8 commits

Author	SHA1	Message	Date
jack	fde51352d7	feat: migrate monitoring to tools server, fix Outline S3 uploads ... Monitoring stack (Prometheus, AlertManager, Grafana, Loki, Uptime Kuma) moved from main to tools server. Prometheus now scrapes main exporters over network (ip_main:9100/8080). Promtail pushes logs to ip_tools:3100. Traefik routes for dash/status.walava.io updated to ip_tools. discord-bot PROMETHEUS_URL updated to http://ip_tools:9090. Outline S3 fix: remove AWS_S3_ACL=private (Timeweb doesn't support per-object ACLs — caused upload failures). Add CORS configuration task for browser-side presigned uploads. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-27 04:10:28 +07:00
jack	a620bb381c	fix: remove all remaining Vaultwarden references after service removal ... - tasks/main.yml: remove vaultwarden_image from image pull list - tasks/directories.yml: remove vaultwarden/data directory creation - backup.sh.j2: remove Vaultwarden backup/restore section and stop command Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-26 04:49:12 +07:00
jack	66b70827df	chore: full project cleanup + documentation ... Syncthing removal (was already decided, now fully removed): - roles/base/tasks/firewall.yml: remove 3 UFW rules (ports 22000/21027) - inventory/group_vars/all/main.yml: remove domain_sync, domain_mon, syncthing_basic_auth_htpasswd - roles/services/templates/env.j2: remove DOMAIN_SYNC - roles/services/templates/authelia/configuration.yml.j2: remove Syncthing 2FA rule - roles/services/tasks/directories.yml: remove syncthing/config and syncthing/data dirs - roles/services/defaults/main.yml: remove syncthing_image - roles/services/tasks/main.yml: remove syncthing image pull Security hardening: - inventory/group_vars/all/main.yml: move cloudflare_zone_id to vault - inventory/group_vars/all/vault.yml: add vault_cloudflare_zone_id .gitignore improvements: - add *.env, acme.json, *.log, editor dirs, venv, temp files Documentation (new): - docs/STATUS.md: all services, servers, known issues - docs/BACKLOG.md: prioritized task list, done/todo - docs/DECISIONS.md: architecture decisions and rationale - CLAUDE.md: rewritten with read-first docs, rules, full arch reference Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 19:58:12 +07:00
jack	aa9706bbc4	feat: comprehensive security hardening ... Traefik: - Enable access logs → /var/log/traefik/access.log (needed for CrowdSec) - Add global security headers middleware: HSTS, X-Frame-Options, CSP, nosniff, XSS filter, referrer policy, permissions policy - Add rate limiting: default 100/s, API 30/s, admin 10/s (strict) - Add Authelia ForwardAuth middleware for SSO integration CrowdSec (new service): - Analyzes Traefik access logs + auth.log in real time - Community IP reputation blocklist (crowdsecurity/traefik + http-cve) - Firewall bouncer: bans malicious IPs at kernel level (iptables) Authelia (new service, auth.csrx.ru): - 2FA/SSO portal with TOTP (Google Authenticator) - Protects: traefik.csrx.ru, sync.csrx.ru, /god-mode/ in Plane - Session: 12h expiry, 30m inactivity, Redis backend - argon2id password hashing Container security: - Add security_opt: no-new-privileges to traefik, vaultwarden, forgejo, grafana, authelia CI/CD security: - Remove hardcoded server IP 87.249.49.32 from workflow - Use SSH_KNOWN_HOSTS secret instead of ssh-keyscan (prevents MITM) - Added SSH_KNOWN_HOSTS secret to Forgejo Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 03:44:54 +07:00
jack	6ebd237894	feat: major infrastructure improvements ... Reliability: - Add swap role (2GB, swappiness=10, idempotent via /etc/fstab) - Add mem_limit to plane-worker (512m) and plane-beat (256m) - Add health checks to all services (traefik, vaultwarden, forgejo, plane-*, syncthing, prometheus, grafana, loki) Code quality: - Remove Traefik Docker labels (file provider used, labels were dead code) - Add comment explaining file provider architecture Observability: - Add AlertManager with Telegram notifications - Add Prometheus alert rules: CPU, RAM, disk, swap, container health - Add Loki + Promtail for centralized log aggregation - Add Loki datasource to Grafana - Enable Traefik /ping endpoint for health checks Backups: - Add backup role: pg_dump for forgejo + plane DBs, tar for vaultwarden and forgejo data - 7-day retention, daily cron at 03:00 - Backup script at /usr/local/bin/backup-services Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 03:28:16 +07:00
jack	972a76db4c	feat: add monitoring stack (Prometheus + Grafana + cAdvisor + Node Exporter) ... - Adds monitoring Docker network (internal) - Prometheus scrapes node-exporter (host metrics) and cAdvisor (containers) with 30-day retention - Grafana exposed at dashboard.csrx.ru with pre-provisioned datasource and two dashboards: Node Exporter Full (1860) and cAdvisor (14282) - Vault secret: vault_grafana_admin_password Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 03:05:34 +07:00
jack	d2d5f12d5a	Add Forgejo Actions CI/CD with act_runner ... - Add gitea/act_runner:0.3.0 to docker-compose stack on runner-jobs network - Add act_runner config template and directory provisioning - Add FORGEJO_RUNNER_TOKEN to env template - Add CI deploy SSH public key to authorized_keys via base role - Create .forgejo/workflows/deploy.yml: syntax-check on PR, deploy on push to master - Add .claude/launch.json with ansible-playbook configurations Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-21 21:28:15 +07:00
jack	a1b97f3e4b	Initial commit ... Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-20 19:39:26 +07:00