Viktor Barzin
220f4a18b7
[ci skip] Fix rewrite-body plugin corrupting compressed responses
The packruler/rewrite-body plugin (used for rybbit analytics injection)
fails to decompress gzip responses with "flate: corrupt input before
offset 5", corrupting the response body. This broke HA Companion app's
external_auth flow and WebSocket connections on ha-sofia.
Fix: add a strip-accept-encoding middleware that removes Accept-Encoding
from requests when rybbit is active, forcing backends to send uncompressed
responses that the plugin can safely process.
Also add extra_middlewares variable to reverse_proxy factory for
extensibility.
2026-02-11 21:40:11 +00:00
Viktor Barzin
348d706a48
[ci skip] Refactor raw ingresses to use ingress_factory module
Enhance ingress_factory with full_host, extra_middlewares, and
skip_default_rate_limit variables. Fix TLS hosts bug to use
effective_host. Migrate 13 services from raw kubernetes_ingress_v1
resources to centralized ingress_factory module calls, removing
manual rybbit middleware CRDs where the factory now handles them.
2026-02-10 21:11:46 +00:00
Viktor Barzin
0315dd4044
Migrate ingress_factory from nginx to Traefik annotations
- Replace nginx ingress class and annotations with Traefik middleware CRDs
- Add Traefik router middleware chain: rate-limit, CSP, CrowdSec, Authentik
- Remove nginx-specific proxy settings (handled by Traefik config)
- Add exclude_crowdsec and custom_content_security_policy options
- Add rybbit analytics and custom CSP middleware resources
2026-02-07 13:24:58 +00:00
Viktor Barzin
27c8d60555
Forward authentik response headers through ingress
Add auth-response-headers annotation to pass user identity headers
(username, uid, email, name, groups) from authentik to backend services.
2026-02-06 20:26:21 +00:00
Viktor Barzin
cc419c68b7
disallow my sites from being iframed [ci skip]
2026-01-18 13:41:20 +00:00
Viktor Barzin
38379e9b06
add ipv6 addresses to the ingress factory [ci skip]
2026-01-07 18:54:37 +00:00
Viktor Barzin
c26b03a4b3
upgrade proxmox provider and some other tf [ci skip]
2025-12-18 11:41:33 +00:00
Viktor Barzin
30732a3447
add additional configuration for ingress [ci skip]
2025-12-18 10:45:03 +00:00
Viktor Barzin
d51e0f7aaf
add rybbit monitoring to ingresses [ci skip]
2025-12-18 08:53:19 +00:00
Viktor Barzin
9b20c79212
increase burst for 429 in ingress factory [ci skip]
2025-12-14 19:08:22 +00:00
Viktor Barzin
ce63f0fb3a
refactor ingress to add more params [ci skip]
2025-12-14 09:50:15 +00:00
Viktor Barzin
7b275a413c
increase rpm limit to 100 to prevent accidental blocks [ci skip]
2025-12-02 19:24:05 +00:00
Viktor Barzin
32e90e2a2f
increase rps to 5 for all ingresses [ci skip]
2025-10-17 23:06:56 +00:00
Viktor Barzin
5ce7462b2c
reduce req limits quite a bit to be on the safe side [ci skip]
2025-10-16 21:11:23 +00:00
Viktor Barzin
13b7c880e5
add crowdsec policies for 403 and 429; use nginx to rate limit brute force attacks and then ban them [ci skip]
2025-10-13 20:12:37 +00:00
Viktor Barzin
d700daf61d
increase rpm limit to ingresses
2025-02-02 17:20:43 +00:00
Viktor Barzin
f18509db98
tune ddos protection settings [ci skip]
2025-01-16 22:49:46 +00:00
Viktor Barzin
88aba518e3
add ddos protection in ingress factory [ci skip]
2025-01-16 22:08:19 +00:00
Viktor Barzin
d0e68769e7
use ingress factory for all hosted ingresses [ci skip]
2025-01-14 22:53:04 +00:00
Viktor Barzin
8713946352
add ingress factory stub [ci skip]
2025-01-14 20:52:20 +00:00