5f44441bd1
fix: remove grafana_admin_password from env.j2, delete dead prometheus templates
CI/CD / syntax-check (push) Successful in 1m2s
CI/CD / deploy (push) Has been cancelled
These files referenced variables removed in the previous refactor commit,
causing deploy failure (undefined variable: grafana_admin_password).
2026-03-27 19:21:51 +07:00

d635522199
feat: remove Authelia, protect dashboard with basic auth
CI/CD / syntax-check (push) Waiting to run
CI/CD / deploy (push) Blocked by required conditions
Authelia was unused overhead — only traefik-dashboard and plane /god-mode/
were behind it. Dashboard now uses traefik-auth (basic auth). /god-mode/
uses rate-limit-strict only.
Removes: authelia + authelia-redis containers, authelia-internal network,
authelia_data volume, authelia router/service/forwardAuth middleware.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-26 22:50:41 +07:00

2770cb61ef
fix: CF_DNS_API_TOKEN env var name for Traefik ACME + n8n domain update
CI/CD / syntax-check (push) Waiting to run
CI/CD / deploy (push) Blocked by required conditions
- Fix env var CLOUDFLARE_DNS_API_TOKEN → CF_DNS_API_TOKEN (lego requirement)
- n8n env already uses domain_n8n variable (auto.walava.io)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-26 22:44:05 +07:00

0315ee6a72
feat: add Discord bot service + workflow_dispatch trigger
CI/CD / syntax-check (push) Successful in 1m5s
CI/CD / deploy (push) Successful in 14m7s
- Add discord-bot container to docker-compose (uses git.csrx.ru registry image)
- Inject DISCORD_BOT_TOKEN via .env, bot accesses Docker socket + Prometheus
- Add vault_discord_bot_{token,app_id,public_key}, aliases in main.yml
- Add workflow_dispatch to deploy.yml so /deploy bot command works
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-26 05:27:42 +07:00

58e9a0f08b
fix: remove vaultwarden_admin_token and DOMAIN_VAULT from env.j2
CI/CD / syntax-check (push) Successful in 1m3s
CI/CD / deploy (push) Failing after 6m54s
Leftover after Vaultwarden removal caused CI/CD deploy to fail with
'vaultwarden_admin_token is undefined' during .env template rendering.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-26 04:38:12 +07:00

66b70827df
chore: full project cleanup + documentation
CI/CD / syntax-check (push) Successful in 1m31s
CI/CD / deploy (push) Has been cancelled
Syncthing removal (was already decided, now fully removed):
- roles/base/tasks/firewall.yml: remove 3 UFW rules (ports 22000/21027)
- inventory/group_vars/all/main.yml: remove domain_sync, domain_mon, syncthing_basic_auth_htpasswd
- roles/services/templates/env.j2: remove DOMAIN_SYNC
- roles/services/templates/authelia/configuration.yml.j2: remove Syncthing 2FA rule
- roles/services/tasks/directories.yml: remove syncthing/config and syncthing/data dirs
- roles/services/defaults/main.yml: remove syncthing_image
- roles/services/tasks/main.yml: remove syncthing image pull
Security hardening:
- inventory/group_vars/all/main.yml: move cloudflare_zone_id to vault
- inventory/group_vars/all/vault.yml: add vault_cloudflare_zone_id
.gitignore improvements:
- add *.env, acme.json, *.log, editor dirs, venv, temp files
Documentation (new):
- docs/STATUS.md: all services, servers, known issues
- docs/BACKLOG.md: prioritized task list, done/todo
- docs/DECISIONS.md: architecture decisions and rationale
- CLAUDE.md: rewritten with read-first docs, rules, full arch reference
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 19:58:12 +07:00

fccbd1a45a
feat: Cloudflare DNS-01 ACME + Docker hardening + sysctl
CI/CD / syntax-check (push) Successful in 42s
CI/CD / deploy (push) Failing after 52s
Cloudflare DNS-01 ACME:
- Switch Traefik cert resolver from httpChallenge to dnsChallenge
using Cloudflare provider (resolvers: 1.1.1.1, 1.0.0.1)
- Add CLOUDFLARE_DNS_API_TOKEN env to Traefik container
- Add CF_ZONE_ID + cloudflare_dns_api_token to all/main.yml
- Store API token in Ansible Vault
Docker daemon hardening:
- Add log-driver: json-file with max-size 10m / max-file 3
(prevents disk fill from unbounded container logs)
- Add live-restore: true (containers survive Docker daemon restart)
Kernel hardening (sysctl):
- New roles/base/tasks/sysctl.yml via ansible.posix.sysctl
- IP spoofing protection (rp_filter)
- Disable ICMP redirects and broadcast pings
- SYN flood protection (syncookies, backlog)
- Disable IPv6 (not used)
- Restrict kernel pointers and dmesg to root
- Disable SysRq, suid core dumps
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 04:06:46 +07:00

aa9706bbc4
feat: comprehensive security hardening
CI/CD / syntax-check (push) Successful in 43s
CI/CD / deploy (push) Failing after 59s
Traefik:
- Enable access logs → /var/log/traefik/access.log (needed for CrowdSec)
- Add global security headers middleware: HSTS, X-Frame-Options, CSP,
nosniff, XSS filter, referrer policy, permissions policy
- Add rate limiting: default 100/s, API 30/s, admin 10/s (strict)
- Add Authelia ForwardAuth middleware for SSO integration
CrowdSec (new service):
- Analyzes Traefik access logs + auth.log in real time
- Community IP reputation blocklist (crowdsecurity/traefik + http-cve)
- Firewall bouncer: bans malicious IPs at kernel level (iptables)
Authelia (new service, auth.csrx.ru):
- 2FA/SSO portal with TOTP (Google Authenticator)
- Protects: traefik.csrx.ru, sync.csrx.ru, /god-mode/ in Plane
- Session: 12h expiry, 30m inactivity, Redis backend
- argon2id password hashing
Container security:
- Add security_opt: no-new-privileges to traefik, vaultwarden,
forgejo, grafana, authelia
CI/CD security:
- Remove hardcoded server IP 87.249.49.32 from workflow
- Use SSH_KNOWN_HOSTS secret instead of ssh-keyscan (prevents MITM)
- Added SSH_KNOWN_HOSTS secret to Forgejo
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 03:44:54 +07:00

972a76db4c
feat: add monitoring stack (Prometheus + Grafana + cAdvisor + Node Exporter)
CI/CD / syntax-check (push) Successful in 3m0s
CI/CD / deploy (push) Successful in 6m51s
- Adds monitoring Docker network (internal)
- Prometheus scrapes node-exporter (host metrics) and cAdvisor (containers)
with 30-day retention
- Grafana exposed at dashboard.csrx.ru with pre-provisioned datasource
and two dashboards: Node Exporter Full (1860) and cAdvisor (14282)
- Vault secret: vault_grafana_admin_password
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 03:05:34 +07:00

d2d5f12d5a
Add Forgejo Actions CI/CD with act_runner
CI/CD / syntax-check (push) Failing after 12s
CI/CD / deploy (push) Has been skipped
- Add gitea/act_runner:0.3.0 to docker-compose stack on runner-jobs network
- Add act_runner config template and directory provisioning
- Add FORGEJO_RUNNER_TOKEN to env template
- Add CI deploy SSH public key to authorized_keys via base role
- Create .forgejo/workflows/deploy.yml: syntax-check on PR, deploy on push to master
- Add .claude/launch.json with ansible-playbook configurations
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 21:28:15 +07:00

a1b97f3e4b
Initial commit
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 19:39:26 +07:00