feat: create net stack consolidating proxy, netdata, watchtower, and umami

- Create net/compose.yaml with 4 services (traefik, netdata, watchtower, umami) - Update arty.yml with NET_* environment variables - Update compose.yaml to include net instead of individual stacks - Update restic volume references to net_letsencrypt_data and net_netdata_config - Copy configuration files to net/ directory (Dockerfile, dynamic/, go.d/, etc.) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 17:00:36 +01:00
parent f0ab11502a
commit 23fbae0228
10 changed files with 404 additions and 25 deletions
--- a/net/dynamic/security.yaml
+++ b/net/dynamic/security.yaml
@@ -0,0 +1,61 @@
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_CHACHA20_POLY1305_SHA256
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+      sniStrict: true
+
+http:
+  middlewares:
+    # Security Headers Middleware
+    security-headers:
+      headers:
+        # HSTS (HTTP Strict Transport Security)
+        stsSeconds: 31536000
+        stsIncludeSubdomains: true
+        stsPreload: true
+
+        # Force HTTPS
+        forceSTSHeader: true
+
+        # Clickjacking protection
+        customFrameOptionsValue: "SAMEORIGIN"
+
+        # XSS Protection
+        browserXssFilter: true
+
+        # Content Type sniffing protection
+        contentTypeNosniff: true
+
+        # Referrer Policy
+        referrerPolicy: "strict-origin-when-cross-origin"
+
+        # Permissions Policy (formerly Feature Policy)
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
+          Permissions-Policy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()"
+          X-Content-Type-Options: "nosniff"
+          X-Frame-Options: "SAMEORIGIN"
+
+    # Rate Limiting Middleware (optional, can be applied per service)
+    rate-limit:
+      rateLimit:
+        average: 100
+        burst: 50
+        period: 1s
+
+    # Rate Limiting for API endpoints (stricter)
+    api-rate-limit:
+      rateLimit:
+        average: 30
+        burst: 15
+        period: 1s