[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability

Phase 1 - Critical Security: - Netbox: move hardcoded DB/superuser passwords to variables - MeshCentral: disable public registration, add Authentik auth - Traefik: disable insecure API dashboard (api.insecure=false) - Traefik: configure forwarded headers with Cloudflare trusted IPs Phase 2 - Security Hardening: - Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.) - Add Kyverno pod security policies in audit mode (privileged, host namespaces, SYS_ADMIN, trusted registries) - Tighten rate limiting (avg=10, burst=50) - Add Authentik protection to grampsweb Phase 3 - Monitoring & Alerting: - Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale, Authentik, Loki) - Increase Loki retention from 7 to 30 days (720h) - Add predictive PV filling alert (predict_linear) - Re-enable Hackmd and Privatebin down alerts Phase 4 - Reliability: - Add resource requests/limits to Redis, DBaaS, Technitium, Headscale, Vaultwarden, Uptime Kuma - Increase Alloy DaemonSet memory to 512Mi/1Gi Phase 6 - Maintainability: - Extract duplicated tiers locals to terragrunt.hcl generate block (removed from 67 stacks) - Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114 instances across 63 files) - Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references with variables across ~35 stacks - Migrate xray raw ingress resources to ingress_factory modules
2026-02-23 22:05:28 +00:00 · 2026-02-23 22:05:28 +00:00 · 89a6e08245
commit 89a6e08245
parent 1b4737c90c
104 changed files with 773 additions and 920 deletions
--- a/stacks/platform/modules/xray/main.tf
+++ b/stacks/platform/modules/xray/main.tf
@ -186,109 +186,36 @@ resource "kubernetes_service" "xray-reality" {
  }
 }

-resource "kubernetes_ingress_v1" "ingress" {
-  metadata {
-    namespace = kubernetes_namespace.xray.metadata[0].name
-    name      = "xray"
-    annotations = {
-      "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd"
-      "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
-    }
-  }
+module "ingress_ws" {
+  source          = "../../../../modules/kubernetes/ingress_factory"
+  namespace       = kubernetes_namespace.xray.metadata[0].name
+  name            = "xray-ws"
+  service_name    = "xray"
+  host            = "xray-ws"
+  port            = 8443
+  tls_secret_name = var.tls_secret_name
+}

-  spec {
-    ingress_class_name = "traefik"
-    tls {
-      hosts       = ["xray-ws.viktorbarzin.me"]
-      secret_name = var.tls_secret_name
-    }
-    rule {
-      host = "xray-ws.viktorbarzin.me"
-      http {
-        path {
-          backend {
-            service {
-              name = "xray"
-              port {
-                number = 8443
-
-              }
-            }
-          }
-        }
-      }
-    }
+module "ingress_grpc" {
+  source          = "../../../../modules/kubernetes/ingress_factory"
+  namespace       = kubernetes_namespace.xray.metadata[0].name
+  name            = "xray-grpc"
+  service_name    = "xray"
+  host            = "xray-grpc"
+  port            = 9443
+  tls_secret_name = var.tls_secret_name
+  ingress_path    = ["/grpc-vpn"]
+  extra_annotations = {
+    "traefik.ingress.kubernetes.io/service.serversscheme" = "h2c"
  }
 }

-resource "kubernetes_ingress_v1" "ingress-grpc" {
-  metadata {
-    namespace = kubernetes_namespace.xray.metadata[0].name
-    name      = "xray-grpc"
-    annotations = {
-      "traefik.ingress.kubernetes.io/router.middlewares"    = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd"
-      "traefik.ingress.kubernetes.io/router.entrypoints"    = "websecure"
-      "traefik.ingress.kubernetes.io/service.serversscheme" = "h2c"
-    }
-  }
-
-  spec {
-    ingress_class_name = "traefik"
-    tls {
-      hosts       = ["xray-grpc.viktorbarzin.me"]
-      secret_name = var.tls_secret_name
-    }
-    rule {
-      host = "xray-grpc.viktorbarzin.me"
-      http {
-        path {
-          path      = "/grpc-vpn"
-          path_type = "Prefix"
-          backend {
-            service {
-              name = "xray"
-              port {
-                number = 9443
-              }
-            }
-          }
-        }
-      }
-    }
-  }
-}
-
-resource "kubernetes_ingress_v1" "ingress-vless" {
-  metadata {
-    namespace = kubernetes_namespace.xray.metadata[0].name
-    name      = "xray-vless"
-    annotations = {
-      "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd"
-      "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
-    }
-  }
-
-  spec {
-    ingress_class_name = "traefik"
-    tls {
-      hosts       = ["xray-vless.viktorbarzin.me"]
-      secret_name = var.tls_secret_name
-    }
-    rule {
-      host = "xray-vless.viktorbarzin.me"
-      http {
-        path {
-          backend {
-            service {
-              name = "xray"
-              port {
-                number = 6443
-
-              }
-            }
-          }
-        }
-      }
-    }
-  }
+module "ingress_vless" {
+  source          = "../../../../modules/kubernetes/ingress_factory"
+  namespace       = kubernetes_namespace.xray.metadata[0].name
+  name            = "xray-vless"
+  service_name    = "xray"
+  host            = "xray-vless"
+  port            = 6443
+  tls_secret_name = var.tls_secret_name
 }