4090d8289b
fix: add username/icon_url to Forgejo Discord webhook config
...
CI/CD / syntax-check (push) Successful in 1m8s
CI/CD / deploy (push) Successful in 13m10s
Prevents the 'meta json: readObjectStart' error on fresh deploys.
Existing hooks already fixed via direct DB update.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-26 06:10:56 +07:00
4b00804f3e
fix: use forgejo_api_token for webhook creation, cover both repos
...
CI/CD / syntax-check (push) Successful in 1m6s
CI/CD / deploy (push) Has been cancelled
- Add vault_forgejo_api_token (Personal Access Token with write:repository)
- Ansible task now creates Discord webhook on both jack/infra and jack/discord-bot
- Webhooks already created manually for this deploy
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-26 05:53:25 +07:00
d83ead2cbe
feat(discord): integrate alerts and deploy notifications
...
CI/CD / syntax-check (push) Successful in 1m3s
CI/CD / deploy (push) Has been cancelled
- Add discord_webhook_alerts and discord_webhook_deploys to vault + main.yml
- AlertManager: send alerts to both Telegram and Discord #alerts channel
- Forgejo: auto-create Discord webhook on repo pushes → #deploys channel
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-26 04:58:12 +07:00
a620bb381c
fix: remove all remaining Vaultwarden references after service removal
...
CI/CD / syntax-check (push) Successful in 1m1s
CI/CD / deploy (push) Has been cancelled
- tasks/main.yml: remove vaultwarden_image from image pull list
- tasks/directories.yml: remove vaultwarden/data directory creation
- backup.sh.j2: remove Vaultwarden backup/restore section and stop command
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-26 04:49:12 +07:00
66b70827df
chore: full project cleanup + documentation
...
CI/CD / syntax-check (push) Successful in 1m31s
CI/CD / deploy (push) Has been cancelled
Syncthing removal (was already decided, now fully removed):
- roles/base/tasks/firewall.yml: remove 3 UFW rules (ports 22000/21027)
- inventory/group_vars/all/main.yml: remove domain_sync, domain_mon, syncthing_basic_auth_htpasswd
- roles/services/templates/env.j2: remove DOMAIN_SYNC
- roles/services/templates/authelia/configuration.yml.j2: remove Syncthing 2FA rule
- roles/services/tasks/directories.yml: remove syncthing/config and syncthing/data dirs
- roles/services/defaults/main.yml: remove syncthing_image
- roles/services/tasks/main.yml: remove syncthing image pull
Security hardening:
- inventory/group_vars/all/main.yml: move cloudflare_zone_id to vault
- inventory/group_vars/all/vault.yml: add vault_cloudflare_zone_id
.gitignore improvements:
- add *.env, acme.json, *.log, editor dirs, venv, temp files
Documentation (new):
- docs/STATUS.md: all services, servers, known issues
- docs/BACKLOG.md: prioritized task list, done/todo
- docs/DECISIONS.md: architecture decisions and rationale
- CLAUDE.md: rewritten with read-first docs, rules, full arch reference
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 19:58:12 +07:00
6279bcb9b4
fix: remove cs-firewall-bouncer from image pre-pull list
...
CI/CD / syntax-check (push) Successful in 1m29s
CI/CD / deploy (push) Failing after 9m44s
crowdsecurity/cs-firewall-bouncer:v0.0.31 does not exist on Docker Hub.
The bouncer service was already removed from docker-compose.yml.
Remove from pre-pull list and defaults to unblock CI/CD deploy.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 15:39:31 +07:00
a344998405
feat: add uptime-kuma pull, logrotate deploy task, logrotate package
...
CI/CD / syntax-check (push) Successful in 41s
CI/CD / deploy (push) Failing after 39s
- Add uptime_kuma_image to image pull loop in services/tasks/main.yml
- Add logrotate deploy task to services/tasks/configs.yml
- Add logrotate package to base_packages
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 03:54:24 +07:00
aa9706bbc4
feat: comprehensive security hardening
...
