Initial commit: Cloudflare infrastructure with WAF Intelligence

- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access) - WAF Intelligence MCP server with threat analysis and ML classification - GitOps automation with PR workflows and drift detection - Observatory monitoring stack with Prometheus/Grafana - IDE operator rules for governed development - Security playbooks and compliance frameworks - Autonomous remediation and state reconciliation
2025-12-16 18:31:53 +00:00
commit 37a867c485
123 changed files with 25407 additions and 0 deletions
--- a/systemd/drift-guardian.service
+++ b/systemd/drift-guardian.service
@@ -0,0 +1,56 @@
+[Unit]
+Description=Cloudflare Drift Guardian - Real-time configuration monitor
+Documentation=https://vaultmesh.org/docs/cloudflare-binding
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=cloudflare-mesh
+Group=cloudflare-mesh
+
+# Environment
+EnvironmentFile=/etc/cloudflare-mesh/environment
+Environment=PYTHONUNBUFFERED=1
+
+# Execution
+ExecStart=/usr/bin/python3 /opt/cloudflare-mesh/scripts/drift-guardian.py \
+    --zone-id ${CLOUDFLARE_ZONE_ID} \
+    --account-id ${CLOUDFLARE_ACCOUNT_ID} \
+    --interval 60 \
+    --auto-remediate
+
+# Restart policy
+Restart=always
+RestartSec=30
+StartLimitBurst=5
+StartLimitIntervalSec=300
+
+# Security hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectSystem=strict
+ProtectHome=yes
+ReadOnlyPaths=/
+ReadWritePaths=/var/lib/cloudflare-mesh
+ReadWritePaths=/var/log/cloudflare-mesh
+CapabilityBoundingSet=
+AmbientCapabilities=
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+SystemCallFilter=@system-service
+SystemCallArchitectures=native
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=drift-guardian
+
+[Install]
+WantedBy=multi-user.target