    cluster = "1-cluster"
-    gpu     = "2-gpu"
-    edge    = "3-edge"
-    aux     = "4-aux"
-  }
-}
 
 module "tls_secret" {
   source          = "../../modules/kubernetes/setup_tls_secret"
@@ -36,7 +30,7 @@ resource "helm_release" "nextcloud" {
   atomic     = true
   version    = "8.8.1"
 
-  values  = [templatefile("${path.module}/chart_values.yaml", { tls_secret_name = var.tls_secret_name, db_password = var.nextcloud_db_password })]
+  values  = [templatefile("${path.module}/chart_values.yaml", { tls_secret_name = var.tls_secret_name, db_password = var.nextcloud_db_password, redis_host = var.redis_host, mysql_host = var.mysql_host })]
   timeout = 6000
 }
 
@@ -136,7 +130,7 @@ resource "kubernetes_persistent_volume" "nextcloud-data-pv" {
     persistent_volume_source {
       nfs {
         path   = "/mnt/main/nextcloud"
-        server = "10.0.10.15"
+        server = var.nfs_server
       }
     }
   }
@@ -298,7 +292,7 @@ resource "kubernetes_cron_job_v1" "nextcloud-backup" {
             volume {
               name = "nextcloud-data"
               nfs {
-                server = "10.0.10.15"
+                server = var.nfs_server
                 path   = "/mnt/main/nextcloud"
               }
             }
@@ -306,7 +300,7 @@ resource "kubernetes_cron_job_v1" "nextcloud-backup" {
             volume {
               name = "backup"
               nfs {
-                server = "10.0.10.15"
+                server = var.nfs_server
                 path   = "/mnt/main/nextcloud-backup"
               }
             }