infra

jack/infra

Author	SHA1	Message	Date
jack	472c2b944b	feat: replace Outline with Docmost Some checks failed CI/CD / syntax-check (push) Successful in 1m0s Details CI/CD / deploy (push) Failing after 5m1s Details - Replace outline/outline-db/outline-redis with docmost/docmost-db/docmost-redis - Update Traefik route: wiki → http://docmost:3000 - Update S3 bucket: walava-outline → walava-docmost (new bucket created: 481385) - Remove env.outline.j2 deploy task (Docmost config is inline in compose) - Update backup script: outline.sql.gz → docmost.sql.gz - Update CORS task for walava-docmost bucket - Add vault_docmost_app_secret + vault_docmost_db_password secrets - Remove outline_mcp_image (no longer needed) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-27 09:31:51 +07:00
jack	8a3aaa2fca	feat: Terraform infra-as-code + delete mon server + fix S3/Outline Terraform: imported main (7004701) + tools (7076013) into state, destroyed mon (7076015, 188.225.79.34). State: No changes. S3: fix endpoint s3.timeweb.cloud → s3.twcstorage.ru (actual Timeweb endpoint), remove AWS_S3_ACL=private (Timeweb doesn't support per-object ACLs — was causing Outline upload failures). Vault: added vault_timeweb_token. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-27 04:26:33 +07:00
jack	e754d54e81	chore: add outline-mcp to tools stack, clean up stale authelia vars Some checks are pending CI/CD / syntax-check (push) Waiting to run Details CI/CD / deploy (push) Blocked by required conditions Details - Add outline-mcp service to tools docker-compose (was running unmanaged) - Update OUTLINE_URL from csrx.ru → walava.io via domain_wiki variable - Bind port 8765 to 127.0.0.1 only (was 0.0.0.0 — security improvement) - Add vault_outline_mcp_api_key to vault + alias in main.yml - Remove stale authelia_* aliases from main.yml (authelia removed) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-26 22:54:14 +07:00
jack	fb769b2f8c	feat: migrate domain from csrx.ru to walava.io Some checks failed CI/CD / syntax-check (push) Successful in 1m44s Details CI/CD / deploy (push) Failing after 20m21s Details - domain_base changed to walava.io - domain_n8n now auto.walava.io - Added domain_landing for walava.io root - Added walava-web landing page container + Traefik route - Updated Cloudflare token/zone_id for walava.io account - Updated ACME email to walava@tutamail.com - Fixed discord-bot image to use domain_base variable - DNS records already created in Cloudflare Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-26 22:17:00 +07:00
jack	cbab48fb03	chore: change admin email to walava@tutamail.com All checks were successful CI/CD / syntax-check (push) Successful in 1m5s Details CI/CD / deploy (push) Successful in 15m48s Details Updates ACME/Let's Encrypt contact email and unattended-upgrades config. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-26 17:43:40 +07:00
jack	8b140473b4	feat: add Resend SMTP for Outline email auth Some checks failed CI/CD / syntax-check (push) Successful in 1m8s Details CI/CD / deploy (push) Has been cancelled Details Configures smtp.resend.com as SMTP provider for Outline magic links. Domain csrx.ru needs verification in Resend dashboard. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-26 17:38:35 +07:00
jack	4b00804f3e	fix: use forgejo_api_token for webhook creation, cover both repos Some checks failed CI/CD / syntax-check (push) Successful in 1m6s Details CI/CD / deploy (push) Has been cancelled Details - Add vault_forgejo_api_token (Personal Access Token with write:repository) - Ansible task now creates Discord webhook on both jack/infra and jack/discord-bot - Webhooks already created manually for this deploy Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-26 05:53:25 +07:00
jack	0315ee6a72	feat: add Discord bot service + workflow_dispatch trigger All checks were successful CI/CD / syntax-check (push) Successful in 1m5s Details CI/CD / deploy (push) Successful in 14m7s Details - Add discord-bot container to docker-compose (uses git.csrx.ru registry image) - Inject DISCORD_BOT_TOKEN via .env, bot accesses Docker socket + Prometheus - Add vault_discord_bot_{token,app_id,public_key}, aliases in main.yml - Add workflow_dispatch to deploy.yml so /deploy bot command works Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-26 05:27:42 +07:00
