infra/roles/services/templates
jack e935c897c6
Some checks failed
CI/CD / syntax-check (push) Successful in 58s
CI/CD / deploy (push) Failing after 43s
feat: Cloudflare integration — real IP forwarding + firewall lockdown
Traefik traefik.yml.j2:
- Add forwardedHeaders.trustedIPs with all Cloudflare CIDR ranges
  on both web and websecure entrypoints so rate limiting and
  CrowdSec see real visitor IPs, not Cloudflare proxy IPs

firewall.yml:
- Replace open HTTP/HTTPS rules with per-CIDR allow rules
  scoped to Cloudflare IP ranges only
- Direct access to ports 80/443 bypassing Cloudflare is now blocked

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 04:02:06 +07:00
authelia feat: comprehensive security hardening 2026-03-22 03:44:54 +07:00
crowdsec feat: comprehensive security hardening 2026-03-22 03:44:54 +07:00
grafana/provisioning feat: major infrastructure improvements 2026-03-22 03:28:16 +07:00
loki feat: major infrastructure improvements 2026-03-22 03:28:16 +07:00
prometheus fix: correct invalid PromQL in ContainerHighMemory alert rule 2026-03-22 03:59:56 +07:00
traefik feat: Cloudflare integration — real IP forwarding + firewall lockdown 2026-03-22 04:02:06 +07:00
act_runner_config.yaml.j2 Fix CI workflow: remove container directive, use runner image directly 2026-03-21 22:34:56 +07:00
docker-compose.yml.j2 feat: comprehensive security hardening 2026-03-22 03:44:54 +07:00
env.j2 feat: comprehensive security hardening 2026-03-22 03:44:54 +07:00