restrict flower (celery console) access
The Flower celery console is currently available read/write at http://moma.internal.softwareheritage.org:5555/ , which is accessible only via the internal VPN. That is no security threat for now, but for consistency with other access controls we should rather make it accessible only to, say, developers, who are the same set of people currently able to deploy packages and fiddle with running services.
Celery does support HTTP basic auth, but it'd be probably better to deploy it behind a real HTTP service, with reverse proxying.
Migrated from T314 (view on Phabricator)