feat: add PHP ini management system and update infrastructure configs

- Add PHP ini management classes (Access, IniDirective, IniKey, PhpIni) - Update deployment configurations (Wireguard, Traefik, Monitoring) - Add DNS stack and Ansible role - Add deployment debugging playbooks - Update framework components (FilePath, RedisConnectionPool) - Update .gitignore and documentation
2025-11-02 15:29:41 +01:00
parent e628d30fa0
commit edcf509a4f
29 changed files with 926 additions and 39 deletions
--- a/deployment/ansible/templates/traefik-middlewares.yml.j2
+++ b/deployment/ansible/templates/traefik-middlewares.yml.j2
@@ -0,0 +1,82 @@
+# Dynamic Middleware Configuration
+
+http:
+  middlewares:
+    # Security headers for all services
+    security-headers-global:
+      headers:
+        frameDeny: true
+        contentTypeNosniff: true
+        browserXssFilter: true
+        stsSeconds: 31536000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+        customFrameOptionsValue: "SAMEORIGIN"
+        contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
+        referrerPolicy: "strict-origin-when-cross-origin"
+        permissionsPolicy: "geolocation=(), microphone=(), camera=()"
+
+    # Compression for better performance
+    gzip-compression:
+      compress:
+        excludedContentTypes:
+          - text/event-stream
+
+    # Rate limiting - strict
+    rate-limit-strict:
+      rateLimit:
+        average: 50
+        burst: 25
+        period: 1s
+
+    # Rate limiting - moderate
+    rate-limit-moderate:
+      rateLimit:
+        average: 100
+        burst: 50
+        period: 1s
+
+    # Rate limiting - lenient
+    rate-limit-lenient:
+      rateLimit:
+        average: 200
+        burst: 100
+        period: 1s
+
+    # IP whitelist for admin services (example)
+    # Uncomment and adjust for production
+    # admin-whitelist:
+    #   ipWhiteList:
+    #     sourceRange:
+    #       - "127.0.0.1/32"
+    #       - "10.0.0.0/8"
+    
+    # VPN-only IP whitelist for Grafana and other monitoring services
+    # Restrict access strictly to the WireGuard VPN network
+    grafana-vpn-only:
+      ipWhiteList:
+        sourceRange:
+          - "{{ vpn_network }}"      # WireGuard VPN network
+
+    # VPN-only IP whitelist for general use (Traefik Dashboard, etc.)
+    # Restrict access strictly to the WireGuard network
+    vpn-only:
+      ipWhiteList:
+        sourceRange:
+          - "{{ vpn_network }}"      # WireGuard VPN network
+
+    # Chain multiple middlewares
+    default-chain:
+      chain:
+        middlewares:
+          - security-headers-global
+          - gzip-compression
+
+    admin-chain:
+      chain:
+        middlewares:
+          - security-headers-global
+          - gzip-compression
+          - rate-limit-strict
+          # - admin-whitelist  # Uncomment for IP whitelisting