firewall.yml:
- Allow 172.16.0.0/12 and 10.0.0.0/8 on ports 80/443 so act_runner
job containers can reach git.csrx.ru (Forgejo via Traefik)
- Without this, Cloudflare-only rules broke CI/CD pipeline
unattended_upgrades.yml (new):
- Install unattended-upgrades + apt-listchanges
- Configure auto-apply of security patches only (not all updates)
- Auto-clean every 7 days, remove unused deps
- No auto-reboot (manual control over kernel reboots)
base/tasks/main.yml:
- Add unattended_upgrades.yml to task sequence
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Traefik traefik.yml.j2:
- Add forwardedHeaders.trustedIPs with all Cloudflare CIDR ranges
on both web and websecure entrypoints so rate limiting and
CrowdSec see real visitor IPs, not Cloudflare proxy IPs
firewall.yml:
- Replace open HTTP/HTTPS rules with per-CIDR allow rules
scoped to Cloudflare IP ranges only
- Direct access to ports 80/443 bypassing Cloudflare is now blocked
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
