jack/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/roles/services
History
jack fccbd1a45a
Some checks failed
CI/CD / syntax-check (push) Successful in 42s
Details
CI/CD / deploy (push) Failing after 52s
Details
feat: Cloudflare DNS-01 ACME + Docker hardening + sysctl 
Cloudflare DNS-01 ACME:
- Switch Traefik cert resolver from httpChallenge to dnsChallenge
  using Cloudflare provider (resolvers: 1.1.1.1, 1.0.0.1)
- Add CLOUDFLARE_DNS_API_TOKEN env to Traefik container
- Add CF_ZONE_ID + cloudflare_dns_api_token to all/main.yml
- Store API token in Ansible Vault

Docker daemon hardening:
- Add log-driver: json-file with max-size 10m / max-file 3
  (prevents disk fill from unbounded container logs)
- Add live-restore: true (containers survive Docker daemon restart)

Kernel hardening (sysctl):
- New roles/base/tasks/sysctl.yml via ansible.posix.sysctl
- IP spoofing protection (rp_filter)
- Disable ICMP redirects and broadcast pings
- SYN flood protection (syncookies, backlog)
- Disable IPv6 (not used)
- Restrict kernel pointers and dmesg to root
- Disable SysRq, suid core dumps

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 04:06:46 +07:00
..
defaults feat: Cloudflare DNS-01 ACME + Docker hardening + sysctl 2026-03-22 04:06:46 +07:00
files/grafana/dashboards feat: add monitoring stack (Prometheus + Grafana + cAdvisor + Node Exporter) 2026-03-22 03:05:34 +07:00
handlers Initial commit 2026-03-20 19:39:26 +07:00
tasks feat: add uptime-kuma pull, logrotate deploy task, logrotate package 2026-03-22 03:54:24 +07:00
templates feat: Cloudflare DNS-01 ACME + Docker hardening + sysctl 2026-03-22 04:06:46 +07:00