feat: deploy Falco runtime security

Reviewed-on: #113

deployments/apps/n8n/externalsecret.yaml

@@ -14,25 +14,5 @@ spec:
   data:
     - secretKey: N8N_SECRET_KEY
       remoteRef:
-        key: apps/n8n
+        key: n8n
         property: N8N_SECRET_KEY
-    - secretKey: DB_HOST
-      remoteRef:
-        key: apps/n8n
-        property: DB_HOST
-    - secretKey: DB_PORT
-      remoteRef:
-        key: apps/n8n
-        property: DB_PORT
-    - secretKey: DB_NAME
-      remoteRef:
-        key: apps/n8n
-        property: DB_NAME
-    - secretKey: DB_USER
-      remoteRef:
-        key: apps/n8n
-        property: DB_USER
-    - secretKey: DB_PASSWORD
-      remoteRef:
-        key: apps/n8n
-        property: DB_PASSWORD

deployments/media/transmission/deployment.yaml

@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: transmission
-  namespace: media
+  namespace: apps
   labels:
     app: transmission
 spec:
@@ -10,76 +10,58 @@ spec:
   selector:
     matchLabels:
       app: transmission
+  strategy:
+    type: Recreate
   template:
     metadata:
       labels:
         app: transmission
     spec:
       containers:
-        - name: gluetun
-          image: ghcr.io/qmcgaw/gluetun:v3.40.0
-          env:
-            - name: OPENVPN_PROVIDER
-              value: "PROTONVPN"
-            - name: OPENVPN_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: transmission-vpn-secret
-                  key: username
-            - name: OPENVPN_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: transmission-vpn-secret
-                  key: password
-            - name: SERVER_COUNTRIES
-              value: "US"
-            - name: FIREWALL_ENABLED
-              value: "off"
-            - name: DOT_ENABLED
-              value: "true"
-          ports:
-            - name: http
-              containerPort: 8000
-          volumeMounts:
-            - name: config
-              mountPath: /config
         - name: transmission
           image: lscr.io/linuxserver/transmission:latest
+          ports:
+            - name: web
+              containerPort: 9091
+              protocol: TCP
+            - name: peer
+              containerPort: 51413
+              protocol: TCP
+            - name: peer-udp
+              containerPort: 51413
+              protocol: UDP
           env:
             - name: PUID
               value: "1000"
             - name: PGID
               value: "1000"
             - name: TZ
-              value: "America/New_York"
+              value: "Etc/UTC"
-            - name: USER
-              value: "admin"
-            - name: PASS
-              value: "admin"
             - name: TRANSMISSION_WEB_HOME
-              value: "/combui"
+              value: "/web/":"
-            - name: PEER_PORT
+          volumeMounts:
-              valueFrom:
+            - name: config
-                configMapKeyRef:
+              mountPath: /config
-                  name: transmission-config
+            - name: data
-                  key: peer-port
+              mountPath: /data
-          ports:
+        - name: gluetun
-            - name: http
+          image: qmcgaw/gluetun:latest
-              containerPort: 9091
+          env:
-            - name: peer
+            - name: VPN_SERVICE_PROVIDER
-              containerPort: 0
+              value: "protonvpn"
-              protocol: TCP
+            - name: VPN_TYPE
-            - name: peer-udp
+              value: "wireguard"
-              containerPort: 0
+          ports:
-              protocol: UDP
+            - name: https
+              containerPort: 443
+              protocol: TCP
           volumeMounts:
             - name: config
               mountPath: /config
-            - name: downloads
-              mountPath: /downloads
       volumes:
         - name: config
-          emptyDir: {}
-        - name: downloads
           persistentVolumeClaim:
-            claimName: media-data
+            claimName: transmission-config-claim
+        - name: data
+          persistentVolumeClaim:
+            claimName: transmission-data-claim

deployments/security-monitoring/falco-app.yaml

@@ -0,0 +1,68 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: falco
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://falcosecurity.github.io/charts
+    chart: falco
+    targetRevision: 3.9.0
+    helm:
+      releaseName: falco
+      values: |
+        ## Falco configuration
+        falco:
+          config:
+            ## Log output
+            json_output: true
+            json_include_output_property: true
+            ## Log stdout + webhook for Wazuh integration
+            programs_output:
+              - enabled: true
+                keep_alive: false
+                executor: /etc/falco/webhook.sh
+            file_output:
+              - enabled: true
+                keep_alive: false
+                filename: /var/log/falco/falco.log
+            syscall_event_drops:
+              enable_outputs: true
+              max_percentage_lost: 20.0
+              rate: 10
+            base_syscalls:
+              enable_outputs: false
+            buffers_pmem: false
+            syscall_buffer_num_pages: 256
+
+          ## Falco host mount
+          hostNetwork: true
+          hostPID: true
+          tolerations:
+            - key: node-role.kubernetes.io/control-plane
+              operator: Exists
+              effect: NoSchedule
+            - key: node-role.kubernetes.io/master
+              operator: Exists
+              effect: NoSchedule
+          resources:
+            requests:
+              cpu: "200m"
+              memory: "256Mi"
+            limits:
+              cpu: "1"
+              memory: "512Mi"
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: falco
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true