jack/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
90 commits 1 branch 0 tags 692 KiB
Commit graph

11 commits

Author SHA1 Message Date
jack
cbab48fb03 chore: change admin email to walava@tutamail.com
All checks were successful
CI/CD / syntax-check (push) Successful in 1m5s
Details
CI/CD / deploy (push) Successful in 15m48s
Details 
Updates ACME/Let's Encrypt contact email and unattended-upgrades config.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-26 17:43:40 +07:00
jack
66b70827df chore: full project cleanup + documentation
Some checks failed
CI/CD / syntax-check (push) Successful in 1m31s
Details
CI/CD / deploy (push) Has been cancelled
Details 
Syncthing removal (was already decided, now fully removed):
- roles/base/tasks/firewall.yml: remove 3 UFW rules (ports 22000/21027)
- inventory/group_vars/all/main.yml: remove domain_sync, domain_mon, syncthing_basic_auth_htpasswd
- roles/services/templates/env.j2: remove DOMAIN_SYNC
- roles/services/templates/authelia/configuration.yml.j2: remove Syncthing 2FA rule
- roles/services/tasks/directories.yml: remove syncthing/config and syncthing/data dirs
- roles/services/defaults/main.yml: remove syncthing_image
- roles/services/tasks/main.yml: remove syncthing image pull

Security hardening:
- inventory/group_vars/all/main.yml: move cloudflare_zone_id to vault
- inventory/group_vars/all/vault.yml: add vault_cloudflare_zone_id

.gitignore improvements:
- add *.env, acme.json, *.log, editor dirs, venv, temp files

Documentation (new):
- docs/STATUS.md: all services, servers, known issues
- docs/BACKLOG.md: prioritized task list, done/todo
- docs/DECISIONS.md: architecture decisions and rationale
- CLAUDE.md: rewritten with read-first docs, rules, full arch reference

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-22 19:58:12 +07:00
jack
321e1c4daa feat: extend fail2ban with Forgejo SSH and Traefik HTTP jails
Some checks failed
CI/CD / syntax-check (push) Successful in 42s
Details
CI/CD / deploy (push) Failing after 46s
Details 
- Add traefik-auth filter: ban IPs with 10+ HTTP 401/403 in 5 min
- Add forgejo-ssh jail: ban after 3 failed SSH attempts (24h ban)
- Both jails are active; forgejo-ssh already detected 8 real attempts
- Traefik access.log now written to /opt/services/traefik/logs/

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-22 04:51:43 +07:00
jack
5befd48a50 fix: allow Docker bridge networks through UFW for runner + add unattended-upgrades
Some checks are pending
CI/CD / deploy (push) Blocked by required conditions
Details
CI/CD / syntax-check (push) Successful in 41s
Details 
firewall.yml:
- Allow 172.16.0.0/12 and 10.0.0.0/8 on ports 80/443 so act_runner
  job containers can reach git.csrx.ru (Forgejo via Traefik)
- Without this, Cloudflare-only rules broke CI/CD pipeline

unattended_upgrades.yml (new):
- Install unattended-upgrades + apt-listchanges
- Configure auto-apply of security patches only (not all updates)
- Auto-clean every 7 days, remove unused deps
- No auto-reboot (manual control over kernel reboots)

base/tasks/main.yml:
- Add unattended_upgrades.yml to task sequence

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-22 04:11:39 +07:00
jack
fccbd1a45a feat: Cloudflare DNS-01 ACME + Docker hardening + sysctl
Some checks failed
CI/CD / syntax-check (push) Successful in 42s
Details
CI/CD / deploy (push) Failing after 52s
Details 
Cloudflare DNS-01 ACME:
- Switch Traefik cert resolver from httpChallenge to dnsChallenge
  using Cloudflare provider (resolvers: 1.1.1.1, 1.0.0.1)
- Add CLOUDFLARE_DNS_API_TOKEN env to Traefik container
- Add CF_ZONE_ID + cloudflare_dns_api_token to all/main.yml
- Store API token in Ansible Vault

