From 5befd48a50eba2e4919efbc04a69b1ea73a3abc0 Mon Sep 17 00:00:00 2001
From: jack
Date: Sun, 22 Mar 2026 04:11:39 +0700
Subject: [PATCH] fix: allow Docker bridge networks through UFW for runner + add unattended-upgrades

firewall.yml:
- Allow 172.16.0.0/12 and 10.0.0.0/8 on ports 80/443 so act_runner job containers can reach git.csrx.ru (Forgejo via Traefik)
- Without this, Cloudflare-only rules broke CI/CD pipeline

unattended_upgrades.yml (new):
- Install unattended-upgrades + apt-listchanges
- Configure auto-apply of security patches only (not all updates)
- Auto-clean every 7 days, remove unused deps
- No auto-reboot (manual control over kernel reboots)

base/tasks/main.yml:
- Add unattended_upgrades.yml to task sequence

Co-Authored-By: Claude Sonnet 4.6
---
 roles/base/tasks/firewall.yml | 22 ++++++++++++
 roles/base/tasks/main.yml | 1 +
 roles/base/tasks/unattended_upgrades.yml | 46 ++++++++++++++++++++++++
 3 files changed, 69 insertions(+)
 create mode 100644 roles/base/tasks/unattended_upgrades.yml

diff --git a/roles/base/tasks/firewall.yml b/roles/base/tasks/firewall.yml
index 6532b9b..5a7ea7f 100644
--- a/roles/base/tasks/firewall.yml
+++ b/roles/base/tasks/firewall.yml
@@ -13,6 +13,28 @@
 proto: tcp
 comment: "Forgejo SSH"
 
+- name: Allow HTTP from Docker bridge networks (runner + internal services)
+ community.general.ufw:
+ rule: allow
+ port: "80"
+ proto: tcp
+ src: "{{ item }}"
+ comment: "HTTP from Docker networks"
+ loop:
+ - "172.16.0.0/12"
+ - "10.0.0.0/8"
+
+- name: Allow HTTPS from Docker bridge networks (runner + internal services)
+ community.general.ufw:
+ rule: allow
+ port: "443"
+ proto: tcp
+ src: "{{ item }}"
+ comment: "HTTPS from Docker networks"
+ loop:
+ - "172.16.0.0/12"
+ - "10.0.0.0/8"
+
 - name: Allow HTTP from Cloudflare IPs only
 community.general.ufw:
 rule: allow
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 4b585f9..28a7b61 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
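Review bot: The two new allow rules (`src: "172.16.0.0/12"` and `src: "10.0.0.0/8"`) admit far more than Docker bridge traffic: they open 80/443 to every address in the full RFC1918 10/8 and 172.16/12 ranges, so if this host has a cloud-provider private network, VPC or VPN interface in either range, any peer there bypasses the Cloudflare-only restriction that the following rules are meant to enforce. Traffic from job containers on a bridge network normally reaches the host via the docker0 / br-* bridge interface, so the rule should be pinned to that path — add `direction: in` and `interface: docker0` to each `community.general.ufw` task (one entry per bridge if user-defined networks are in use) — or at least narrow `src` to the subnets `docker network inspect` actually reports instead of the whole private space. A comment such as `# Scoped to Docker bridge interfaces only — RFC1918 sources must not be accepted on the public interface` would record that intent next to the rule. It is also worth confirming that UFW is actually on the path here: if Traefik publishes 80/443 through a Docker port mapping, Docker's own iptables chains handle that traffic before ufw's INPUT rules, in which case neither these rules nor the Cloudflare ones are what gates access.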
@@ -2,6 +2,7 @@
 - import_tasks: packages.yml
 - import_tasks: swap.yml
 - import_tasks: sysctl.yml
+- import_tasks: unattended_upgrades.yml
 - import_tasks: users.yml
 - import_tasks: sshd.yml
 - import_tasks: firewall.yml
diff --git a/roles/base/tasks/unattended_upgrades.yml b/roles/base/tasks/unattended_upgrades.yml
new file mode 100644
index 0000000..a26c57f
--- /dev/null
+++ b/roles/base/tasks/unattended_upgrades.yml
@@ -0,0 +1,46 @@
+---
+- name: Install unattended-upgrades
+ ansible.builtin.apt:
+ name:
+ - unattended-upgrades
+ - apt-listchanges
+ state: present
+
+- name: Configure unattended-upgrades
+ ansible.builtin.copy:
+ dest: /etc/apt/apt.conf.d/50unattended-upgrades
+ content: |
+ Unattended-Upgrade::Allowed-Origins {
+ "${distro_id}:${distro_codename}-security";
+ "${distro_id}ESMApps:${distro_codename}-apps-security";
+ "${distro_id}ESM:${distro_codename}-infra-security";
+ };
+
+ // Automatically reboot if required (kernel updates etc.)
+ Unattended-Upgrade::Automatic-Reboot "false";
+
+ // Remove unused dependencies
+ Unattended-Upgrade::Remove-Unused-Dependencies "true";
+ Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+
+ // Send email on errors (optional — comment out if no mail)
+ // Unattended-Upgrade::Mail "admin@csrx.ru";
+
+ // Minimum age of packages before auto-removing
+ Unattended-Upgrade::MinimalSteps "true";
+ mode: "0644"
+
+- name: Enable automatic upgrades
+ ansible.builtin.copy:
+ dest: /etc/apt/apt.conf.d/20auto-upgrades
+ content: |
+ APT::Periodic::Update-Package-Lists "1";
+ APT::Periodic::Unattended-Upgrade "1";
+ APT::Periodic::AutocleanInterval "7";
+ mode: "0644"
+
+- name: Ensure unattended-upgrades service is running
+ ansible.builtin.systemd:
+ name: unattended-upgrades
+ state: started
+ enabled: true
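Review bot: The final task (`name: unattended-upgrades` with `state: started`) does not make upgrades run: on Debian/Ubuntu that unit is the shutdown hook that lets an in-progress upgrade finish, while the periodic runs requested by `APT::Periodic::Unattended-Upgrade "1"` are driven by `apt-daily.timer` and `apt-daily-upgrade.timer`, so if either timer is masked or disabled on the host the play reports success and no security patches are ever applied. Keep the existing task and add one that asserts both timers are enabled (below). Two comments in the rendered config are misleading and land verbatim in `/etc/apt/apt.conf.d/50unattended-upgrades`: `// Minimum age of packages before auto-removing` sits above `MinimalSteps`, which actually splits the upgrade into interruptible steps — use `// Upgrade in small steps so a shutdown cannot leave dpkg half-applied` — and `// Automatically reboot if required` sits above a setting that disables rebooting, so `// Never reboot automatically; kernel/libc updates wait for a manual reboot` is what the value says. With `Automatic-Reboot "false"` and `Unattended-Upgrade::Mail` left commented out, nothing visible here surfaces failed runs or pending reboots; if there is no mail relay, consider at least alerting on `/var/run/reboot-required` and the unattended-upgrades log.

```yaml
# … unchanged: install, config and unattended-upgrades service tasks …
- name: Ensure apt periodic timers are enabled (these drive the unattended-upgrade runs)
  ansible.builtin.systemd:
    name: "{{ item }}"
    state: started
    enabled: true
  loop:
    - apt-daily.timer
    - apt-daily-upgrade.timer
```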