jack/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
107 commits 1 branch 0 tags 784 KiB
Commit graph

9 commits

Author SHA1 Message Date
jack
44ccdf4882 refactor: remove tools server, Vaultwarden, monitoring stack; rename plane→hub
Some checks failed
CI/CD / syntax-check (push) Successful in 1m30s
Details
CI/CD / deploy (push) Failing after 6m8s
Details 
- Remove tools server entirely (roles/tools, playbooks/tools.yml, CI deploy step)
- Remove Vaultwarden (already absent from compose, clean up vars)
- Remove node-exporter, cadvisor, promtail from main stack
- Remove grafana/uptime-kuma Traefik routes (pointed to tools)
- Remove monitoring network from docker-compose
- Remove tools vault vars (grafana_admin_password, alertmanager telegram)
- Rename domain_plane: plane.walava.io → hub.walava.io
- Update CI workflow to only deploy main server
- Update STATUS.md and BACKLOG.md to reflect current state
 2026-03-27 19:05:19 +07:00
jack
0315ee6a72 feat: add Discord bot service + workflow_dispatch trigger
All checks were successful
CI/CD / syntax-check (push) Successful in 1m5s
Details
CI/CD / deploy (push) Successful in 14m7s
Details 
- Add discord-bot container to docker-compose (uses git.csrx.ru registry image)
- Inject DISCORD_BOT_TOKEN via .env, bot accesses Docker socket + Prometheus
- Add vault_discord_bot_{token,app_id,public_key}, aliases in main.yml
- Add workflow_dispatch to deploy.yml so /deploy bot command works

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-26 05:27:42 +07:00
jack
54ba45acaa fix: ensure SSH private key has trailing newline in CI workflow
Some checks failed
CI/CD / syntax-check (push) Successful in 1m10s
Details
CI/CD / deploy (push) Failing after 11m44s
Details 
printf '%s' strips trailing newlines; use printf '%s\n' to ensure
the OpenSSH key file is well-formed and passes libcrypto validation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-22 15:18:09 +07:00
jack
92d2c845d8 feat: add n8n, outline routes, remove syncthing, fix backup awscli
Some checks failed
CI/CD / syntax-check (push) Successful in 1m14s
Details
CI/CD / deploy (push) Failing after 10m51s
Details 
- Add n8n to tools server (n8n.csrx.ru)
- Add cross-server Traefik routes: wiki.csrx.ru + n8n.csrx.ru → tools
- Remove Syncthing (replaced by Outline wiki)
- Fix awscli install: download static binary (apt/pip broken on Ubuntu 24.04)
- Add n8n secrets to vault (encryption key + JWT secret)
- Improve CI/CD workflow: syntax-check both playbooks, deploy both servers
- Update site.yml: unified single-command deploy for all servers

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-22 06:19:39 +07:00
jack
aa9706bbc4 feat: comprehensive security hardening
Some checks failed
CI/CD / syntax-check (push) Successful in 43s
Details
CI/CD / deploy (push) Failing after 59s
Details 
Traefik:
- Enable access logs → /var/log/traefik/access.log (needed for CrowdSec)
- Add global security headers middleware: HSTS, X-Frame-Options, CSP,
  nosniff, XSS filter, referrer policy, permissions policy
- Add rate limiting: default 100/s, API 30/s, admin 10/s (strict)
- Add Authelia ForwardAuth middleware for SSO integration

CrowdSec (new service):
- Analyzes Traefik access logs + auth.log in real time
- Community IP reputation blocklist (crowdsecurity/traefik + http-cve)
- Firewall bouncer: bans malicious IPs at kernel level (iptables)

Authelia (new service, auth.csrx.ru):
- 2FA/SSO portal with TOTP (Google Authenticator)
- Protects: traefik.csrx.ru, sync.csrx.ru, /god-mode/ in Plane
- Session: 12h expiry, 30m inactivity, Redis backend
- argon2id password hashing

Container security:
- Add security_opt: no-new-privileges to traefik, vaultwarden,
  forgejo, grafana, authelia

CI/CD security:
- Remove hardcoded server IP 87.249.49.32 from workflow
- Use SSH_KNOWN_HOSTS secret instead of ssh-keyscan (prevents MITM)
- Added SSH_KNOWN_HOSTS secret to Forgejo

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-22 03:44:54 +07:00
jack
48f34e3e93 ci: fix ansible-galaxy --quiet flag (not supported)
Some checks failed
CI/CD / syntax-check (push) Successful in 2m9s
Details
CI/CD / deploy (push) Failing after 3m0s
Details 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-21 23:31:33 +07:00
jack
9bfb702322 ci: fix syntax-check vault password, update CI deploy key
Some checks failed
CI/CD / syntax-check (push) Successful in 2m24s
Details
CI/CD / deploy (push) Failing after 2m4s
Details 
- Add vault password step to syntax-check job (ansible needs it even for --syntax-check)
- Regenerate CI deploy SSH key (old private key was lost, new pair generated)
- Add VAULT_PASSWORD and SSH_PRIVATE_KEY secrets to Forgejo via API

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-21 23:22:17 +07:00
jack
6580e42f53 Fix CI workflow: remove container directive, use runner image directly
Some checks failed
CI/CD / syntax-check (push) Failing after 2m13s
Details
CI/CD / deploy (push) Has been skipped
Details 
- Remove container: python:3.12-slim (lacked Node.js for actions/checkout)
- Use runner's ubuntu-latest image which has Node.js + Python pre-installed
- Fix deploy job if condition (remove ${{ }} wrapper)
- Enable debug logging in act_runner config

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-21 22:34:56 +07:00
jack
d2d5f12d5a Add Forgejo Actions CI/CD with act_runner
Some checks failed
CI/CD / syntax-check (push) Failing after 12s
Details
CI/CD / deploy (push) Has been skipped
Details 
- Add gitea/act_runner:0.3.0 to docker-compose stack on runner-jobs network
- Add act_runner config template and directory provisioning
- Add FORGEJO_RUNNER_TOKEN to env template
- Add CI deploy SSH public key to authorized_keys via base role
- Create .forgejo/workflows/deploy.yml: syntax-check on PR, deploy on push to master
- Add .claude/launch.json with ansible-playbook configurations

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-21 21:28:15 +07:00