feat: Cloudflare DNS-01 ACME + Docker hardening + sysctl

Cloudflare DNS-01 ACME: - Switch Traefik cert resolver from httpChallenge to dnsChallenge using Cloudflare provider (resolvers: 1.1.1.1, 1.0.0.1) - Add CLOUDFLARE_DNS_API_TOKEN env to Traefik container - Add CF_ZONE_ID + cloudflare_dns_api_token to all/main.yml - Store API token in Ansible Vault Docker daemon hardening: - Add log-driver: json-file with max-size 10m / max-file 3 (prevents disk fill from unbounded container logs) - Add live-restore: true (containers survive Docker daemon restart) Kernel hardening (sysctl): - New roles/base/tasks/sysctl.yml via ansible.posix.sysctl - IP spoofing protection (rp_filter) - Disable ICMP redirects and broadcast pings - SYN flood protection (syncookies, backlog) - Disable IPv6 (not used) - Restrict kernel pointers and dmesg to root - Disable SysRq, suid core dumps Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 04:06:46 +07:00 · 2026-03-22 04:06:46 +07:00 · fccbd1a45a
commit fccbd1a45a
parent e935c897c6
11 changed files with 211 additions and 84 deletions
--- a/inventory/group_vars/all/main.yml
+++ b/inventory/group_vars/all/main.yml
@ -37,6 +37,8 @@ authelia_admin_password_hash:     "{{ vault_authelia_admin_password_hash }}"
 crowdsec_bouncer_key:             "{{ vault_crowdsec_bouncer_key }}"
 s3_access_key:                    "{{ vault_s3_access_key }}"
 s3_secret_key:                    "{{ vault_s3_secret_key }}"
+cloudflare_dns_api_token:         "{{ vault_cloudflare_dns_api_token }}"
+cloudflare_zone_id:               "0935215d596a24a10866a81409ed8332"

 # CI/CD deploy key (public key — not a secret)
 ci_deploy_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdr9mRSSUqt7Ym4wA5RpVyz76wEXSOtVfh2/yCSMIbg ci-deploy@forgejo-runner"
--- a/inventory/group_vars/all/vault.yml
+++ b/inventory/group_vars/all/vault.yml
@ -1,81 +1,86 @@
 $ANSIBLE_VAULT;1.1;AES256
-63316565343636313366333436653062386233326239633136353033363861393962376563373538
-6537376663323364316532303237666231373665613036370a653633333035336334333937313839
-34396166613565646561373237636331363039336539656136363031353466643437626535626235
-3835373662616135660a316533373034626239393465366331633237336238366163633136376561
-39353333323932366464653363653063643037323861343163386331306337643266353762626665
-64396366626333356135373161636239653434353939636365336235646533613336343438373939
-37633037333035346134356664326135646531616266376439303965313432316638336138666161
-64636234373839356362326363383437616265653934656665386231383662316136363164363631
-38393163656639343561636334326133646336383733633966316536323933356236616336333465
-38633365636363363237323232303064353232313030653132393439616462653736346665376165
-64663139396664363561386536643862653766343066363565336261646338323935663564376261
-35373833343563373731623136326666636165346564663133363763396231306665393536656566
-37393431626565396632353931373161326139646537643865336333353462326438666131633636
-38373463666539346230323437616135353166356331643962633537386364623265616239666235
-62336337643562363738323133353339326435333262623563383939626463636434346435343862
-35353366646635383738313561623366363736656465373665663663313632313132316665626635
-35613134313738653165323536326330336539323964316463636630386637353565366464373861
-33376364626633653937386137623936626663326638366235313637363561316265346632353633
-66616334656665663032646663306364303461343163653966633335633039643332343365343630
-32353837643930306534366233366234656436613730356632393466623636623263353139666664
-39623835613935666665393235353234343962623531316633343865313331363337326630383932
-66393263313031346634646335373032633762336462663037656139616531363265666535616135
-36326234303434663036656638393361656365353837386536363834623134353366316135353864
-33346338326534323335366331636338623931333561316466343733656333366632326131303536
-31623662626265323133363635326235363334356537646263643737373661373265306632656538
-38343061623235336537346463653634333837613162303930376532643539386132326539303336
-39333166643864633065653834653365666230393633303866653535376339613533313236396537
-62343136386637623439353061323531646365393733633339353364666633346634363264353166
-62643432653165373663663561653339643066393361333265376236663132653134373465366364
-38616364636337383438663737316630346632353635303430356463343066363766363662333632
-33363633343165663631373064353661666430343266373032373238663466313438313539343139
-34386131393337346364656632653831626561623763333063366166636439313030316664333861