CI/CD / syntax-check (push) Successful in 43s
CI/CD / deploy (push) Failing after 59s
Traefik:
- Enable access logs → /var/log/traefik/access.log (needed for CrowdSec)
- Add global security headers middleware: HSTS, X-Frame-Options, CSP,
nosniff, XSS filter, referrer policy, permissions policy
- Add rate limiting: default 100/s, API 30/s, admin 10/s (strict)
- Add Authelia ForwardAuth middleware for SSO integration
CrowdSec (new service):
- Analyzes Traefik access logs + auth.log in real time
- Community IP reputation blocklist (crowdsecurity/traefik + http-cve)
- Firewall bouncer: bans malicious IPs at kernel level (iptables)
Authelia (new service, auth.csrx.ru):
- 2FA/SSO portal with TOTP (Google Authenticator)
- Protects: traefik.csrx.ru, sync.csrx.ru, /god-mode/ in Plane
- Session: 12h expiry, 30m inactivity, Redis backend
- argon2id password hashing
Container security:
- Add security_opt: no-new-privileges to traefik, vaultwarden,
forgejo, grafana, authelia
CI/CD security:
- Remove hardcoded server IP 87.249.49.32 from workflow
- Use SSH_KNOWN_HOSTS secret instead of ssh-keyscan (prevents MITM)
- Added SSH_KNOWN_HOSTS secret to Forgejo
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 03:44:54 +07:00
6ebd237894
feat: major infrastructure improvements
...
CI/CD / deploy (push) Has been cancelled
CI/CD / syntax-check (push) Successful in 1m7s
Reliability:
- Add swap role (2GB, swappiness=10, idempotent via /etc/fstab)
- Add mem_limit to plane-worker (512m) and plane-beat (256m)
- Add health checks to all services (traefik, vaultwarden, forgejo,
plane-*, syncthing, prometheus, grafana, loki)
Code quality:
- Remove Traefik Docker labels (file provider used, labels were dead code)
- Add comment explaining file provider architecture
Observability:
- Add AlertManager with Telegram notifications
- Add Prometheus alert rules: CPU, RAM, disk, swap, container health
- Add Loki + Promtail for centralized log aggregation
- Add Loki datasource to Grafana
- Enable Traefik /ping endpoint for health checks
Backups:
- Add backup role: pg_dump for forgejo + plane DBs, tar for
vaultwarden and forgejo data
- 7-day retention, daily cron at 03:00
- Backup script at /usr/local/bin/backup-services
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 03:28:16 +07:00
972a76db4c
feat: add monitoring stack (Prometheus + Grafana + cAdvisor + Node Exporter)
...
CI/CD / syntax-check (push) Successful in 3m0s
CI/CD / deploy (push) Successful in 6m51s
- Adds monitoring Docker network (internal)
- Prometheus scrapes node-exporter (host metrics) and cAdvisor (containers)
with 30-day retention
- Grafana exposed at dashboard.csrx.ru with pre-provisioned datasource
and two dashboards: Node Exporter Full (1860) and cAdvisor (14282)
- Vault secret: vault_grafana_admin_password
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 03:05:34 +07:00
efbbc3cac5
fix: add plane-admin, plane-space and configure instance URLs
...
CI/CD / syntax-check (push) Successful in 2m31s
CI/CD / deploy (push) Has been cancelled
New Plane stable requires 3 frontend services:
- plane-admin (nginx:80) for /god-mode/ routes
- plane-space (node:3000) for /spaces/ routes
- plane-web (nginx:80) for all other routes
Also add APP/ADMIN/SPACE_BASE_URL env vars to plane-api so the
setup wizard knows where to redirect.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 02:14:34 +07:00
d2d5f12d5a
Add Forgejo Actions CI/CD with act_runner
...
CI/CD / syntax-check (push) Failing after 12s
CI/CD / deploy (push) Has been skipped
- Add gitea/act_runner:0.3.0 to docker-compose stack on runner-jobs network
- Add act_runner config template and directory provisioning
- Add FORGEJO_RUNNER_TOKEN to env template
- Add CI deploy SSH public key to authorized_keys via base role
- Create .forgejo/workflows/deploy.yml: syntax-check on PR, deploy on push to master
- Add .claude/launch.json with ansible-playbook configurations
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 21:28:15 +07:00
a1b97f3e4b
Initial commit
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 19:39:26 +07:00
