2d919c4d34
Phase 1 - Critical Security: - Netbox: move hardcoded DB/superuser passwords to variables - MeshCentral: disable public registration, add Authentik auth - Traefik: disable insecure API dashboard (api.insecure=false) - Traefik: configure forwarded headers with Cloudflare trusted IPs Phase 2 - Security Hardening: - Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.) - Add Kyverno pod security policies in audit mode (privileged, host namespaces, SYS_ADMIN, trusted registries) - Tighten rate limiting (avg=10, burst=50) - Add Authentik protection to grampsweb Phase 3 - Monitoring & Alerting: - Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale, Authentik, Loki) - Increase Loki retention from 7 to 30 days (720h) - Add predictive PV filling alert (predict_linear) - Re-enable Hackmd and Privatebin down alerts Phase 4 - Reliability: - Add resource requests/limits to Redis, DBaaS, Technitium, Headscale, Vaultwarden, Uptime Kuma - Increase Alloy DaemonSet memory to 512Mi/1Gi Phase 6 - Maintainability: - Extract duplicated tiers locals to terragrunt.hcl generate block (removed from 67 stacks) - Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114 instances across 63 files) - Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references with variables across ~35 stacks - Migrate xray raw ingress resources to ingress_factory modules
50 lines
1.4 KiB
YAML
50 lines
1.4 KiB
YAML
server:
|
|
enabled: true
|
|
statefulSet:
|
|
replicaCount: 1
|
|
image:
|
|
registry: docker.io
|
|
repository: woodpeckerci/woodpecker-server
|
|
tag: "v3.13.0"
|
|
env:
|
|
WOODPECKER_HOST: "https://ci.viktorbarzin.me"
|
|
WOODPECKER_ADMIN: "ViktorBarzin"
|
|
WOODPECKER_OPEN: "false"
|
|
WOODPECKER_GITHUB: "true"
|
|
WOODPECKER_GITHUB_CLIENT: "${github_client_id}"
|
|
WOODPECKER_GITHUB_SECRET: "${github_client_secret}"
|
|
WOODPECKER_AGENT_SECRET: "${agent_secret}"
|
|
WOODPECKER_DATABASE_DRIVER: "postgres"
|
|
WOODPECKER_DATABASE_DATASOURCE: "postgres://woodpecker:${db_password}@${postgresql_host}:5432/woodpecker?sslmode=disable"
|
|
WOODPECKER_PLUGINS_PRIVILEGED: "woodpeckerci/plugin-docker-buildx,plugins/docker"
|
|
WOODPECKER_PLUGINS_TRUSTED_CLONE: "woodpeckerci/plugin-git,alpine"
|
|
WOODPECKER_LOG_LEVEL: "info"
|
|
service:
|
|
type: ClusterIP
|
|
port: 80
|
|
# Disable built-in ingress (using ingress_factory)
|
|
ingress:
|
|
enabled: false
|
|
# Disable PVC (using PostgreSQL instead of SQLite)
|
|
persistence:
|
|
enabled: false
|
|
|
|
agent:
|
|
enabled: true
|
|
replicaCount: 2
|
|
image:
|
|
registry: docker.io
|
|
repository: woodpeckerci/woodpecker-agent
|
|
tag: "v3.13.0"
|
|
env:
|
|
WOODPECKER_BACKEND: "kubernetes"
|
|
WOODPECKER_BACKEND_K8S_NAMESPACE: "woodpecker"
|
|
WOODPECKER_MAX_WORKFLOWS: "2"
|
|
WOODPECKER_AGENT_SECRET: "${agent_secret}"
|
|
persistence:
|
|
enabled: false
|
|
rbac:
|
|
create: true
|
|
serviceAccount:
|
|
create: true
|
|
name: "woodpecker-agent"
|