feat: CI/CD pipeline setup complete - Ansible playbooks updated, secrets configured, workflow ready

2025-10-31 01:39:24 +01:00
parent 55c04e4fd0
commit e26eb2aa12
601 changed files with 44184 additions and 32477 deletions
--- a/deployment/stacks/traefik/dynamic/gitea.yml
+++ b/deployment/stacks/traefik/dynamic/gitea.yml
@@ -0,0 +1,15 @@
+http:
+  routers:
+    gitea:
+      rule: Host(`git.michaelschiemer.de`)
+      entrypoints:
+        - websecure
+      service: gitea
+      tls:
+        certResolver: letsencrypt
+      priority: 100
+  services:
+    gitea:
+      loadBalancer:
+        servers:
+          - url: http://gitea:3000
--- a/deployment/stacks/traefik/dynamic/middlewares.yml
+++ b/deployment/stacks/traefik/dynamic/middlewares.yml
@@ -0,0 +1,68 @@
+# Dynamic Middleware Configuration
+
+http:
+  middlewares:
+    # Security headers for all services
+    security-headers-global:
+      headers:
+        frameDeny: true
+        contentTypeNosniff: true
+        browserXssFilter: true
+        stsSeconds: 31536000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+        customFrameOptionsValue: "SAMEORIGIN"
+        contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
+        referrerPolicy: "strict-origin-when-cross-origin"
+        permissionsPolicy: "geolocation=(), microphone=(), camera=()"
+
+    # Compression for better performance
+    gzip-compression:
+      compress:
+        excludedContentTypes:
+          - text/event-stream
+
+    # Rate limiting - strict
+    rate-limit-strict:
+      rateLimit:
+        average: 50
+        burst: 25
+        period: 1s
+
+    # Rate limiting - moderate
+    rate-limit-moderate:
+      rateLimit:
+        average: 100
+        burst: 50
+        period: 1s
+
+    # Rate limiting - lenient
+    rate-limit-lenient:
+      rateLimit:
+        average: 200
+        burst: 100
+        period: 1s
+
+    # IP whitelist for admin services (example)
+    # Uncomment and adjust for production
+    # admin-whitelist:
+    #   ipWhiteList:
+    #     sourceRange:
+    #       - "127.0.0.1/32"
+    #       - "10.0.0.0/8"
+
+    # Chain multiple middlewares
+    default-chain:
+      chain:
+        middlewares:
+          - security-headers-global
+          - gzip-compression
+
+    admin-chain:
+      chain:
+        middlewares:
+          - security-headers-global
+          - gzip-compression
+          - rate-limit-strict
+          # - admin-whitelist  # Uncomment for IP whitelisting