-63643033666639393963626234666334663062346530313237333361303161363564346438306263
-66666365373061306464643836626635323439386565386437646238373064383861353038643335
-65366165353130613762633231393934346562643739666666353865386537376431336333623936
-39363563656432333961303033643365663963663239396330306333376634323139383762373736
-32643630623731356664616336616634353630303731643037313039666339633864323231646530
-61663735653034656137346635323331616130333761623830393137376665356639363963656465
-61303434303466626465656432613230396631363434393839366631306466353030306436663139
-31383461393733666465393733343231313737303833636231636136316530613538623535396230
-36323463306233393138643333663161636461343436646463346165323333323135666131326435
-34656161303664626135616134396266376234343139366561303765323530366632393736353762
-66666639376362366435353639353439663835613463613739643861376666383036326339396537
-35303161363763326439613834633564646161666135613935383739383838346563643961323864
-34633031306664643266623262363065303965336337386332613262646464653933343836336230
-63333934643763383566653762666638643565386264653132313333663130616537346366656463
-63653730613238663365613132303136353965653433386563393836393737646132666237656333
-34663330323437653761663235653565363632393332313630316433313436343539663366343638
-65346534623063343739326166613530633165383266623637653238623133663637626634306337
-36653937393234353136383933323661306263346466613362363739653733373938633332303132
-37383562643630323362303733316664386339653166626338316332353131653531646136626362
-61646263663162313964343939643834363931346462313862633339313866363562613330666163
-66383835323461663133343333303833333662643331633265343364663238393331383634326338
-36646337366638346537653533353038633031653134393831323766306261393232343532653139
-61323139616363356639613664626439613463633564346163636361393339343636353031343165
-37643264663366633034376534626430393431303133373563623132656239333139363764623430
-61303161653930363862373265336432656162623437393239613562633363343337393161646333
-39306338333566646565326631346534613863346236386363313063616462373831646430663738
-30363865356161313931393130363361313663393238663935373834353564346131373866326237
-39313939336435613234646230663835393166636463303030336262303337313339653164633436
-61613931383632623065626161663531336263633263636131393334333337653464323836393266
-38353437643334303434396463313063663564303431666336653636313338616334373836313161
-65383061363736663134316432376136633966616533336365616566396635383666666464636564
-37626465393466623666326565343265346662313938646639613737326534643664386132666336
-31616561663063663739323862333366313130653239326163616631336464323936383638623464
-36623963323837393662306436336261323934313664333634326538336334306133346666613139
-36323735623861316337333666366336626639623933663038666134636136303264356136383231
-64363262353434663263616536333662383331626130353931323034643336303931383166306139
-39336662643162363034653737626564653935336561386439653765326631336636663238653934
-38376162353533343964366232373066326432383362373834303331626161656234326663616135
-62306661346135343665386535356537383362356232613337666433326537363937383530656261
-64393662646639356161343439343035376161366632353136616136643230616135346561353932
-38376462633035666437306636323832623765326366326166323966656635313332313366343832
-38356666313164356437396638393530326136363465313966326430626662383032376337333438
-38656536623966656261386139363734393437623531313935323236643733303661393232666463
-36373933643736393765366131383666336338643465393162376538666663316365366636393532
-34666234313364656536643530396662663832643437616136376439656562326135366530343833
-35613066393034616235393462323038663966356130626666653735663938643332336236316238
-30366536353566393063336137626162303461333332656237646235666533313361626633373931
-39663862343635333162
+61346166346534303931326332346432356137343133353337656364356530626562373464613939
+3233386137316337616638313738383030383534343161330a646337613536633961393064353538
+30653634343031363063373866323634316638333233346231356465326339336337303266353637
+3235636435363631620a386337653334633132656430323166313436626565646662346165646366
+33646439653033366334343330643235336531326333376230653435333430313733353164323564
+62326665346162373265373462666332383366396534316466613935663531643661366464353137
+64663430666237333930316630393637373239336533313364643034633335303963343661633438
+65613630383436313761653738633831636333613962343535643966316164623931346337613338