Docker daemon hardening:
- Add log-driver: json-file with max-size 10m / max-file 3
  (prevents disk fill from unbounded container logs)
- Add live-restore: true (containers survive Docker daemon restart)

Kernel hardening (sysctl):
- New roles/base/tasks/sysctl.yml via ansible.posix.sysctl
- IP spoofing protection (rp_filter)
- Disable ICMP redirects and broadcast pings
- SYN flood protection (syncookies, backlog)
- Disable IPv6 (not used)
- Restrict kernel pointers and dmesg to root
- Disable SysRq, suid core dumps

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-22 04:06:46 +07:00
jack
e935c897c6 feat: Cloudflare integration — real IP forwarding + firewall lockdown
Some checks failed
CI/CD / syntax-check (push) Successful in 58s
Details
CI/CD / deploy (push) Failing after 43s
Details 
Traefik traefik.yml.j2:
- Add forwardedHeaders.trustedIPs with all Cloudflare CIDR ranges
  on both web and websecure entrypoints so rate limiting and
  CrowdSec see real visitor IPs, not Cloudflare proxy IPs

firewall.yml:
- Replace open HTTP/HTTPS rules with per-CIDR allow rules
  scoped to Cloudflare IP ranges only
- Direct access to ports 80/443 bypassing Cloudflare is now blocked

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-22 04:02:06 +07:00
jack
a344998405 feat: add uptime-kuma pull, logrotate deploy task, logrotate package
Some checks failed
CI/CD / syntax-check (push) Successful in 41s
Details
CI/CD / deploy (push) Failing after 39s
Details 
- Add uptime_kuma_image to image pull loop in services/tasks/main.yml
- Add logrotate deploy task to services/tasks/configs.yml
- Add logrotate package to base_packages

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-22 03:54:24 +07:00
jack
6ebd237894 feat: major infrastructure improvements
Some checks failed
CI/CD / deploy (push) Has been cancelled
Details
CI/CD / syntax-check (push) Successful in 1m7s
Details 
Reliability:
- Add swap role (2GB, swappiness=10, idempotent via /etc/fstab)
- Add mem_limit to plane-worker (512m) and plane-beat (256m)
- Add health checks to all services (traefik, vaultwarden, forgejo,
  plane-*, syncthing, prometheus, grafana, loki)

Code quality:
- Remove Traefik Docker labels (file provider used, labels were dead code)
- Add comment explaining file provider architecture

Observability:
- Add AlertManager with Telegram notifications
- Add Prometheus alert rules: CPU, RAM, disk, swap, container health
- Add Loki + Promtail for centralized log aggregation
- Add Loki datasource to Grafana
- Enable Traefik /ping endpoint for health checks

Backups:
- Add backup role: pg_dump for forgejo + plane DBs, tar for
  vaultwarden and forgejo data
- 7-day retention, daily cron at 03:00
- Backup script at /usr/local/bin/backup-services

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-22 03:28:16 +07:00
jack
d2d5f12d5a Add Forgejo Actions CI/CD with act_runner
Some checks failed
CI/CD / syntax-check (push) Failing after 12s
Details
CI/CD / deploy (push) Has been skipped
Details 
- Add gitea/act_runner:0.3.0 to docker-compose stack on runner-jobs network
- Add act_runner config template and directory provisioning
- Add FORGEJO_RUNNER_TOKEN to env template
- Add CI deploy SSH public key to authorized_keys via base role
- Create .forgejo/workflows/deploy.yml: syntax-check on PR, deploy on push to master
- Add .claude/launch.json with ansible-playbook configurations

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-21 21:28:15 +07:00
jack
652737239d Add Forgejo SSH port 2222 and open in UFW 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-20 19:43:22 +07:00
jack
a1b97f3e4b Initial commit 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-20 19:39:26 +07:00