Phase 1 - Critical Security:
- Netbox: move hardcoded DB/superuser passwords to variables
- MeshCentral: disable public registration, add Authentik auth
- Traefik: disable insecure API dashboard (api.insecure=false)
- Traefik: configure forwarded headers with Cloudflare trusted IPs

Phase 2 - Security Hardening:
- Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.)
- Add Kyverno pod security policies in audit mode (privileged, host namespaces, SYS_ADMIN, trusted registries)
- Tighten rate limiting (avg=10, burst=50)
- Add Authentik protection to grampsweb

Phase 3 - Monitoring & Alerting:
- Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale, Authentik, Loki)
- Increase Loki retention from 7 to 30 days (720h)
- Add predictive PV filling alert (predict_linear)
- Re-enable Hackmd and Privatebin down alerts

Phase 4 - Reliability:
- Add resource requests/limits to Redis, DBaaS, Technitium, Headscale, Vaultwarden, Uptime Kuma
- Increase Alloy DaemonSet memory to 512Mi/1Gi

Phase 6 - Maintainability:
- Extract duplicated tiers locals to terragrunt.hcl generate block (removed from 67 stacks)
- Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114 instances across 63 files)
- Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references with variables across ~35 stacks
- Migrate xray raw ingress resources to ingress_factory modules
nextcloud:
|
|
host: nextcloud.viktorbarzin.me
|
|
trustedDomains:
|
|
- nextcloud.viktorbarzin.me
|
|
# mail:
|
|
# enabled: true
|
|
# # the user we send email as
|
|
# fromAddress: nextcloud@viktorbarzin.me
|
|
# # the domain we send email from
|
|
# domain: viktorbarzin.me
|
|
# smtp:
|
|
# host: mail.viktorbarzin.me
|
|
# secure: starttls
|
|
# port: 587
|
|
# authtype: LOGIN
|
|
# name: nextcloud@viktorbarzin.me
|
|
# password:
|
|
extraEnv:
|
|
- name: TRUSTED_PROXIES
|
|
value: "10.0.0.0/8"
|
|
# - name: mail_smtpdebug
|
|
# value: "true"
|
|
# - name: loglevel
|
|
# value: "0"
|
|
|
|
# internalDatabase:
|
|
# enabled: false
|
|
|
|
externalRedis:
|
|
enabled: true
|
|
host: ${redis_host}
|
|
|
|
# Currently not in use; we use the nextcloud.db sqlite3
|
|
externalDatabase:
|
|
enabled: false
|
|
type: mysql
|
|
host: ${mysql_host}
|
|
user: nextcloud
|
|
password: ${db_password}
|
|
databse: nextcloud
|
|
|
|
persistence:
|
|
enabled: true
|
|
existingClaim: nextcloud-data-pvc
|
|
|
|
accessMode: ReadWriteOnce
|
|
size: 100Gi
|
|
|
|
startupProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 30
|
|
successThreshold: 1
|
|
|
|
podAnnotations:
|
|
diun.enable: "true"
|
|
diun.include_tags: "^[0-9]+(?:.[0-9]+)?(?:.[0-9]+)?.*"
|
|
|
|
collabora:
|
|
enabled: false # Using onlyoffice instead
|
|
|
|
cronjob:
|
|
enabled: true
|
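Review bot: The `externalDatabase` block misspells its last key as `databse: nextcloud`; the chart will silently ignore the unknown key and fall back to its default database name the moment `enabled` is flipped to `true`, so it should read `database: nextcloud`. The templated scalars `host: ${redis_host}`, `host: ${mysql_host}` and `password: ${db_password}` are unquoted, so a rendered value that is empty, starts with a YAML indicator, or looks numeric or boolean will become `null` or be mis-typed rather than passed through as a string; if this file is rendered with Terraform's templatefile, `password: ${jsonencode(db_password)}` is the safest form, otherwise `"${db_password}"` when the value is known not to contain quotes or backslashes. `TRUSTED_PROXIES` is set to `"10.0.0.0/8"`, which lets any address in that range supply forwarded headers that Nextcloud then treats as the real client IP in its logs and brute-force protection; presumably only the ingress controller's pod/service CIDR needs to be trusted, which is worth narrowing after confirming the cluster layout. The `diun.include_tags` regex uses unescaped dots, which match any character, and the trailing `.*` makes the anchoring loose anyway; in single quotes it can be written `'^[0-9]+(?:\.[0-9]+)?(?:\.[0-9]+)?.*'`.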