+31333638326630636430336266643238663665653332616536363535633966643836666434303464
+38383366383232646434343333373836613934633964383362653134613466383932613264616632
+37356130313363633438626238383463356431386539366465363965663332323462626530366166
+65373838393436313633613333306639636165336633393533333063633539313538626436386535
+33636630633366376138386532346664373535333932646335353638613364363433643034653733
+36376136383833363236343538633464396438373862666238623536643366353632343363646130
+66373635323437326530316432666236626239353963616364633266393432636264646466373261
+62626433396133383335363163313136383238633663373336663562326331333933313963303432
+38663365333830356534323532316431616565653638643261646139343662386436663334303234
+33396136373539376238393837363536636565666535636333366430346633323638303962636431
+65326633653161623462656261303036346433383837396436306430396234623964646662666166
+61613432333330313563666133343664333965663465616232633735303032623462653639616461
+30393465373339623664613264383239393538616233653061376434643332336539636135616432
+64363134303865636535353738326466623264643034633734653731623731653531333834363861
+35623739326134623332353762613732666233383466323661323464316464656231663038613161
+38353830643832656538386665376630613465386437303838653566646438613935666363386335
+65343130353864616563353161653938653466316533346234383265643534333231633235316630
+39326339653939653163316633303964303166663039353464666337626235653133333431643262
+32373939313835363236646564636237616232636333636238376265643530356566313864333966
+30386631626437633361326436356630373330303761326665373962376639626363323163316261
+33623334623336393230663232313032663434303330376163633265356130623639303431333333
+32363735366138363435383964623933323062386661656566656238613933346636383737383939
+62353939383235656136383062663164393135626539393966373939666561313334643266333466
+37356164363861626565326364396531626536636266333735663238626234306139306465643733
+65316631343963643666626335363036336263646138373562386662343735346134313836383765
+35306465613831633330616261653537613730613564313635353535366138316332353736373964
+63663366613666306533343331623939383866303864656134343437643665636565356432386432
+34643364393864373935623230343661666238636564376664373830303666343332613436346537
+65363062353338323832653338643063613964653933313231393732343466373138396265663566
+63653835336331373462653638323038383463633733646266653137646264613531363130353232
+31376664303635336565653939613933363539653161343637363131646362343265383131373339
+66353432623266616139643264373832636665386235333839663833613661346632663461356232
+39656463383431663164393564646338356638336530373937366266353264376165643335366335
+32633639633138626633656633376639366432363761323538383731666336313639646566623933
+36326232626333613630356163313731323336313237646363616530303832363233343364313164
+65356137653363313564343062396461653134346335616637346164356539393731636566356265
+65636639633839633835393061393837376634306630646435613066613361396134656465343332
+31623837323830316336383835393037336338383264366138646334326530633331353638376138
+39393534363130316331376636663234383435656666653235613131363862396336636434393736
+64616334643366643330643661623238323063333864303963316166396463613637653764356435
+31633235376363303265386536303032393036333838366237303966626533626466653634643933
+37626266653461336366326430306266643132343137396634323363623562366632323763623934
+31343861643834303864663831623239616266653335616562316463626365623365373162653863
+34326432613230333431643334653165366632353463613465653963353166353334663039316535
+35373230633962646562303065626431366139386339373065343264616639353336643339393162
+65363339653164646435373064313665636262393833386664383064303463653437643633306234
+32653935656530386534333537353966356461343537616338653164383465313830363032313235
+30356339623530363766333963323636306635376238323664656365303661336134316163306165
+38613638656132653463363162623334313636353433316330663733613865366138663165306665
+39666661613365303461373464343233356239656631303536643461653036316435646633313037
+63396165316562326531376266626566303734366434363066653662323131346237653231643931
+37666465633461363735656135396537656637336532303235323433626539336433313835663964
+62663532373461343933306466353331373461336630323038646238653063633562613164663939
+39343039303563393363373165306133336638316633663532393538313834343136376265323038
+39303332373164613836663738613466643637353030663466346437356535393661396236343834
