viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability

Browse source 
Phase 1 - Critical Security:
- Netbox: move hardcoded DB/superuser passwords to variables
- MeshCentral: disable public registration, add Authentik auth
- Traefik: disable insecure API dashboard (api.insecure=false)
- Traefik: configure forwarded headers with Cloudflare trusted IPs

Phase 2 - Security Hardening:
- Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.)
- Add Kyverno pod security policies in audit mode (privileged, host
  namespaces, SYS_ADMIN, trusted registries)
- Tighten rate limiting (avg=10, burst=50)
- Add Authentik protection to grampsweb

Phase 3 - Monitoring & Alerting:
- Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale,
  Authentik, Loki)
- Increase Loki retention from 7 to 30 days (720h)
- Add predictive PV filling alert (predict_linear)
- Re-enable Hackmd and Privatebin down alerts

Phase 4 - Reliability:
- Add resource requests/limits to Redis, DBaaS, Technitium, Headscale,
  Vaultwarden, Uptime Kuma
- Increase Alloy DaemonSet memory to 512Mi/1Gi

Phase 6 - Maintainability:
- Extract duplicated tiers locals to terragrunt.hcl generate block
  (removed from 67 stacks)
- Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114
  instances across 63 files)
- Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references
  with variables across ~35 stacks
- Migrate xray raw ingress resources to ingress_factory modules
This commit is contained in:
Viktor Barzin 2026-02-23 22:05:28 +00:00
parent 1b4737c90c
commit 89a6e08245
104 changed files with 773 additions and 920 deletions
Download patch file Download diff file Expand all files Collapse all files

35
stacks/platform/modules/dbaas/main.tf
View file

@ -11,6 +11,7 @@ variable "prod" {
default = false
type = bool
}
variable "nfs_server" { type = string }
resource "kubernetes_namespace" "dbaas" {
metadata {
@ -131,6 +132,18 @@ resource "kubernetes_deployment" "mysql" {
container {
image = "mysql:9.2.0"
name = "mysql"
resources {
requests = {
cpu = "250m"
memory = "512Mi"
}
limits = {
cpu = "1"
memory = "2Gi"
}
}
env {
name = "MYSQL_ROOT_PASSWORD"
value = var.dbaas_root_password
@ -153,7 +166,7 @@ resource "kubernetes_deployment" "mysql" {
name = "mysql-persistent-storage"
nfs {
path = "/mnt/main/mysql"
server = "10.0.10.15"
server = var.nfs_server
}
}
@ -219,7 +232,7 @@ resource "kubernetes_cron_job_v1" "mysql-backup" {
name = "mysql-backup"
nfs {
path = "/mnt/main/mysql-backup"
server = "10.0.10.15"
server = var.nfs_server
}
}
}
@ -717,6 +730,18 @@ resource "kubernetes_deployment" "postgres" {
image = "viktorbarzin/postgres:16-master" # mix of postgis + pgvector
# image = "postgres:17.2-bullseye" # needs pg_upgrade to data dir
name = "postgresql"
resources {
requests = {
cpu = "250m"
memory = "512Mi"
}
limits = {
cpu = "1"
memory = "2Gi"
}
}
env {
name = "POSTGRES_PASSWORD"
value = var.postgresql_root_password
@ -744,7 +769,7 @@ resource "kubernetes_deployment" "postgres" {
name = "postgresql-persistent-storage"
nfs {
path = "/mnt/main/postgresql/data"
server = "10.0.10.15"
server = var.nfs_server
}
}
# volume {
@ -830,7 +855,7 @@ resource "kubernetes_deployment" "pgadmin" {
# }
nfs {
path = "/mnt/main/postgresql/pgadmin"
server = "10.0.10.15"
server = var.nfs_server
}
}
}
@ -905,7 +930,7 @@ resource "kubernetes_cron_job_v1" "postgresql-backup" {
name = "postgresql-backup"
nfs {
path = "/mnt/main/postgresql-backup"
server = "10.0.10.15"
server = var.nfs_server
}
}
}