89a6e08245
Phase 1 - Critical Security: - Netbox: move hardcoded DB/superuser passwords to variables - MeshCentral: disable public registration, add Authentik auth - Traefik: disable insecure API dashboard (api.insecure=false) - Traefik: configure forwarded headers with Cloudflare trusted IPs Phase 2 - Security Hardening: - Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.) - Add Kyverno pod security policies in audit mode (privileged, host namespaces, SYS_ADMIN, trusted registries) - Tighten rate limiting (avg=10, burst=50) - Add Authentik protection to grampsweb Phase 3 - Monitoring & Alerting: - Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale, Authentik, Loki) - Increase Loki retention from 7 to 30 days (720h) - Add predictive PV filling alert (predict_linear) - Re-enable Hackmd and Privatebin down alerts Phase 4 - Reliability: - Add resource requests/limits to Redis, DBaaS, Technitium, Headscale, Vaultwarden, Uptime Kuma - Increase Alloy DaemonSet memory to 512Mi/1Gi Phase 6 - Maintainability: - Extract duplicated tiers locals to terragrunt.hcl generate block (removed from 67 stacks) - Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114 instances across 63 files) - Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references with variables across ~35 stacks - Migrate xray raw ingress resources to ingress_factory modules
200 lines
4.9 KiB
HCL
200 lines
4.9 KiB
HCL
variable "tls_secret_name" { type = string }
|
|
variable "webhook_handler_secret" { type = string }
|
|
variable "webhook_handler_fb_verify_token" { type = string }
|
|
variable "webhook_handler_fb_page_token" { type = string }
|
|
variable "webhook_handler_fb_app_secret" { type = string }
|
|
variable "webhook_handler_git_user" { type = string }
|
|
variable "webhook_handler_git_token" { type = string }
|
|
variable "webhook_handler_ssh_key" { type = string }
|
|
|
|
|
|
resource "kubernetes_namespace" "webhook-handler" {
|
|
metadata {
|
|
name = "webhook-handler"
|
|
labels = {
|
|
tier = local.tiers.aux
|
|
}
|
|
}
|
|
}
|
|
|
|
module "tls_secret" {
|
|
source = "../../modules/kubernetes/setup_tls_secret"
|
|
namespace = kubernetes_namespace.webhook-handler.metadata[0].name
|
|
tls_secret_name = var.tls_secret_name
|
|
}
|
|
|
|
resource "kubernetes_cluster_role" "deployment_updater" {
|
|
metadata {
|
|
name = "deployment-updater"
|
|
}
|
|
|
|
rule {
|
|
verbs = ["create", "update", "get", "patch", "list"]
|
|
api_groups = ["extensions", "apps", ""]
|
|
resources = ["deployments", "namespaces", "pods", "services"]
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_cluster_role_binding" "update_deployment_binding" {
|
|
metadata {
|
|
name = "update-deployment-binding"
|
|
}
|
|
|
|
subject {
|
|
kind = "ServiceAccount"
|
|
name = "default"
|
|
namespace = kubernetes_namespace.webhook-handler.metadata[0].name
|
|
}
|
|
|
|
role_ref {
|
|
api_group = "rbac.authorization.k8s.io"
|
|
kind = "ClusterRole"
|
|
name = "deployment-updater"
|
|
}
|
|
}
|
|
|
|
|
|
resource "kubernetes_secret" "ssh-key" {
|
|
metadata {
|
|
name = "ssh-key"
|
|
namespace = kubernetes_namespace.webhook-handler.metadata[0].name
|
|
|
|
annotations = {
|
|
"reloader.stakater.com/match" = "true"
|
|
}
|
|
}
|
|
data = {
|
|
"id_rsa" = var.webhook_handler_ssh_key
|
|
}
|
|
type = "generic"
|
|
}
|
|
resource "kubernetes_deployment" "webhook_handler" {
|
|
metadata {
|
|
name = "webhook-handler"
|
|
namespace = kubernetes_namespace.webhook-handler.metadata[0].name
|
|
labels = {
|
|
app = "webhook-handler"
|
|
tier = local.tiers.aux
|
|
}
|
|
annotations = {
|
|
"reloader.stakater.com/search" = "true"
|
|
}
|
|
}
|
|
spec {
|
|
replicas = 1
|
|
selector {
|
|
match_labels = {
|
|
app = "webhook-handler"
|
|
}
|
|
}
|
|
template {
|
|
metadata {
|
|
labels = {
|
|
app = "webhook-handler"
|
|
}
|
|
}
|
|
spec {
|
|
container {
|
|
# security_context {
|
|
# run_as_user = 1000
|
|
# }
|
|
# lifecycle {
|
|
# post_start {
|
|
# exec {
|
|
# # Must be kept in sycn with webhook_handler dockerfile
|
|
# command = ["echo", "\"$SSH_KEY\"", ">", "/opt/id_rsa", "&&", "chown", "appuser", "/opt/id_rsa", "&&", "chmod", "600", "/opt/id_rsa"]
|
|
# }
|
|
# }
|
|
# }
|
|
image = "viktorbarzin/webhook-handler:latest"
|
|
name = "webhook-handler"
|
|
resources {
|
|
limits = {
|
|
cpu = "0.5"
|
|
memory = "512Mi"
|
|
}
|
|
requests = {
|
|
cpu = "250m"
|
|
memory = "50Mi"
|
|
}
|
|
}
|
|
port {
|
|
container_port = 80
|
|
}
|
|
volume_mount {
|
|
name = "id-rsa"
|
|
mount_path = "/opt/id_rsa"
|
|
sub_path = "id_rsa"
|
|
}
|
|
env {
|
|
name = "WEBHOOKSECRET"
|
|
value = var.webhook_handler_secret
|
|
}
|
|
env {
|
|
name = "FB_APP_SECRET"
|
|
value = var.webhook_handler_fb_app_secret
|
|
}
|
|
env {
|
|
name = "FB_VERIFY_TOKEN"
|
|
value = var.webhook_handler_fb_verify_token
|
|
}
|
|
env {
|
|
name = "FB_PAGE_TOKEN"
|
|
value = var.webhook_handler_fb_page_token
|
|
}
|
|
env {
|
|
name = "CONFIG"
|
|
value = "./chatbot/config/viktorwebservices.yaml"
|
|
}
|
|
env {
|
|
name = "GIT_USER"
|
|
value = var.webhook_handler_git_user
|
|
}
|
|
env {
|
|
name = "GIT_TOKEN"
|
|
value = var.webhook_handler_git_token
|
|
}
|
|
env {
|
|
name = "SSH_KEY"
|
|
value = "/opt/id_rsa"
|
|
}
|
|
}
|
|
volume {
|
|
name = "id-rsa"
|
|
secret {
|
|
secret_name = "ssh-key"
|
|
}
|
|
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_service" "webhook_handler" {
|
|
metadata {
|
|
name = "webhook-handler"
|
|
namespace = kubernetes_namespace.webhook-handler.metadata[0].name
|
|
labels = {
|
|
"app" = "webhook-handler"
|
|
}
|
|
}
|
|
|
|
spec {
|
|
selector = {
|
|
app = "webhook-handler"
|
|
}
|
|
port {
|
|
port = "80"
|
|
target_port = "3000"
|
|
}
|
|
}
|
|
}
|
|
|
|
module "ingress" {
|
|
source = "../../modules/kubernetes/ingress_factory"
|
|
namespace = kubernetes_namespace.webhook-handler.metadata[0].name
|
|
name = "webhook-handler"
|
|
host = "webhook"
|
|
tls_secret_name = var.tls_secret_name
|
|
}
|