Commit Graph

16 Commits

Author SHA1 Message Date
Chris Farhood 6eca981e17 fix: remove serviceName from StatefulSets (not needed)
Removed the serviceName field from both StatefulSets, since stable pod DNS
is not required for single-replica IRC applications. StatefulSets only
need serviceName when using headless Services for stable network identities.

Also removed the statefulset-has-servicename ignore, since it's now properly fixed.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
2026-02-08 10:40:34 -05:00
Chris Farhood a8e16c93ee fix: remove Flux validation and fix YAML linting
- Remove Flux validation job (repo doesn't contain Flux resources)
- Fix trailing spaces in best-practices workflow
- Add missing newline at end of znc/statefulset.yaml

Flux validates Kustomization CRDs, not plain manifests. Since this
repo only contains the manifests deployed by Flux (not the Flux
resources themselves), the validation doesn't apply.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
2026-02-08 10:09:28 -05:00
Chris Farhood 9c70b82fb3 security: implement proper security hardening
Instead of just skipping security checks, properly fix the issues:

**Pod & Container Security Context:**
- Add runAsUser: 1000 (non-root)
- Add runAsGroup: 1000
- Add fsGroup: 1000 for volume permissions
- Add seccompProfile: RuntimeDefault
- Drop ALL capabilities (principle of least privilege)

**Resource Management:**
- Add ephemeral-storage requests (1Gi) and limits (2Gi)

**Health Checks:**
- Change thelounge liveness probe from TCP to HTTP
- Reduces false positives and provides better health signals

**Reduced Exceptions:**
- Removed 6+ security check exceptions
- Now only skip: image tags (intentional), read-only FS (apps need writes)
- Removed Polaris runAsRootAllowed exemptions

**Note:** If containers fail to start post-merge, we may need to adjust UIDs
or add specific capabilities. LinuxServer images may need tweaking.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
2026-02-08 10:06:36 -05:00
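The settings listed in the commit above are the ones Polaris and kube-linter check for in this repo's workflows. The script below is an added example, not code from this repository, showing how those checks compose: it audits a pod template for a non-root UID/GID, fsGroup, seccompProfile RuntimeDefault, dropped capabilities, ephemeral-storage requests/limits and an HTTP liveness probe, and it resolves container-level securityContext overrides against the pod-level defaults the way the kubelet does. The two manifests are constructed stand-ins for the "before" and "after" state of the thelounge StatefulSet (image name, port 9000 and probe path are assumptions), embedded as dicts so it runs offline without PyYAML.

```python
"""Audit a Kubernetes pod template for the hardening applied in the commit above.

Added example, not code from this repository. Manifests are embedded as dicts
(the shape yaml.safe_load returns) so the script runs offline without PyYAML.
"""
from typing import Any, Dict, List, Optional

EXPECTED_UID = 1000  # the UID/GID chosen in the commit; assumption for this example
EXPECTED_GID = 1000


def _effective(spec: Dict[str, Any], container: Dict[str, Any], key: str) -> Optional[Any]:
    """A securityContext field set on the container overrides the pod-level value."""
    cctx = container.get("securityContext") or {}
    if key in cctx:
        return cctx[key]
    return (spec.get("securityContext") or {}).get(key)


def audit_pod_template(template: Dict[str, Any]) -> List[str]:
    """Return one finding per violated setting; an empty list means the template is clean."""
    findings: List[str] = []
    spec = template["spec"]
    pod_ctx = spec.get("securityContext") or {}

    # fsGroup exists only at pod level; it sets group ownership on mounted volumes.
    if pod_ctx.get("fsGroup") != EXPECTED_GID:
        findings.append(f"pod: fsGroup is not {EXPECTED_GID}")

    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")

        uid = _effective(spec, c, "runAsUser")
        if uid is None or uid == 0:
            findings.append(f"{name}: runAsUser is unset or 0 (container runs as root)")
        elif uid != EXPECTED_UID:
            findings.append(f"{name}: runAsUser is {uid}, expected {EXPECTED_UID}")

        gid = _effective(spec, c, "runAsGroup")
        if gid is None or gid == 0:
            findings.append(f"{name}: runAsGroup is unset or 0")

        seccomp = _effective(spec, c, "seccompProfile") or {}
        if seccomp.get("type") != "RuntimeDefault":
            findings.append(f"{name}: seccompProfile.type is not RuntimeDefault")

        # capabilities can only be set on the container-level securityContext
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"{name}: capabilities.drop does not include ALL")

        resources = c.get("resources") or {}
        for section in ("requests", "limits"):
            if "ephemeral-storage" not in (resources.get(section) or {}):
                findings.append(f"{name}: no ephemeral-storage in resources.{section}")

        probe = c.get("livenessProbe")
        if probe is None:
            findings.append(f"{name}: no livenessProbe")
        elif "tcpSocket" in probe:
            findings.append(f"{name}: livenessProbe uses tcpSocket; prefer httpGet")

    return findings


# Constructed "before" template: no securityContext at all, TCP liveness probe,
# no ephemeral-storage accounting.
BEFORE: Dict[str, Any] = {
    "spec": {
        "containers": [{
            "name": "thelounge",
            "image": "example/thelounge:latest",  # assumed image name
            "ports": [{"containerPort": 9000}],
            "livenessProbe": {"tcpSocket": {"port": 9000}},
            "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                          "limits": {"cpu": "500m", "memory": "256Mi"}},
        }]
    }
}

# Constructed "after" template mirroring the commit's hardening.
AFTER: Dict[str, Any] = {
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 1000,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "thelounge",
            "image": "example/thelounge:latest",
            "ports": [{"containerPort": 9000}],
            "securityContext": {"capabilities": {"drop": ["ALL"]}},
            "livenessProbe": {"httpGet": {"path": "/", "port": 9000}},  # assumed path
            "resources": {"requests": {"cpu": "100m", "memory": "128Mi", "ephemeral-storage": "1Gi"},
                          "limits": {"cpu": "500m", "memory": "256Mi", "ephemeral-storage": "2Gi"}},
        }]
    }
}

if __name__ == "__main__":
    for label, tpl in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {audit_pod_template(tpl) or 'clean'}")
```

The override resolution matters in practice: a container that sets its own `runAsUser: 0` silently discards the pod-level `runAsUser: 1000`, which is exactly what the commit's note anticipates for LinuxServer images, most of which start as root and drop to PUID/PGID from their own init. If such an image needs tweaking post-merge, set the exception on that container rather than removing the pod-level defaults.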
Chris Farhood 03f99cae2e adjust policy for dns 2026-01-17 20:33:50 -05:00
Chris Farhood 3b69cb6384 deploy with instance labels 2026-01-17 20:14:22 -05:00
Chris Farhood 36eb6e1ef0 removing unneeded namespace tag 2026-01-17 20:10:47 -05:00
Chris Farhood 531fe04ffe networkpolicy correction 2026-01-17 12:29:03 -05:00
Chris Farhood 877696c827 all done? 2026-01-17 12:27:44 -05:00
Chris Farhood 1850c12905 again 2026-01-17 11:43:19 -05:00
Chris Farhood d939b88fe4 rollback 2026-01-17 11:42:21 -05:00
Chris Farhood 71907f24dd try dropping privs for znc 2026-01-17 11:39:03 -05:00
Chris Farhood a685eca1f5 more polaris findings 2026-01-17 11:34:39 -05:00
Chris Farhood c77b0aa065 roll some back 2026-01-17 11:28:10 -05:00
Chris Farhood 2516f0a47f adjust security settings 2026-01-17 11:26:10 -05:00
Chris Farhood e2cf8ff1b0 adding kustomizations to force declaration of manifests 2026-01-17 09:12:48 -05:00
Chris Farhood 6c0c269520 initial commit 2026-01-17 08:40:50 -05:00