jack	f6f283944f	vault: add OpenRouter API key, remove Syncthing remnant Some checks failed CI/CD / syntax-check (push) Successful in 1m6s Details CI/CD / deploy (push) Has been cancelled Details - Added vault_openrouter_api_key for n8n AI automations - Added openrouter_api_key alias in main.yml - Removed vault_syncthing_basic_auth_htpasswd (Syncthing was removed) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-26 05:16:44 +07:00
jack	d83ead2cbe	feat(discord): integrate alerts and deploy notifications Some checks failed CI/CD / syntax-check (push) Successful in 1m3s Details CI/CD / deploy (push) Has been cancelled Details - Add discord_webhook_alerts and discord_webhook_deploys to vault + main.yml - AlertManager: send alerts to both Telegram and Discord #alerts channel - Forgejo: auto-create Discord webhook on repo pushes → #deploys channel Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-26 04:58:12 +07:00
jack	75bed6bb04	feat: remove mail stack and Vaultwarden Some checks failed CI/CD / syntax-check (push) Successful in 1m15s Details CI/CD / deploy (push) Has been cancelled Details Removed services: - docker-mailserver (Postfix + Dovecot) - SnappyMail webmail - Vaultwarden password manager Removed infrastructure: - certbot + Cloudflare DNS-01 TLS for mx.csrx.ru - UFW rules for ports 25/587/993/465 - mail-internal and webmail-internal Docker networks - SMTP config from Outline env - vault, mail Traefik routes - All related vault secrets and variables Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-26 04:06:29 +07:00
jack	66b70827df	chore: full project cleanup + documentation Some checks failed CI/CD / syntax-check (push) Successful in 1m31s Details CI/CD / deploy (push) Has been cancelled Details Syncthing removal (was already decided, now fully removed): - roles/base/tasks/firewall.yml: remove 3 UFW rules (ports 22000/21027) - inventory/group_vars/all/main.yml: remove domain_sync, domain_mon, syncthing_basic_auth_htpasswd - roles/services/templates/env.j2: remove DOMAIN_SYNC - roles/services/templates/authelia/configuration.yml.j2: remove Syncthing 2FA rule - roles/services/tasks/directories.yml: remove syncthing/config and syncthing/data dirs - roles/services/defaults/main.yml: remove syncthing_image - roles/services/tasks/main.yml: remove syncthing image pull Security hardening: - inventory/group_vars/all/main.yml: move cloudflare_zone_id to vault - inventory/group_vars/all/vault.yml: add vault_cloudflare_zone_id .gitignore improvements: - add .env, acme.json, .log, editor dirs, venv, temp files Documentation (new): - docs/STATUS.md: all services, servers, known issues - docs/BACKLOG.md: prioritized task list, done/todo - docs/DECISIONS.md: architecture decisions and rationale - CLAUDE.md: rewritten with read-first docs, rules, full arch reference Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 19:58:12 +07:00
jack	644b5b74c1	feat: add SnappyMail webmail and docker-mailserver with full send/receive Some checks failed CI/CD / syntax-check (push) Successful in 1m35s Details CI/CD / deploy (push) Failing after 17m28s Details - Add docker-mailserver (Postfix+Dovecot) with SSL via certbot+Cloudflare DNS-01 - Add SnappyMail webmail client at webmail.csrx.ru (port 8888) - Open UFW ports 25/465/587/993 on tools server - Create mail accounts: noreply@, admin@, jack@csrx.ru - Generate DKIM key and print DNS instructions on first run - Add Traefik route on main server proxying webmail → tools:8888 - Add all secrets to vault (mailserver passwords, snappymail admin) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 17:21:25 +07:00
jack	26c0df851e	feat: full mail server — send + receive for @csrx.ru Some checks failed CI/CD / syntax-check (push) Successful in 1m25s Details CI/CD / deploy (push) Has been cancelled Details Upgrade docker-mailserver from SMTP_ONLY to full Postfix + Dovecot: - Remove SMTP_ONLY, enable Dovecot (IMAP) and Rspamd (spam filter) - Expose ports 25 (SMTP), 587 (submission), 993 (IMAPS), 465 (SMTPS) - SSL_TYPE=letsencrypt — certbot obtains cert for mail.csrx.ru via Cloudflare DNS-01 challenge (uses existing cloudflare_dns_api_token) - UFW: open ports 25, 587, 993, 465 - Accounts: admin@csrx.ru, jack@csrx.ru, noreply@csrx.ru Mail client settings after deploy: IMAP: mail.csrx.ru:993 (SSL) SMTP: mail.csrx.ru:587 (STARTTLS) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 17:16:09 +07:00
