viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/stacks
History
Viktor Barzin 89a6e08245 [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 
Phase 1 - Critical Security:
- Netbox: move hardcoded DB/superuser passwords to variables
- MeshCentral: disable public registration, add Authentik auth
- Traefik: disable insecure API dashboard (api.insecure=false)
- Traefik: configure forwarded headers with Cloudflare trusted IPs

Phase 2 - Security Hardening:
- Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.)
- Add Kyverno pod security policies in audit mode (privileged, host
  namespaces, SYS_ADMIN, trusted registries)
- Tighten rate limiting (avg=10, burst=50)
- Add Authentik protection to grampsweb

Phase 3 - Monitoring & Alerting:
- Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale,
  Authentik, Loki)
- Increase Loki retention from 7 to 30 days (720h)
- Add predictive PV filling alert (predict_linear)
- Re-enable Hackmd and Privatebin down alerts

Phase 4 - Reliability:
- Add resource requests/limits to Redis, DBaaS, Technitium, Headscale,
  Vaultwarden, Uptime Kuma
- Increase Alloy DaemonSet memory to 512Mi/1Gi

Phase 6 - Maintainability:
- Extract duplicated tiers locals to terragrunt.hcl generate block
  (removed from 67 stacks)
- Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114
  instances across 63 files)
- Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references
  with variables across ~35 stacks
- Migrate xray raw ingress resources to ingress_factory modules
2026-02-23 22:05:28 +00:00
..
actualbudget [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
affine [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
audiobookshelf [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
blog [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
calibre [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
changedetection [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
city-guesser [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
coturn [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
cyberchef [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
dashy [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
dawarich [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
descheduler [ci skip] Flatten module wrappers into stack roots 2026-02-22 15:13:55 +00:00
diun [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
ebook2audiobook [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
echo [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
excalidraw [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
f1-stream [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
forgejo [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
freedify [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
freshrss [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
frigate [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
grampsweb [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
hackmd [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
health [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
homepage [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
immich [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
infra [ci skip] Rebuild docker-registry with nginx serialization on all ports 2026-02-22 21:45:53 +00:00
isponsorblocktv [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
jsoncrack [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
k8s-dashboard [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
kms [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
linkwarden [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
matrix [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
meshcentral [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
n8n [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
navidrome [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
netbox [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
networking-toolbox [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
nextcloud [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
ntfy [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
ollama [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
onlyoffice [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
openclaw [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
osm_routing [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
owntracks [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
paperless-ngx [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
platform [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
plotting-book [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
poison-fountain [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
privatebin [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
real-estate-crawler [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
reloader [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
resume [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
rybbit [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
send [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
servarr [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
shadowsocks [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
speedtest [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
stirling-pdf [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
tandoor [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
tor-proxy [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
travel_blog [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
tuya-bridge [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
url [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
wealthfolio [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
webhook_handler [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
whisper [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
woodpecker [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00
ytdlp [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 2026-02-23 22:05:28 +00:00