infra

jack/infra

Author	SHA1	Message	Date
jack	6279bcb9b4	fix: remove cs-firewall-bouncer from image pre-pull list Some checks failed CI/CD / syntax-check (push) Successful in 1m29s Details CI/CD / deploy (push) Failing after 9m44s Details crowdsecurity/cs-firewall-bouncer:v0.0.31 does not exist on Docker Hub. The bouncer service was already removed from docker-compose.yml. Remove from pre-pull list and defaults to unblock CI/CD deploy. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 15:39:31 +07:00
jack	28f8c76433	fix: plane and authelia health check URLs Some checks failed CI/CD / syntax-check (push) Successful in 1m21s Details CI/CD / deploy (push) Failing after 12m3s Details - plane-web/admin: localhost:80 → 127.0.0.1:3000 (nginx listens on 3000) - plane-space: localhost:3000 → 127.0.0.1:3000/spaces/ (node server needs basename) - plane-api: localhost:8000/api/ → 127.0.0.1:8000/ (/ returns status OK, /api/ returns 404) - uptime-kuma: localhost:3001 → curl -sf (wget not available in image) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 14:50:08 +07:00
jack	9ca1177461	fix: crowdsec proxy network, uptime-kuma curl healthcheck, outline en_US, n8n 127.0.0.1 Some checks failed CI/CD / syntax-check (push) Successful in 1m4s Details CI/CD / deploy (push) Failing after 10m46s Details - crowdsec: add proxy network for internet access (hub downloads) - crowdsec-bouncer: remove (image crowdsecurity/cs-firewall-bouncer doesn't exist on Docker Hub) - uptime-kuma: switch healthcheck from wget to curl (wget not in image) - outline: fix DEFAULT_LANGUAGE ru_RU → en_US (unsupported locale) - n8n: fix healthcheck localhost → 127.0.0.1 (IPv6 issue in Alpine) - alertmanager: config permissions 0644 (was 0640, container couldn't read) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 08:14:07 +07:00
jack	92d2c845d8	feat: add n8n, outline routes, remove syncthing, fix backup awscli Some checks failed CI/CD / syntax-check (push) Successful in 1m14s Details CI/CD / deploy (push) Failing after 10m51s Details - Add n8n to tools server (n8n.csrx.ru) - Add cross-server Traefik routes: wiki.csrx.ru + n8n.csrx.ru → tools - Remove Syncthing (replaced by Outline wiki) - Fix awscli install: download static binary (apt/pip broken on Ubuntu 24.04) - Add n8n secrets to vault (encryption key + JWT secret) - Improve CI/CD workflow: syntax-check both playbooks, deploy both servers - Update site.yml: unified single-command deploy for all servers Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 06:19:39 +07:00
jack	c2f9a0c21c	feat: wildcard TLS via Cloudflare DNS-01 + real-IP forwarding Some checks failed CI/CD / syntax-check (push) Successful in 44s Details CI/CD / deploy (push) Failing after 46s Details - Switch Traefik ACME to dnsChallenge (provider: cloudflare) - Add .csrx.ru wildcard cert via tls.stores.default.defaultGeneratedCert - Pass CLOUDFLARE_DNS_API_TOKEN to Traefik via env_file: .env - Add Cloudflare IP ranges to forwardedHeaders.trustedIPs (real visitor IPs) - Fix UFW: allow 172.16.0.0/12 on 80/443 so act_runner can reach Forgejo - Add A records: auth.csrx.ru, status.csrx.ru, csrx.ru root → 87.249.49.32 Result: one .csrx.ru cert covers all subdomains, auto-renewed by Traefik. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 04:47:46 +07:00
jack	f183fe485f	revert: switch back to HTTP-01 until Cloudflare NS propagation Some checks failed CI/CD / syntax-check (push) Successful in 44s Details CI/CD / deploy (push) Failing after 39s Details DNS-01 + wildcard cert requires Cloudflare to be authoritative NS. Until propagation completes, use httpChallenge on port 80. Plan after Cloudflare NS is active: 1. Switch back to dnsChallenge in traefik.yml.j2 2. Re-enable tls.stores.default.defaultGeneratedCert in routes.yml.j2 3. Clear acme.json → Traefik issues *.csrx.ru wildcard cert Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 04:18:21 +07:00
jack	0496e9ab61	feat: wildcard TLS certificate .csrx.ru via Cloudflare DNS-01 Some checks failed CI/CD / syntax-check (push) Successful in 43s Details CI/CD / deploy (push) Failing after 48s Details Add tls.stores.default.defaultGeneratedCert in dynamic config: - Traefik requests one .csrx.ru + csrx.ru SAN cert via DNS-01 - All existing and future subdomains use this single cert - No per-service cert issuance wait when adding new services - Cert auto-renewed by Traefik ~30 days before expiry Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 04:13:42 +07:00