jack	b616c18c58	feat: add docker-mailserver for self-hosted outbound SMTP Some checks failed CI/CD / syntax-check (push) Successful in 1m6s Details CI/CD / deploy (push) Failing after 18m22s Details Adds docker-mailserver (SMTP_ONLY mode) to the tools stack so Outline can send magic-link emails without depending on an external SMTP provider. Changes: - docker-compose.yml.j2: add mailserver service + mail-internal network outline gets mail-internal network to reach mailserver - env.j2: point Outline SMTP at local mailserver:587 with noreply account - defaults/main.yml: add mailserver_image (v14) - tasks/main.yml: create mailserver dirs, wait for postfix ready, idempotent account creation, DKIM key generation + DNS instructions - inventory/group_vars/all/main.yml: add mailserver_noreply_password alias - vault.yml: add vault_mailserver_noreply_password After deploy, Ansible will print DKIM/SPF/DMARC DNS records to add to Cloudflare. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 16:28:29 +07:00
jack	92d2c845d8	feat: add n8n, outline routes, remove syncthing, fix backup awscli Some checks failed CI/CD / syntax-check (push) Successful in 1m14s Details CI/CD / deploy (push) Failing after 10m51s Details - Add n8n to tools server (n8n.csrx.ru) - Add cross-server Traefik routes: wiki.csrx.ru + n8n.csrx.ru → tools - Remove Syncthing (replaced by Outline wiki) - Fix awscli install: download static binary (apt/pip broken on Ubuntu 24.04) - Add n8n secrets to vault (encryption key + JWT secret) - Improve CI/CD workflow: syntax-check both playbooks, deploy both servers - Update site.yml: unified single-command deploy for all servers Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 06:19:39 +07:00
jack	05bcbab858	feat: add tools role (Outline wiki) + 3-server architecture Some checks failed CI/CD / syntax-check (push) Successful in 59s Details CI/CD / deploy (push) Failing after 11m20s Details Services: - Outline wiki at wiki.csrx.ru → visual-tools:3000 - Outline uses Timeweb S3 (visual-outline bucket) for files Structure: - roles/tools/ — docker-compose + env templates for tools server - playbooks/tools.yml — deploys base+docker+tools to visual-tools Config changes: - domain_dashboard: dashboard → dash.csrx.ru - domain_wiki: wiki.csrx.ru (new) - domain_mon: mon.csrx.ru (new, for Grafana) - ip_main/tools/mon vars for cross-server Traefik routing - outline_* secrets added to vault + main.yml aliases Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 05:36:04 +07:00
jack	85a5857a5f	infra: add visual-tools and visual-mon servers, fix inventory Some checks failed CI/CD / syntax-check (push) Successful in 44s Details CI/CD / deploy (push) Has been cancelled Details - Add 2 new Timeweb VPS (1vCPU/2GB/30GB, 550₽/мес each): visual-tools 85.193.83.9 — Outline, Uptime Kuma visual-mon 188.225.79.34 — Grafana, Prometheus, Loki, AlertManager - Restructure hosts.ini into groups: [main] [tools] [mon] [all_servers] - Update bootstrap.yml to target all_servers group - Fix vault.yml: replace invalid YAML escape \$ with single-quoted string in vault_authelia_admin_password_hash (caused YAML parse error) Budget: ~1000 + 550 + 550 = 2100₽/мес (well within 3000₽ limit) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 05:28:07 +07:00
jack	fccbd1a45a	feat: Cloudflare DNS-01 ACME + Docker hardening + sysctl Some checks failed CI/CD / syntax-check (push) Successful in 42s Details CI/CD / deploy (push) Failing after 52s Details Cloudflare DNS-01 ACME: - Switch Traefik cert resolver from httpChallenge to dnsChallenge using Cloudflare provider (resolvers: 1.1.1.1, 1.0.0.1) - Add CLOUDFLARE_DNS_API_TOKEN env to Traefik container - Add CF_ZONE_ID + cloudflare_dns_api_token to all/main.yml - Store API token in Ansible Vault Docker daemon hardening: - Add log-driver: json-file with max-size 10m / max-file 3 (prevents disk fill from unbounded container logs) - Add live-restore: true (containers survive Docker daemon restart) Kernel hardening (sysctl): - New roles/base/tasks/sysctl.yml via ansible.posix.sysctl - IP spoofing protection (rp_filter) - Disable ICMP redirects and broadcast pings - SYN flood protection (syncookies, backlog) - Disable IPv6 (not used) - Restrict kernel pointers and dmesg to root - Disable SysRq, suid core dumps Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 04:06:46 +07:00
