d628dd2c67
fix: allow CrowdSec intra-namespace traffic (agent -> LAPI)
2026-02-19 23:49:57 +00:00
129efb39ad
fix: revert to one_factor - 2FA needs SMTP notifier to work
2026-02-19 23:45:13 +00:00
08eb8255a8
sec: new Authelia password + enforce 2FA for all services
- Generate new unique password for Authelia (not shared with Gitea)
- Change access_control default_policy to two_factor
- Re-encrypt authelia-users secret with SOPS
2026-02-19 23:24:26 +00:00
914890b339
feat: protect Uptime Kuma and Weave GitOps with Authelia ForwardAuth
- Add Traefik ForwardAuth middleware pointing to Authelia
- Apply to status.davidepiu.xyz and flux.davidepiu.xyz
- Users must log in via auth.davidepiu.xyz before accessing these services
2026-02-19 23:18:38 +00:00
bc89216548
fix: allow ACME solver port 8089 in Authelia NetworkPolicy
Same fix as flux-system: Traefik needs to reach the cert-manager
ACME HTTP-01 solver pod on port 8089 for TLS certificate issuance.
2026-02-19 23:13:32 +00:00
a5c1772e4e
fix: mount users_database.yml in Authelia pod
Mount the authelia-users Secret as volume at /config/users_database.yml
so Authelia can authenticate user davide.
2026-02-19 23:10:57 +00:00
0d0fd95991
feat: deploy Wave 2 - CrowdSec + Velero
- CrowdSec: LAPI + Agent with containerd runtime, Traefik log acquisition
- Velero: with AWS plugin, placeholder BSL (needs S3 storage config later)
- Both with reduced resources for 4GB VPS
2026-02-19 23:06:26 +00:00
b69cc16002
fix: remove Authelia default_redirection_url conflicting with authelia_url
2026-02-19 22:56:50 +00:00
98e073ad82
fix: correct Authelia and Trivy Operator chart values
- Authelia: remove invalid server.address, use chart auto-generated secrets
- Trivy: use clusterComplianceEnabled=false instead of empty cron
2026-02-19 22:49:35 +00:00
c2a803d28b
feat: deploy Wave 1 - Vaultwarden, Uptime Kuma, Trivy Operator, Authelia
GitOps manifests for security stack Wave 1:
- Vaultwarden (vault.davidepiu.xyz) - password manager
- Uptime Kuma (status.davidepiu.xyz) - uptime monitoring
- Trivy Operator - vulnerability scanning
- Authelia (auth.davidepiu.xyz) - SSO + 2FA
All with NetworkPolicies for Traefik ingress.
2026-02-19 22:44:34 +00:00