[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability

Phase 1 - Critical Security: - Netbox: move hardcoded DB/superuser passwords to variables - MeshCentral: disable public registration, add Authentik auth - Traefik: disable insecure API dashboard (api.insecure=false) - Traefik: configure forwarded headers with Cloudflare trusted IPs Phase 2 - Security Hardening: - Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.) - Add Kyverno pod security policies in audit mode (privileged, host namespaces, SYS_ADMIN, trusted registries) - Tighten rate limiting (avg=10, burst=50) - Add Authentik protection to grampsweb Phase 3 - Monitoring & Alerting: - Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale, Authentik, Loki) - Increase Loki retention from 7 to 30 days (720h) - Add predictive PV filling alert (predict_linear) - Re-enable Hackmd and Privatebin down alerts Phase 4 - Reliability: - Add resource requests/limits to Redis, DBaaS, Technitium, Headscale, Vaultwarden, Uptime Kuma - Increase Alloy DaemonSet memory to 512Mi/1Gi Phase 6 - Maintainability: - Extract duplicated tiers locals to terragrunt.hcl generate block (removed from 67 stacks) - Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114 instances across 63 files) - Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references with variables across ~35 stacks - Migrate xray raw ingress resources to ingress_factory modules
2026-02-23 22:05:28 +00:00 · 2026-02-23 22:05:28 +00:00 · 89a6e08245
commit 89a6e08245
parent 1b4737c90c
104 changed files with 773 additions and 920 deletions
--- a/stacks/platform/modules/traefik/main.tf
+++ b/stacks/platform/modules/traefik/main.tf
@ -80,7 +80,7 @@ resource "helm_release" "traefik" {

    # Enable dashboard API (accessible on port 8080 internally)
    api = {
-      insecure = true
+      insecure = false
    }

    # Entrypoints
@ -174,7 +174,6 @@ resource "helm_release" "traefik" {
    }

    additionalArguments = [
-      "--api.insecure=true",
      "--global.checknewversion=false",
      "--global.sendanonymoususage=false",
      # Skip TLS verification for self-signed backend certs (proxmox, idrac, etc.)
@ -184,8 +183,10 @@ resource "helm_release" "traefik" {
      "--serversTransport.forwardingTimeouts.responseHeaderTimeout=0s",
      "--serversTransport.forwardingTimeouts.idleConnTimeout=90s",
      # Use forwarded headers from trusted proxies
-      "--entryPoints.websecure.forwardedHeaders.insecure=true",
-      "--entryPoints.web.forwardedHeaders.insecure=true",
+      "--entryPoints.websecure.forwardedHeaders.insecure=false",
+      "--entryPoints.web.forwardedHeaders.insecure=false",
+      "--entryPoints.websecure.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,10.0.0.0/8,192.168.0.0/16",
+      "--entryPoints.web.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,10.0.0.0/8,192.168.0.0/16",
    ]

    resources = {
--- a/stacks/platform/modules/traefik/middleware.tf
+++ b/stacks/platform/modules/traefik/middleware.tf
@ -13,8 +13,8 @@ resource "kubernetes_manifest" "middleware_rate_limit" {
    }
    spec = {
      rateLimit = {
-        average = 5
-        burst   = 250
+        average = 10
+        burst   = 50
      }
    }
  }
@ -113,6 +113,31 @@ resource "kubernetes_manifest" "middleware_csp_headers" {
  depends_on = [helm_release.traefik]
 }

+# Security headers middleware (HSTS, X-Frame-Options, etc.)
+resource "kubernetes_manifest" "middleware_security_headers" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "Middleware"
+    metadata = {
+      name      = "security-headers"
+      namespace = kubernetes_namespace.traefik.metadata[0].name
+    }
+    spec = {
+      headers = {
+        stsSeconds           = 31536000
+        stsIncludeSubdomains = true
+        frameDeny            = true
+        contentTypeNosniff   = true
+        browserXssFilter     = true
+        referrerPolicy       = "strict-origin-when-cross-origin"
+        permissionsPolicy    = "camera=(), microphone=(), geolocation=()"
+      }
+    }
+  }
+
+  depends_on = [helm_release.traefik]
+}
+
 # CrowdSec bouncer plugin middleware
 resource "kubernetes_manifest" "middleware_crowdsec" {
  manifest = {