jack	fc6b1c0cec	feat: Timeweb S3 offsite backup uploads Some checks failed CI/CD / syntax-check (push) Successful in 39s Details CI/CD / deploy (push) Has been cancelled Details - Add vault_s3_access_key / vault_s3_secret_key to Ansible Vault - Expose via s3_access_key / s3_secret_key in all/main.yml - Add s3_endpoint + s3_bucket to backup role defaults - Install awscli via apt in backup role tasks - Extend backup.sh.j2: upload *.gz to S3 after local backup, prune S3 objects older than backup_retention_days Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 03:58:58 +07:00
jack	aa9706bbc4	feat: comprehensive security hardening Some checks failed CI/CD / syntax-check (push) Successful in 43s Details CI/CD / deploy (push) Failing after 59s Details Traefik: - Enable access logs → /var/log/traefik/access.log (needed for CrowdSec) - Add global security headers middleware: HSTS, X-Frame-Options, CSP, nosniff, XSS filter, referrer policy, permissions policy - Add rate limiting: default 100/s, API 30/s, admin 10/s (strict) - Add Authelia ForwardAuth middleware for SSO integration CrowdSec (new service): - Analyzes Traefik access logs + auth.log in real time - Community IP reputation blocklist (crowdsecurity/traefik + http-cve) - Firewall bouncer: bans malicious IPs at kernel level (iptables) Authelia (new service, auth.csrx.ru): - 2FA/SSO portal with TOTP (Google Authenticator) - Protects: traefik.csrx.ru, sync.csrx.ru, /god-mode/ in Plane - Session: 12h expiry, 30m inactivity, Redis backend - argon2id password hashing Container security: - Add security_opt: no-new-privileges to traefik, vaultwarden, forgejo, grafana, authelia CI/CD security: - Remove hardcoded server IP 87.249.49.32 from workflow - Use SSH_KNOWN_HOSTS secret instead of ssh-keyscan (prevents MITM) - Added SSH_KNOWN_HOSTS secret to Forgejo Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 03:44:54 +07:00
jack	a42ff4afc7	feat: configure Telegram alerting in AlertManager All checks were successful CI/CD / syntax-check (push) Successful in 1m28s Details CI/CD / deploy (push) Successful in 6m52s Details Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 03:31:35 +07:00
jack	6ebd237894	feat: major infrastructure improvements Some checks failed CI/CD / deploy (push) Has been cancelled Details CI/CD / syntax-check (push) Successful in 1m7s Details Reliability: - Add swap role (2GB, swappiness=10, idempotent via /etc/fstab) - Add mem_limit to plane-worker (512m) and plane-beat (256m) - Add health checks to all services (traefik, vaultwarden, forgejo, plane-*, syncthing, prometheus, grafana, loki) Code quality: - Remove Traefik Docker labels (file provider used, labels were dead code) - Add comment explaining file provider architecture Observability: - Add AlertManager with Telegram notifications - Add Prometheus alert rules: CPU, RAM, disk, swap, container health - Add Loki + Promtail for centralized log aggregation - Add Loki datasource to Grafana - Enable Traefik /ping endpoint for health checks Backups: - Add backup role: pg_dump for forgejo + plane DBs, tar for vaultwarden and forgejo data - 7-day retention, daily cron at 03:00 - Backup script at /usr/local/bin/backup-services Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 03:28:16 +07:00
jack	972a76db4c	feat: add monitoring stack (Prometheus + Grafana + cAdvisor + Node Exporter) All checks were successful CI/CD / syntax-check (push) Successful in 3m0s Details CI/CD / deploy (push) Successful in 6m51s Details - Adds monitoring Docker network (internal) - Prometheus scrapes node-exporter (host metrics) and cAdvisor (containers) with 30-day retention - Grafana exposed at dashboard.csrx.ru with pre-provisioned datasource and two dashboards: Node Exporter Full (1860) and cAdvisor (14282) - Vault secret: vault_grafana_admin_password Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 03:05:34 +07:00
jack	6afd298730	fix: commit encrypted vault file so CI can decrypt it All checks were successful CI/CD / syntax-check (push) Successful in 2m0s Details CI/CD / deploy (push) Successful in 7m43s Details vault.yml was in .gitignore so CI jobs had no vault variables. The file is AES-256 encrypted — safe to commit to a private repo. The password stays in ~/.vault-password-file (still gitignored). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 00:19:44 +07:00

25 commits