34 Commits

Author SHA1 Message Date
779ed3d563 remove trivy-operator 2026-02-20 00:36:50 +00:00
b95a574d73 remove velero 2026-02-20 00:18:38 +00:00
5e55c0e277 encrypt crowdsec bouncer key with SOPS + variable substitution 2026-02-20 00:17:40 +00:00
75f8c6d5d8 fix: correct CrowdSec LAPI service name for bouncer 2026-02-19 23:54:16 +00:00
d19ede0559 feat: enable CrowdSec Traefik bouncer on all ingresses
- Add Traefik plugin via HelmChartConfig (crowdsec-bouncer-traefik-plugin)
- Create bouncer Middleware in stream mode
- Apply bouncer to all public ingresses
- IPs flagged by CrowdSec will now be blocked at Traefik level
2026-02-19 23:53:00 +00:00
d628dd2c67 fix: allow CrowdSec intra-namespace traffic (agent -> LAPI) 2026-02-19 23:49:57 +00:00
129efb39ad fix: revert to one_factor - 2FA needs SMTP notifier to work 2026-02-19 23:45:13 +00:00
133312a284 feat: replace Uptime Kuma with Gatus
- Remove uptime-kuma (heavier, requires manual config)
- Add Gatus (lightweight, config-as-code)
- Monitor all services: Gitea, Podinfo, Vaultwarden, Authelia, Flux, K8s API
- Protected by Authelia ForwardAuth
- status.davidepiu.xyz
2026-02-19 23:43:53 +00:00
dd74cc05fd fix: Velero kubectl image and AWS plugin version
- kubectl: use bitnami/kubectl instead of deprecated bitnamilegacy/kubectl
- AWS plugin: use v1.11.0 (v1.13.1 does not exist)
2026-02-19 23:31:48 +00:00
08eb8255a8 sec: new Authelia password + enforce 2FA for all services
- Generate new unique password for Authelia (not shared with Gitea)
- Change access_control default_policy to two_factor
- Re-encrypt authelia-users secret with SOPS
2026-02-19 23:24:26 +00:00
51bcdebca8 feat: add SOPS encrypted secrets and enable Flux decryption
- Add .sops.yaml config with age public key
- Encrypt authelia-users, authelia-secrets, vaultwarden-admin
- Enable SOPS decryption in Flux Kustomization (gotk-sync.yaml)
- Secrets are now safe to store in git (encrypted with age)
2026-02-19 23:20:58 +00:00
914890b339 feat: protect Uptime Kuma and Weave GitOps with Authelia ForwardAuth
- Add Traefik ForwardAuth middleware pointing to Authelia
- Apply to status.davidepiu.xyz and flux.davidepiu.xyz
- Users must log in via auth.davidepiu.xyz before accessing these services
2026-02-19 23:18:38 +00:00
bc89216548 fix: allow ACME solver port 8089 in Authelia NetworkPolicy
Same fix as flux-system: Traefik needs to reach the cert-manager
ACME HTTP-01 solver pod on port 8089 for TLS certificate issuance.
2026-02-19 23:13:32 +00:00
a5c1772e4e fix: mount users_database.yml in Authelia pod
Mount the authelia-users Secret as a volume at /config/users_database.yml
so Authelia can authenticate user davide.
2026-02-19 23:10:57 +00:00
0d0fd95991 feat: deploy Wave 2 - CrowdSec + Velero
- CrowdSec: LAPI + Agent with containerd runtime, Traefik log acquisition
- Velero: with AWS plugin, placeholder BSL (needs S3 storage config later)
- Both with reduced resources for 4GB VPS
2026-02-19 23:06:26 +00:00
d59ac2a933 sec: disable Vaultwarden open signups, add admin token
- signupsAllowed: false - prevents public registration
- invitationsAllowed: false - prevents invitation abuse
- adminToken from Secret for /admin panel access
2026-02-19 22:58:29 +00:00
b69cc16002 fix: remove Authelia default_redirection_url conflicting with authelia_url 2026-02-19 22:56:50 +00:00
98e073ad82 fix: correct Authelia and Trivy Operator chart values
- Authelia: remove invalid server.address, use chart auto-generated secrets
- Trivy: use clusterComplianceEnabled=false instead of empty cron
2026-02-19 22:49:35 +00:00
c2a803d28b feat: deploy Wave 1 - Vaultwarden, Uptime Kuma, Trivy Operator, Authelia
GitOps manifests for security stack Wave 1:
- Vaultwarden (vault.davidepiu.xyz) - password manager
- Uptime Kuma (status.davidepiu.xyz) - uptime monitoring
- Trivy Operator - vulnerability scanning
- Authelia (auth.davidepiu.xyz) - SSO + 2FA

All with NetworkPolicies for Traefik ingress.
2026-02-19 22:44:34 +00:00
232957ac4a Fix podinfo manifest - correct resource names 2026-02-19 22:05:11 +00:00
5f396f9b4f Fix podinfo service name in Ingress 2026-02-19 22:02:33 +00:00
e37a076f12 Fix podinfo: create namespace before Ingress 2026-02-19 22:01:19 +00:00
06999bc9c9 Replace Online Boutique with podinfo 2026-02-19 21:56:55 +00:00
ecad6a561f Add HTTP to HTTPS redirect for all ingresses 2026-02-19 21:51:24 +00:00
4d08d945a4 Add NetworkPolicy to allow Traefik ingress into flux-system namespace
Without this policy, Flux default NetworkPolicies block traffic from kube-system
(where Traefik runs) to flux-system, causing 502 errors for both the weave-gitops
dashboard and cert-manager ACME HTTP-01 solver pods.
2026-02-19 21:47:16 +00:00
b2f825fcd6 Add password hash for Weave GitOps 2026-02-19 21:11:05 +00:00
af2cd6d00d Add Weave GitOps dashboard + Online Boutique Ingress via GitOps 2026-02-19 21:08:20 +00:00
3795c1a3f2 Fix camelCase keys for Online Boutique values 2026-02-19 20:57:36 +00:00
74d6898af7 Reduce resource requests for 2-core VPS 2026-02-19 20:52:45 +00:00
a0aa4ea137 Fix Online Boutique: use GitRepository source 2026-02-19 20:49:26 +00:00
842b63b45a Add Online Boutique HelmRelease 2026-02-19 20:47:07 +00:00
Flux b38b383ca6 Add Flux sync manifests 2026-02-19 20:46:12 +00:00
Flux 05f0b1f436 Add Flux v2.7.5 component manifests 2026-02-19 20:46:08 +00:00
538f714e5c Initial commit 2026-02-19 20:45:46 +00:00