+38626461623238663936633431616637656264323636363763306464393534363134306235643133
+37323131653961343565623433336635663263393436316233616231303431336531313634343565
+64386462333166376261633430303664366630386235366333393662616261636636343562393266
+32326235643737613437393037353330363931363861393134643231656133626162333230376431
+62353530313036376239333137343435393061613332396638626266393065316431616537366562
+30313834633730626463633263356134363635623835613232336366353864383661306363376536
+63643761326437366138386235323839643034393931623961346638346663396532656532633338
+38303266383765303731303935356239303166323633343432393035633531623835656535353637
+31326163656662306435326265396137383163356333303465393437356462333761373732316437
+38653532653332323263363933353264663334396238643232313662326231333935336433633031
+62356462313665653637633630643133383930313665346631383932346135303963353964353662
+65373165643266316638363935363733663533356639383863613333646331636131353464373666
+38653163663265633932323465373238323963323062653165366432313665346666643035613836
+35646363376165323964666439306666303635633865663039393437306139656161636261366363
+66643462383466383434303939326464366339383064323138363131623162333962323766623233
+66386436323934383137333365383264323634336533303162303965303935346666313231663961
+61346632323531393539643134656363353434653538376164643066313537656633663330656364
+30363163363665656230616537393132383735346637366337346634333635616664323566656466
+30656439653630333464656564653963323831323566653037633539663065393532633866373765
+65666138653731326639633864653264343737336334356332653032376639386661333939636434
+63653536333536613639373235643636643066666465323166323835323137616266333935313531
+6531
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@ -1,6 +1,7 @@
 ---
 - import_tasks: packages.yml
 - import_tasks: swap.yml
+- import_tasks: sysctl.yml
 - import_tasks: users.yml
 - import_tasks: sshd.yml
 - import_tasks: firewall.yml
--- a/roles/base/tasks/sysctl.yml
+++ b/roles/base/tasks/sysctl.yml
@ -0,0 +1,52 @@
+---
+# Kernel hardening via sysctl
+# Applied permanently via /etc/sysctl.d/99-hardening.conf
+
+- name: Apply kernel hardening parameters
+  ansible.posix.sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    sysctl_file: /etc/sysctl.d/99-hardening.conf
+    reload: true
+  loop:
+    # ── Network: IP Spoofing protection ───────────────────────────────────────
+    - { name: net.ipv4.conf.all.rp_filter,          value: "1" }
+    - { name: net.ipv4.conf.default.rp_filter,      value: "1" }
+
+    # ── Network: Ignore ICMP redirects ────────────────────────────────────────
+    - { name: net.ipv4.conf.all.accept_redirects,       value: "0" }
+    - { name: net.ipv4.conf.default.accept_redirects,   value: "0" }
+    - { name: net.ipv4.conf.all.send_redirects,         value: "0" }
+    - { name: net.ipv4.conf.default.send_redirects,     value: "0" }
+    - { name: net.ipv6.conf.all.accept_redirects,       value: "0" }
+    - { name: net.ipv6.conf.default.accept_redirects,   value: "0" }
+
+    # ── Network: Ignore broadcast pings ───────────────────────────────────────
+    - { name: net.ipv4.icmp_echo_ignore_broadcasts, value: "1" }
+
+    # ── Network: Ignore bogus error responses ────────────────────────────────
+    - { name: net.ipv4.icmp_ignore_bogus_error_responses, value: "1" }
+
+    # ── Network: SYN flood protection ────────────────────────────────────────
+    - { name: net.ipv4.tcp_syncookies,    value: "1" }
+    - { name: net.ipv4.tcp_max_syn_backlog, value: "2048" }
+    - { name: net.ipv4.tcp_synack_retries,  value: "2" }
+    - { name: net.ipv4.tcp_syn_retries,     value: "5" }
+
+    # ── Network: Disable IPv6 if not needed ──────────────────────────────────
+    - { name: net.ipv6.conf.all.disable_ipv6,     value: "1" }
+    - { name: net.ipv6.conf.default.disable_ipv6, value: "1" }
+    - { name: net.ipv6.conf.lo.disable_ipv6,      value: "1" }
+
+    # ── Kernel: Restrict dmesg to root ───────────────────────────────────────
+    - { name: kernel.dmesg_restrict, value: "1" }
+
+    # ── Kernel: Hide kernel pointers ─────────────────────────────────────────
+    - { name: kernel.kptr_restrict, value: "2" }
+
+    # ── Kernel: Disable SysRq ────────────────────────────────────────────────
+    - { name: kernel.sysrq, value: "0" }
+
+    # ── Memory: Disable core dumps for suid programs ─────────────────────────
+    - { name: fs.suid_dumpable, value: "0" }
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@ -56,14 +56,20 @@
