89a6e08245
Phase 1 - Critical Security: - Netbox: move hardcoded DB/superuser passwords to variables - MeshCentral: disable public registration, add Authentik auth - Traefik: disable insecure API dashboard (api.insecure=false) - Traefik: configure forwarded headers with Cloudflare trusted IPs Phase 2 - Security Hardening: - Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.) - Add Kyverno pod security policies in audit mode (privileged, host namespaces, SYS_ADMIN, trusted registries) - Tighten rate limiting (avg=10, burst=50) - Add Authentik protection to grampsweb Phase 3 - Monitoring & Alerting: - Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale, Authentik, Loki) - Increase Loki retention from 7 to 30 days (720h) - Add predictive PV filling alert (predict_linear) - Re-enable Hackmd and Privatebin down alerts Phase 4 - Reliability: - Add resource requests/limits to Redis, DBaaS, Technitium, Headscale, Vaultwarden, Uptime Kuma - Increase Alloy DaemonSet memory to 512Mi/1Gi Phase 6 - Maintainability: - Extract duplicated tiers locals to terragrunt.hcl generate block (removed from 67 stacks) - Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114 instances across 63 files) - Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references with variables across ~35 stacks - Migrate xray raw ingress resources to ingress_factory modules
73 lines
2.1 KiB
HCL
73 lines
2.1 KiB
HCL
variable "tls_secret_name" {}
|
|
variable "secret_key" {}
|
|
variable "postgres_password" {}
|
|
variable "tier" { type = string }
|
|
variable "redis_host" { type = string }
|
|
|
|
|
|
module "tls_secret" {
|
|
source = "../../../../modules/kubernetes/setup_tls_secret"
|
|
namespace = kubernetes_namespace.authentik.metadata[0].name
|
|
tls_secret_name = var.tls_secret_name
|
|
}
|
|
|
|
resource "kubernetes_namespace" "authentik" {
|
|
metadata {
|
|
name = "authentik"
|
|
labels = {
|
|
tier = var.tier
|
|
"resource-governance/custom-quota" = "true"
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_resource_quota" "authentik" {
|
|
metadata {
|
|
name = "authentik-quota"
|
|
namespace = kubernetes_namespace.authentik.metadata[0].name
|
|
}
|
|
spec {
|
|
hard = {
|
|
"requests.cpu" = "16"
|
|
"requests.memory" = "16Gi"
|
|
"limits.cpu" = "48"
|
|
"limits.memory" = "96Gi"
|
|
pods = "50"
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "helm_release" "authentik" {
|
|
namespace = kubernetes_namespace.authentik.metadata[0].name
|
|
create_namespace = true
|
|
name = "goauthentik"
|
|
|
|
repository = "https://charts.goauthentik.io/"
|
|
chart = "authentik"
|
|
# version = "2025.8.1"
|
|
version = "2025.10.3"
|
|
atomic = true
|
|
timeout = 6000
|
|
|
|
values = [templatefile("${path.module}/values.yaml", { postgres_password = var.postgres_password, secret_key = var.secret_key, redis_host = var.redis_host })]
|
|
}
|
|
|
|
|
|
module "ingress" {
|
|
source = "../../../../modules/kubernetes/ingress_factory"
|
|
namespace = kubernetes_namespace.authentik.metadata[0].name
|
|
name = "authentik"
|
|
service_name = "goauthentik-server"
|
|
tls_secret_name = var.tls_secret_name
|
|
}
|
|
|
|
module "ingress-outpost" {
|
|
source = "../../../../modules/kubernetes/ingress_factory"
|
|
namespace = kubernetes_namespace.authentik.metadata[0].name
|
|
name = "authentik-outpost"
|
|
host = "authentik"
|
|
service_name = "ak-outpost-authentik-embedded-outpost"
|
|
port = 9000
|
|
ingress_path = ["/outpost.goauthentik.io"]
|
|
tls_secret_name = var.tls_secret_name
|
|
}
|