storage normalization, security middlewares

deploy/infra/ingress.yaml

@@ -1,26 +1,64 @@
-
-apiVersion: networking.k8s.io/v1
-kind: Ingress
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
 metadata:
   name: cloud-limbosolutions-com
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
     kubernetes.io/ingress.class: traefik
     traefik.ingress.kubernetes.io/router.entrypoints: websecure, public-https
-spec: 
-  ingressClassName: traefik
-  rules:
-    - host: cloud.limbosolutions.com
-      http:
-        paths:
-        - backend:
-            service:
-              name: nextcloud
-              port:
-                number: 8080
-          path: /
-          pathType: Prefix
+spec:
+  entryPoints:
+    - websecure
+
   tls:
-    - secretName: cloud-limbosolutions-com-secret-tls
-      hosts:
-        - cloud.limbosolutions.com
+    secretName: cloud-limbosolutions-com-tls
+    domains:
+      - main: cloud.limbosolutions.com
+
+  routes:
+
+    # AUTHENTIK OUTPOST
+    - match: Host(`cloud.limbosolutions.com`)  && PathPrefix(`/outpost.goauthentik.io`)
+      kind: Rule
+      services:
+        - name: ak-outpost-authentik-embedded-outpost
+          namespace: id-limbosolutions-com
+          port: 9000
+
+
+    # 1) PUBLIC SHARES (NO SSO)
+    - match: Host(`cloud.limbosolutions.com`) && (PathPrefix(`/s/`) || PathPrefix(`/index.php/s/`) || PathPrefix(`/public.php/`) || PathPrefix(`/remote.php/dav/public-files/`))
+      kind: Rule
+      services:
+        - name: nextcloud
+          port: 8080
+      middlewares:
+        - name: rate-limit
+        - name: security-headers
+
+    # 2) WEBDAV / SYNC CLIENTS (NO SSO)
+    - match: Host(`cloud.limbosolutions.com`) && (PathPrefix(`/remote.php/dav`) || PathPrefix(`/remote.php/webdav`) || PathPrefix(`/remote.php/caldav`) || PathPrefix(`/remote.php/carddav`))
+      kind: Rule
+      services:
+        - name: nextcloud
+          port: 8080
+      middlewares:
+        - name: webdav-strip-auth
+        - name: rate-limit
+
+    # 3) EVERYTHING ELSE (SSO REQUIRED)
+    - match: Host(`cloud.limbosolutions.com`)
+      kind: Rule
+      services:
+        - name: nextcloud
+          port: 8080
+      middlewares:
+          # middleware managed by icarus
+         - name: authentik-forward-auth
+           namespace: kube-system
+         - name: security-headers
+         - name: rate-limit
+
+
+
+

deploy/infra/kustomization.yaml

@@ -3,6 +3,7 @@ kind: Kustomization
 resources:
   - namespace.yaml
   - cd-serviceaccount.yaml
+  - middlewares.yaml
   - ingress.yaml
   - storage-limbosolutions-com/pv.yaml
 generatorOptions:

deploy/infra/middlewares.yaml

@@ -0,0 +1,41 @@
+# Strip Authorization header for WebDAV so Authentik doesn't try to interpret Basic Auth
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: webdav-strip-auth
+spec:
+  headers:
+    customRequestHeaders:
+      Authorization: ""
+
+---
+# Rate limit to protect from brute force / bots
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: rate-limit
+spec:
+  rateLimit:
+    average: 50
+    burst: 100
+
+---
+# Optional: security headers for UI
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: security-headers
+spec:
+  headers:
+    stsSeconds: 31536000
+    stsIncludeSubdomains: true
+    stsPreload: true
+    browserXssFilter: true
+    contentTypeNosniff: true
+    frameDeny: true
+    referrerPolicy: "no-referrer"
+    customResponseHeaders:
+      X-Content-Type-Options: "nosniff"
+      X-Frame-Options: "DENY"
+      X-XSS-Protection: "1; mode=block"