  until: docker_install is succeeded
  notify: Restart Docker

- name: Configure Docker daemon (registry mirrors)
+- name: Configure Docker daemon
  ansible.builtin.copy:
    dest: /etc/docker/daemon.json
    content: |
      {
        "registry-mirrors": [
          "https://dockerhub.timeweb.cloud"
-        ]
+        ],
+        "log-driver": "json-file",
+        "log-opts": {
+          "max-size": "10m",
+          "max-file": "3"
+        },
+        "live-restore": true
      }
    mode: "0644"
  notify: Restart Docker
--- a/roles/services/defaults/main.yml
+++ b/roles/services/defaults/main.yml
@ -32,3 +32,4 @@ crowdsec_bouncer_image: "crowdsecurity/cs-firewall-bouncer:v0.0.31" # https://hu
 authelia_image:      "authelia/authelia:4.38"                      # https://hub.docker.com/r/authelia/authelia/tags
 redis_image:         "redis:7-alpine"                              # shared with plane-redis
 authelia_admin_user: "admin"
+uptime_kuma_image:   "louislam/uptime-kuma:1"                      # https://hub.docker.com/r/louislam/uptime-kuma/tags
--- a/roles/services/templates/docker-compose.yml.j2
+++ b/roles/services/templates/docker-compose.yml.j2
@ -46,6 +46,7 @@ volumes:
  loki_data:
  crowdsec_data:
  authelia_data:
+  uptime_kuma_data:

 services:

@ -68,6 +69,13 @@ services:
      - {{ services_root }}/traefik/dynamic:/etc/traefik/dynamic:ro
      - {{ services_root }}/traefik/acme.json:/acme/acme.json
      - {{ services_root }}/traefik/logs:/var/log/traefik
+    environment:
+      - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_DNS_API_TOKEN}
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
    healthcheck:
      test: ["CMD", "traefik", "healthcheck", "--ping"]
      interval: 30s
@ -618,3 +626,22 @@ services:
    networks:
      - authelia-internal
    command: redis-server --appendonly yes --maxmemory 64mb --maxmemory-policy allkeys-lru
+
+  # ── Uptime Kuma ────────────────────────────────────────────────────────────
+  # Мониторинг доступности сервисов + публичная статус-страница
+  # Доступен по адресу: https://{{ domain_status }}
+  uptime-kuma:
+    image: {{ uptime_kuma_image }}
+    container_name: uptime-kuma
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - backend
+    volumes:
+      - uptime_kuma_data:/app/data
+    healthcheck:
+      test: ["CMD", "wget", "-qO-", "http://localhost:3001/"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
--- a/roles/services/templates/env.j2
+++ b/roles/services/templates/env.j2
@ -16,3 +16,6 @@ AUTHELIA_JWT_SECRET={{ authelia_jwt_secret }}
 AUTHELIA_SESSION_SECRET={{ authelia_session_secret }}
 AUTHELIA_STORAGE_KEY={{ authelia_storage_key }}
 CROWDSEC_BOUNCER_KEY={{ crowdsec_bouncer_key }}
+# Cloudflare DNS-01 ACME challenge
+CLOUDFLARE_DNS_API_TOKEN={{ cloudflare_dns_api_token }}
+CF_ZONE_ID={{ cloudflare_zone_id }}
--- a/roles/services/templates/logrotate/traefik.j2
+++ b/roles/services/templates/logrotate/traefik.j2
@ -0,0 +1,13 @@
+# Generated by Ansible — do not edit manually
+{{ services_root }}/traefik/logs/access.log {
+    daily
+    rotate 14
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root root
+    postrotate
+        docker kill --signal=USR1 traefik 2>/dev/null || true
+    endscript
+}
--- a/roles/services/templates/traefik/dynamic/routes.yml.j2
+++ b/roles/services/templates/traefik/dynamic/routes.yml.j2
@ -85,6 +85,14 @@ http:
      service: authelia
      middlewares: [rate-limit-strict]

+    uptime-kuma:
+      rule: "Host(`{{ domain_status }}`)"
+      entrypoints: [websecure]
+      tls:
+        certresolver: letsencrypt
+      service: uptime-kuma
+      middlewares: [rate-limit-default]
+
  services:
    vaultwarden:
      loadBalancer:
@ -131,6 +139,11 @@ http:
        servers:
          - url: "http://authelia:9091"

+    uptime-kuma:
+      loadBalancer:
+        servers:
+          - url: "http://uptime-kuma:3001"
+
  middlewares:
    # ── Security Headers (applied globally via entrypoint) ─────────────────
    security-headers:
--- a/roles/services/templates/traefik/traefik.yml.j2
+++ b/roles/services/templates/traefik/traefik.yml.j2
@ -93,8 +93,12 @@ certificatesResolvers:
    acme:
      email: "{{ acme_email }}"
      storage: /acme/acme.json
-      httpChallenge:
-        entryPoint: web
+      dnsChallenge:
+        provider: cloudflare
+        # Use Cloudflare DNS resolvers to avoid propagation delays
+        resolvers:
+          - "1.1.1.1:53"
+          - "1.0.0.1:53"

 providers:
  file: