chore(haproxy,terraform): harden haproxy stats and pin incus provider

- Add maxconn limit and HTTP timeouts to mitigate slowloris attacks
- Restrict stats endpoint to internal LAN and localhost only
- Hide HAProxy version on stats page
- Pin Incus Terraform provider to ~> 1.0 for stability
2026-06-09 22:52:23 -04:00
parent 35061e3b6d
commit 2f5a15eef5
2 changed files with 11 additions and 1 deletions


@@ -9,6 +9,7 @@ global
log /dev/log local0
log /dev/log local1 notice
stats timeout 30s
maxconn 4096
# Ubuntu systemd service handles user/group and daemonization
# Default SSL material locations
@@ -30,16 +31,24 @@ defaults
timeout connect 5s
timeout client 50s
timeout server 50s
# Slowloris protection: cap time to receive the full request/keep-alive idle
timeout http-request 10s
timeout http-keep-alive 10s
# Stats page with Prometheus metrics
listen stats
bind *:{{ haproxy_stats_port }}
mode http
# Restrict to the Ouranos LAN + localhost (Alloy scrapes via localhost).
# Belt-and-suspenders alongside host-level firewalling.
acl from_internal src 10.10.0.0/16 127.0.0.0/8
http-request deny unless from_internal
stats enable
stats uri /metrics
stats refresh 15s
stats show-legends
stats show-node
stats hide-version
# Prometheus metrics endpoint
http-request use-service prometheus-exporter if { path /metrics }
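Review bot: The comment above the new `timeout http-request 10s` line overstates what it bounds: by default this timeout only covers the time until the request headers are fully received, not the body, so a client sending a slow request body is not cut off by it. Either qualify the comment, e.g. `# Slowloris protection: bound time to receive the request headers (the body too only when option http-buffer-request is set)`, or add `option http-buffer-request` to `defaults` where buffering request bodies is acceptable. Separately, the stats listener still has `bind *:{{ haproxy_stats_port }}`, so the new `acl from_internal` / `http-request deny` pair is the only HAProxy-side control; binding to 127.0.0.1 and the LAN-facing address instead would narrow exposure before any ACL is evaluated, if that fits the deployment. The `defaults` section this hunk modifies starts outside the hunk.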


@@ -4,6 +4,7 @@ terraform {
required_providers {
incus = {
source = "lxc/incus"
version = "~> 1.0"
}
}
}