Commit graph

20 commits

Author SHA1 Message Date
Viktor Barzin
f03b8a055b [ci skip] Fix rewrite-body plugin corrupting compressed responses
The packruler/rewrite-body plugin (used for rybbit analytics injection)
fails to decompress gzip responses with "flate: corrupt input before
offset 5", corrupting the response body. This broke HA Companion app's
external_auth flow and WebSocket connections on ha-sofia.

Fix: add a strip-accept-encoding middleware that removes Accept-Encoding
from requests when rybbit is active, forcing backends to send uncompressed
responses that the plugin can safely process.

Also add extra_middlewares variable to reverse_proxy factory for
extensibility.
2026-02-11 21:40:11 +00:00
Viktor Barzin
6d6ec0c1e2 [ci skip] Refactor raw ingresses to use ingress_factory module
Enhance ingress_factory with full_host, extra_middlewares, and
skip_default_rate_limit variables. Fix TLS hosts bug to use
effective_host. Migrate 13 services from raw kubernetes_ingress_v1
resources to centralized ingress_factory module calls, removing
manual rybbit middleware CRDs where the factory now handles them.
2026-02-10 21:11:46 +00:00
Viktor Barzin
43cdebe791 Migrate ingress_factory from nginx to Traefik annotations
- Replace nginx ingress class and annotations with Traefik middleware CRDs
- Add Traefik router middleware chain: rate-limit, CSP, CrowdSec, Authentik
- Remove nginx-specific proxy settings (handled by Traefik config)
- Add exclude_crowdsec and custom_content_security_policy options
- Add rybbit analytics and custom CSP middleware resources
2026-02-07 13:24:58 +00:00
Viktor Barzin
fd4dc96372 Forward authentik response headers through ingress
Add auth-response-headers annotation to pass user identity headers
(username, uid, email, name, groups) from authentik to backend services.
2026-02-06 20:26:21 +00:00
Viktor Barzin
c17b481346 disallow my sites from being iframed [ci skip] 2026-01-18 13:41:20 +00:00
Viktor Barzin
7e8f73452c add ipv6 addresses to the ingress factory [ci skip] 2026-01-07 18:54:37 +00:00
Viktor Barzin
c58c577a9c upgrade proxmox provider and some other tf [ci skip] 2025-12-18 11:41:33 +00:00
Viktor Barzin
31af5ec01d add additional configuration for ingress [ci skip] 2025-12-18 10:45:03 +00:00
Viktor Barzin
7afd3e758e add rybbit monitoring to ingresses [ci skip] 2025-12-18 08:53:19 +00:00
Viktor Barzin
4d4075dcf7 increase burst for 429 in ingress factory [ci skip] 2025-12-14 19:08:22 +00:00
Viktor Barzin
554699e712 refactor ingress to add more params [ci skip] 2025-12-14 09:50:15 +00:00
Viktor Barzin
57cbf9543c increase rpm limit to 100 to prevent accidental blocks [ci skip] 2025-12-02 19:24:05 +00:00
Viktor Barzin
f477f6bf9f increase rps to 5 for all ingresses [ci skip] 2025-10-17 23:06:56 +00:00
Viktor Barzin
9fbe6bf73d reduce req limits quite a bit to be on the safe side [ci skip] 2025-10-16 21:11:23 +00:00
Viktor Barzin
f17d73cc62 add crowdsec policies for 403 and 429; use nginx to rate limit brute force attacks and then ban them [ci skip] 2025-10-13 20:12:37 +00:00
Viktor Barzin
5eb8d77590 increase rpm limit to ingresses 2025-02-02 17:20:43 +00:00
Viktor Barzin
ca9765ebba tune ddos protection settings [ci skip] 2025-01-16 22:49:46 +00:00
Viktor Barzin
7e1a28fb27 add ddos protection in ingress factory [ci skip] 2025-01-16 22:08:19 +00:00
Viktor Barzin
13abb70576 use ingress factory for all hosted ingresses [ci skip] 2025-01-14 22:53:04 +00:00
Viktor Barzin
3b9baa9f47 add ingress factory stub [ci skip] 2025-01-14 20:52:20 +00:00