[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability

Phase 1 - Critical Security: - Netbox: move hardcoded DB/superuser passwords to variables - MeshCentral: disable public registration, add Authentik auth - Traefik: disable insecure API dashboard (api.insecure=false) - Traefik: configure forwarded headers with Cloudflare trusted IPs Phase 2 - Security Hardening: - Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.) - Add Kyverno pod security policies in audit mode (privileged, host namespaces, SYS_ADMIN, trusted registries) - Tighten rate limiting (avg=10, burst=50) - Add Authentik protection to grampsweb Phase 3 - Monitoring & Alerting: - Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale, Authentik, Loki) - Increase Loki retention from 7 to 30 days (720h) - Add predictive PV filling alert (predict_linear) - Re-enable Hackmd and Privatebin down alerts Phase 4 - Reliability: - Add resource requests/limits to Redis, DBaaS, Technitium, Headscale, Vaultwarden, Uptime Kuma - Increase Alloy DaemonSet memory to 512Mi/1Gi Phase 6 - Maintainability: - Extract duplicated tiers locals to terragrunt.hcl generate block (removed from 67 stacks) - Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114 instances across 63 files) - Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references with variables across ~35 stacks - Migrate xray raw ingress resources to ingress_factory modules
2026-02-23 22:05:28 +00:00 · 2026-02-23 22:05:28 +00:00 · 89a6e08245
commit 89a6e08245
parent 1b4737c90c
104 changed files with 773 additions and 920 deletions
--- a/stacks/platform/modules/mailserver/main.tf
+++ b/stacks/platform/modules/mailserver/main.tf
@ -4,6 +4,7 @@ variable "mailserver_accounts" {}
 variable "postfix_account_aliases" {}
 variable "opendkim_key" {}
 variable "sasl_passwd" {} # For sendgrid i.e relayhost
+variable "nfs_server" { type = string }

 resource "kubernetes_namespace" "mailserver" {
  metadata {
@ -106,7 +107,7 @@ resource "kubernetes_config_map" "mailserver_config" {
        }
    }
    EOF
-    fail2ban_conf = <<-EOF
+    fail2ban_conf       = <<-EOF
    [DEFAULT]

    #logtarget = /var/log/fail2ban.log
@ -393,7 +394,7 @@ resource "kubernetes_deployment" "mailserver" {
          name = "data"
          nfs {
            path   = "/mnt/main/mailserver"
-            server = "10.0.10.15"
+            server = var.nfs_server
          }
          # iscsi {
          #   target_portal = "iscsi.viktorbarzin.lan:3260"
--- a/stacks/platform/modules/mailserver/roundcubemail.tf
+++ b/stacks/platform/modules/mailserver/roundcubemail.tf
@ -1,4 +1,5 @@
 variable "roundcube_db_password" { type = string }
+variable "mysql_host" { type = string }

 # If you want to override settings mount this in /var/roundcube/config
 # more info in https://github.com/roundcube/roundcubemail-docker?tab=readme-ov-file
@ -89,7 +90,7 @@ resource "kubernetes_deployment" "roundcubemail" {
          }
          env {
            name  = "ROUNDCUBEMAIL_DB_HOST"
-            value = "mysql.dbaas"
+            value = var.mysql_host
          }
          env {
            name  = "ROUNDCUBEMAIL_DB_USER"
@ -148,14 +149,14 @@ resource "kubernetes_deployment" "roundcubemail" {
          name = "html"
          nfs {
            path   = "/mnt/main/roundcubemail/html"
-            server = "10.0.10.15"
+            server = var.nfs_server
          }
        }
        volume {
          name = "enigma"
          nfs {
            path   = "/mnt/main/roundcubemail/enigma"
-            server = "10.0.10.15"
+            server = var.nfs_server
          }
        }
      }