jack	fccbd1a45a	feat: Cloudflare DNS-01 ACME + Docker hardening + sysctl Some checks failed CI/CD / syntax-check (push) Successful in 42s Details CI/CD / deploy (push) Failing after 52s Details Cloudflare DNS-01 ACME: - Switch Traefik cert resolver from httpChallenge to dnsChallenge using Cloudflare provider (resolvers: 1.1.1.1, 1.0.0.1) - Add CLOUDFLARE_DNS_API_TOKEN env to Traefik container - Add CF_ZONE_ID + cloudflare_dns_api_token to all/main.yml - Store API token in Ansible Vault Docker daemon hardening: - Add log-driver: json-file with max-size 10m / max-file 3 (prevents disk fill from unbounded container logs) - Add live-restore: true (containers survive Docker daemon restart) Kernel hardening (sysctl): - New roles/base/tasks/sysctl.yml via ansible.posix.sysctl - IP spoofing protection (rp_filter) - Disable ICMP redirects and broadcast pings - SYN flood protection (syncookies, backlog) - Disable IPv6 (not used) - Restrict kernel pointers and dmesg to root - Disable SysRq, suid core dumps Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 04:06:46 +07:00
jack	e935c897c6	feat: Cloudflare integration — real IP forwarding + firewall lockdown Some checks failed CI/CD / syntax-check (push) Successful in 58s Details CI/CD / deploy (push) Failing after 43s Details Traefik traefik.yml.j2: - Add forwardedHeaders.trustedIPs with all Cloudflare CIDR ranges on both web and websecure entrypoints so rate limiting and CrowdSec see real visitor IPs, not Cloudflare proxy IPs firewall.yml: - Replace open HTTP/HTTPS rules with per-CIDR allow rules scoped to Cloudflare IP ranges only - Direct access to ports 80/443 bypassing Cloudflare is now blocked Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 04:02:06 +07:00
jack	1f03022086	fix: correct invalid PromQL in ContainerHighMemory alert rule Some checks failed CI/CD / syntax-check (push) Successful in 53s Details CI/CD / deploy (push) Failing after 57s Details Cannot use comparison operators inside label matchers {}. Move the > 0 filter outside braces as a scalar filter on the denominator — idiomatic Prometheus way to exclude unlimited containers. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 03:59:56 +07:00
jack	a344998405	feat: add uptime-kuma pull, logrotate deploy task, logrotate package Some checks failed CI/CD / syntax-check (push) Successful in 41s Details CI/CD / deploy (push) Failing after 39s Details - Add uptime_kuma_image to image pull loop in services/tasks/main.yml - Add logrotate deploy task to services/tasks/configs.yml - Add logrotate package to base_packages Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 03:54:24 +07:00
jack	aa9706bbc4	feat: comprehensive security hardening Some checks failed CI/CD / syntax-check (push) Successful in 43s Details CI/CD / deploy (push) Failing after 59s Details Traefik: - Enable access logs → /var/log/traefik/access.log (needed for CrowdSec) - Add global security headers middleware: HSTS, X-Frame-Options, CSP, nosniff, XSS filter, referrer policy, permissions policy - Add rate limiting: default 100/s, API 30/s, admin 10/s (strict) - Add Authelia ForwardAuth middleware for SSO integration CrowdSec (new service): - Analyzes Traefik access logs + auth.log in real time - Community IP reputation blocklist (crowdsecurity/traefik + http-cve) - Firewall bouncer: bans malicious IPs at kernel level (iptables) Authelia (new service, auth.csrx.ru): - 2FA/SSO portal with TOTP (Google Authenticator) - Protects: traefik.csrx.ru, sync.csrx.ru, /god-mode/ in Plane - Session: 12h expiry, 30m inactivity, Redis backend - argon2id password hashing Container security: - Add security_opt: no-new-privileges to traefik, vaultwarden, forgejo, grafana, authelia CI/CD security: - Remove hardcoded server IP 87.249.49.32 from workflow - Use SSH_KNOWN_HOSTS secret instead of ssh-keyscan (prevents MITM) - Added SSH_KNOWN_HOSTS secret to Forgejo Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 03:44:54 +07:00
jack	6ebd237894	feat: major infrastructure improvements Some checks failed CI/CD / deploy (push) Has been cancelled Details CI/CD / syntax-check (push) Successful in 1m7s Details Reliability: - Add swap role (2GB, swappiness=10, idempotent via /etc/fstab) - Add mem_limit to plane-worker (512m) and plane-beat (256m) - Add health checks to all services (traefik, vaultwarden, forgejo, plane-*, syncthing, prometheus, grafana, loki) Code quality: - Remove Traefik Docker labels (file provider used, labels were dead code) - Add comment explaining file provider architecture Observability: - Add AlertManager with Telegram notifications - Add Prometheus alert rules: CPU, RAM, disk, swap, container health - Add Loki + Promtail for centralized log aggregation - Add Loki datasource to Grafana - Enable Traefik /ping endpoint for health checks Backups: - Add backup role: pg_dump for forgejo + plane DBs, tar for vaultwarden and forgejo data - 7-day retention, daily cron at 03:00 - Backup script at /usr/local/bin/backup-services Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 03:28:16 +07:00
