
Harden JuiceFS and place tofu state on upstream

+39
+2
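--- a/.envrc
+++ b/.envrc
@@ -1,2 +1,4 @@
 export TF_VAR_hcloud_token=$(cat ./envs/TF_VAR_hcloud_token)
 export KUBECONFIG=./homelab_kubeconfig.yaml
+export AWS_ACCESS_KEY_ID=$(cat ./k8s/shared/s3-access-key.secret)
+export AWS_SECRET_ACCESS_KEY=$(cat ./k8s/shared/s3-secret-key.secret)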
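Review bot: The two new exports read the S3 key pair with an unquoted, unchecked `$(cat …)`, so a missing or empty `.secret` file silently exports empty credentials and the backend falls through to whatever credential chain remains; quoting and guarding the reads, `export AWS_ACCESS_KEY_ID="$(cat ./k8s/shared/s3-access-key.secret)"` preceded by `[ -s ./k8s/shared/s3-access-key.secret ] || echo "missing s3 access key" >&2`, makes the failure visible. Once exported they sit in the environment of every process started from this directory, where child processes, `set -x` traces and crash reports can see them; pointing the backend at a 0600 credentials file via `AWS_SHARED_CREDENTIALS_FILE` instead keeps them off the environment. Whether `k8s/shared/*.secret` is gitignored is not visible on this page and should be confirmed before the branch is pushed.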
+2
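--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,10 +7,12 @@
 ## [Unreleased]
 
 ### Security
+- Add network policy for JuiceFS Redis namespace (#51)
 - Harden knot SSH config and extend tarpit to knot HTTP routes (#19)
 - Add tarpit for vulnerability scanners hitting known exploit paths (#18)
 
 ### Added
+- Add S3 remote backend for OpenTofu state (#50)
 - Migrate to 3-node HA cluster with JuiceFS and S3-backed storage (#38)
 - Add JuiceFS Redis and CSI manifests for S3-backed storage (#47)
 - Add backup restoration guide for PDS and knot (#35)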
+1
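--- a/k8s/juicefs/kustomization.yaml
+++ b/k8s/juicefs/kustomization.yaml
@@ -7,6 +7,7 @@
   - redis-deployment.yaml
   - redis-service.yaml
   - storageclass.yaml
+  - network-policy.yaml
 
 generatorOptions:
   disableNameSuffixHash: true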
+19
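--- /dev/null
+++ b/k8s/juicefs/network-policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: redis-ingress
+  namespace: juicefs
+spec:
+  podSelector:
+    matchLabels:
+      app: juicefs-redis
+  policyTypes:
+    - Ingress
+  ingress:
+    # JuiceFS CSI components and mount pods within the namespace
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: juicefs
+      ports:
+        - port: 6379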
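Review bot: The single `from` entry admits every pod in the juicefs namespace to Redis on 6379, not only the CSI components and mount pods the comment names; adding a `podSelector` beside the `namespaceSelector` inside the same list item (the two are ANDed) narrows it to the labelled clients, and since those labels are not on this page `matchLabels: {<client-label>: <value>}` stands in as a placeholder. If the JuiceFS CSI driver and the mount pods it creates run in a different namespace (kube-system is, I believe, the driver's default), this rule denies them, so their namespace should be confirmed before the policy is applied. Redis also gets no egress restriction here; if the pod has no outbound dependencies, listing `- Egress` under `policyTypes` with no egress rules would close that direction too. Enforcement depends on the cluster CNI honouring NetworkPolicy, which this page does not show.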
+15
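--- a/kube.tf
+++ b/kube.tf
@@ -125,6 +125,21 @@
 
 terraform {
   required_version = ">= 1.5.0"
+
+  backend "s3" {
+    bucket = "sans-self-net"
+    key = "tofu/terraform.tfstate"
+    region = "nbg1"
+
+    endpoints = { s3 = "https://nbg1.your-objectstorage.com" }
+
+    skip_credentials_validation = true
+    skip_metadata_api_check = true
+    skip_region_validation = true
+    skip_requesting_account_id = true
+    use_path_style = true
+  }
+
   required_providers {
     hcloud = {
       source = "hetznercloud/hcloud"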
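Review bot: The new `backend "s3"` block ships the state to third-party object storage in plaintext with no locking configured; the state of a kube-hetzner deployment typically carries the kubeconfig and other credentials, so it should be encrypted client-side before it leaves the machine, and concurrent applies should be prevented. OpenTofu's `encryption` block inside `terraform` (1.7+) covers the first, which means `required_version = ">= 1.5.0"` needs raising to match; `use_lockfile = true` inside `backend "s3"` adds native S3 locking where the OpenTofu version supports it, since there is no DynamoDB equivalent at this endpoint. The `skip_*` flags and `use_path_style` are the expected shape for a non-AWS S3 endpoint. The enclosing `terraform` block continues past the hunk.
```hcl
terraform {
  required_version = ">= 1.5.0"

  # … unchanged: backend "s3" { … } — add `use_lockfile = true` inside it …

  # Client-side state encryption (OpenTofu >= 1.7). The passphrase must be
  # supplied from the environment, never from a committed file.
  encryption {
    key_provider "pbkdf2" "state" {
      passphrase = var.state_passphrase # constructed name: declare as a sensitive variable
    }
    method "aes_gcm" "state" {
      keys = key_provider.pbkdf2.state
    }
    state {
      method   = method.aes_gcm.state
      enforced = true
    }
  }

  # … unchanged: required_providers { … } …
```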