10 commits

Author	SHA1	Message	Date
jack	fccbd1a45a	feat: Cloudflare DNS-01 ACME + Docker hardening + sysctl ... Cloudflare DNS-01 ACME: - Switch Traefik cert resolver from httpChallenge to dnsChallenge using Cloudflare provider (resolvers: 1.1.1.1, 1.0.0.1) - Add CLOUDFLARE_DNS_API_TOKEN env to Traefik container - Add CF_ZONE_ID + cloudflare_dns_api_token to all/main.yml - Store API token in Ansible Vault Docker daemon hardening: - Add log-driver: json-file with max-size 10m / max-file 3 (prevents disk fill from unbounded container logs) - Add live-restore: true (containers survive Docker daemon restart) Kernel hardening (sysctl): - New roles/base/tasks/sysctl.yml via ansible.posix.sysctl - IP spoofing protection (rp_filter) - Disable ICMP redirects and broadcast pings - SYN flood protection (syncookies, backlog) - Disable IPv6 (not used) - Restrict kernel pointers and dmesg to root - Disable SysRq, suid core dumps Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 04:06:46 +07:00
jack	fc6b1c0cec	feat: Timeweb S3 offsite backup uploads ... - Add vault_s3_access_key / vault_s3_secret_key to Ansible Vault - Expose via s3_access_key / s3_secret_key in all/main.yml - Add s3_endpoint + s3_bucket to backup role defaults - Install awscli via apt in backup role tasks - Extend backup.sh.j2: upload *.gz to S3 after local backup, prune S3 objects older than backup_retention_days Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 03:58:58 +07:00
jack	aa9706bbc4	feat: comprehensive security hardening ... Traefik: - Enable access logs → /var/log/traefik/access.log (needed for CrowdSec) - Add global security headers middleware: HSTS, X-Frame-Options, CSP, nosniff, XSS filter, referrer policy, permissions policy - Add rate limiting: default 100/s, API 30/s, admin 10/s (strict) - Add Authelia ForwardAuth middleware for SSO integration CrowdSec (new service): - Analyzes Traefik access logs + auth.log in real time - Community IP reputation blocklist (crowdsecurity/traefik + http-cve) - Firewall bouncer: bans malicious IPs at kernel level (iptables) Authelia (new service, auth.csrx.ru): - 2FA/SSO portal with TOTP (Google Authenticator) - Protects: traefik.csrx.ru, sync.csrx.ru, /god-mode/ in Plane - Session: 12h expiry, 30m inactivity, Redis backend - argon2id password hashing Container security: - Add security_opt: no-new-privileges to traefik, vaultwarden, forgejo, grafana, authelia CI/CD security: - Remove hardcoded server IP 87.249.49.32 from workflow - Use SSH_KNOWN_HOSTS secret instead of ssh-keyscan (prevents MITM) - Added SSH_KNOWN_HOSTS secret to Forgejo Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 03:44:54 +07:00
jack	a42ff4afc7	feat: configure Telegram alerting in AlertManager ... Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 03:31:35 +07:00
jack	6ebd237894	feat: major infrastructure improvements ... Reliability: - Add swap role (2GB, swappiness=10, idempotent via /etc/fstab) - Add mem_limit to plane-worker (512m) and plane-beat (256m) - Add health checks to all services (traefik, vaultwarden, forgejo, plane-*, syncthing, prometheus, grafana, loki) Code quality: - Remove Traefik Docker labels (file provider used, labels were dead code) - Add comment explaining file provider architecture Observability: - Add AlertManager with Telegram notifications - Add Prometheus alert rules: CPU, RAM, disk, swap, container health - Add Loki + Promtail for centralized log aggregation - Add Loki datasource to Grafana - Enable Traefik /ping endpoint for health checks Backups: - Add backup role: pg_dump for forgejo + plane DBs, tar for vaultwarden and forgejo data - 7-day retention, daily cron at 03:00 - Backup script at /usr/local/bin/backup-services Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 03:28:16 +07:00
jack	972a76db4c	feat: add monitoring stack (Prometheus + Grafana + cAdvisor + Node Exporter) ... - Adds monitoring Docker network (internal) - Prometheus scrapes node-exporter (host metrics) and cAdvisor (containers) with 30-day retention - Grafana exposed at dashboard.csrx.ru with pre-provisioned datasource and two dashboards: Node Exporter Full (1860) and cAdvisor (14282) - Vault secret: vault_grafana_admin_password Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 03:05:34 +07:00
jack	6afd298730	fix: commit encrypted vault file so CI can decrypt it ... vault.yml was in .gitignore so CI jobs had no vault variables. The file is AES-256 encrypted — safe to commit to a private repo. The password stays in ~/.vault-password-file (still gitignored). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 00:19:44 +07:00
jack	9bfb702322	ci: fix syntax-check vault password, update CI deploy key ... - Add vault password step to syntax-check job (ansible needs it even for --syntax-check) - Regenerate CI deploy SSH key (old private key was lost, new pair generated) - Add VAULT_PASSWORD and SSH_PRIVATE_KEY secrets to Forgejo via API Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-21 23:22:17 +07:00
jack	d2d5f12d5a	Add Forgejo Actions CI/CD with act_runner ... - Add gitea/act_runner:0.3.0 to docker-compose stack on runner-jobs network - Add act_runner config template and directory provisioning - Add FORGEJO_RUNNER_TOKEN to env template - Add CI deploy SSH public key to authorized_keys via base role - Create .forgejo/workflows/deploy.yml: syntax-check on PR, deploy on push to master - Add .claude/launch.json with ansible-playbook configurations Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-21 21:28:15 +07:00
jack	a1b97f3e4b	Initial commit ... Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-20 19:39:26 +07:00