jack	972a76db4c	feat: add monitoring stack (Prometheus + Grafana + cAdvisor + Node Exporter) All checks were successful CI/CD / syntax-check (push) Successful in 3m0s Details CI/CD / deploy (push) Successful in 6m51s Details - Adds monitoring Docker network (internal) - Prometheus scrapes node-exporter (host metrics) and cAdvisor (containers) with 30-day retention - Grafana exposed at dashboard.csrx.ru with pre-provisioned datasource and two dashboards: Node Exporter Full (1860) and cAdvisor (14282) - Vault secret: vault_grafana_admin_password Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 03:05:34 +07:00
jack	efbbc3cac5	fix: add plane-admin, plane-space and configure instance URLs Some checks failed CI/CD / syntax-check (push) Successful in 2m31s Details CI/CD / deploy (push) Has been cancelled Details New Plane stable requires 3 frontend services: - plane-admin (nginx:80) for /god-mode/ routes - plane-space (node:3000) for /spaces/ routes - plane-web (nginx:80) for all other routes Also add APP/ADMIN/SPACE_BASE_URL env vars to plane-api so the setup wizard knows where to redirect. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 02:14:34 +07:00
jack	66c03ffc04	fix: update plane backend for new stable image requirements All checks were successful CI/CD / syntax-check (push) Successful in 2m49s Details CI/CD / deploy (push) Successful in 8m54s Details makeplane/plane-backend:stable now requires: - AMQP_URL: Celery broker URL (defaults to amqp://localhost, broken) → set to redis://plane-redis:6379/ to reuse existing Redis - GUNICORN_WORKERS: must be set explicitly (empty string causes crash) → set to 2 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 01:32:11 +07:00
jack	679d3ed010	fix: update plane-web for nginx-based stable image All checks were successful CI/CD / syntax-check (push) Successful in 2m41s Details CI/CD / deploy (push) Successful in 11m24s Details makeplane/plane-frontend:stable now uses nginx (not Next.js/node). Remove `command: node web/server.js` override and update Traefik port from 3000 to 80. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-22 00:44:00 +07:00
jack	6a2c38b4bf	Fix act_runner: use public Forgejo URL for job container access Some checks failed CI/CD / syntax-check (push) Failing after 48s Details CI/CD / deploy (push) Has been skipped Details Job containers run on runner-jobs network (internet only), so they can't reach forgejo:3000 (backend-only). Use public https://git.csrx.ru so both runner and job containers can reach Forgejo. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-21 22:53:25 +07:00
jack	6580e42f53	Fix CI workflow: remove container directive, use runner image directly Some checks failed CI/CD / syntax-check (push) Failing after 2m13s Details CI/CD / deploy (push) Has been skipped Details - Remove container: python:3.12-slim (lacked Node.js for actions/checkout) - Use runner's ubuntu-latest image which has Node.js + Python pre-installed - Fix deploy job if condition (remove ${{ }} wrapper) - Enable debug logging in act_runner config Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-21 22:34:56 +07:00
jack	1d2ba7f7ea	Fix act_runner network name to use Docker Compose prefix Some checks failed CI/CD / syntax-check (push) Failing after 2s Details CI/CD / deploy (push) Has been skipped Details Docker Compose prefixes project name to network names: runner-jobs → services_runner-jobs Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-21 21:54:14 +07:00
jack	d2d5f12d5a	Add Forgejo Actions CI/CD with act_runner Some checks failed CI/CD / syntax-check (push) Failing after 12s Details CI/CD / deploy (push) Has been skipped Details - Add gitea/act_runner:0.3.0 to docker-compose stack on runner-jobs network - Add act_runner config template and directory provisioning - Add FORGEJO_RUNNER_TOKEN to env template - Add CI deploy SSH public key to authorized_keys via base role - Create .forgejo/workflows/deploy.yml: syntax-check on PR, deploy on push to master - Add .claude/launch.json with ansible-playbook configurations Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-21 21:28:15 +07:00
jack	652737239d	Add Forgejo SSH port 2222 and open in UFW Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-20 19:43:22 +07:00
jack	a1b97f3e4b	Initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-20 19:39:26 +07:00

23 commits