jack
aa9706bbc4
Traefik: - Enable access logs → /var/log/traefik/access.log (needed for CrowdSec) - Add global security headers middleware: HSTS, X-Frame-Options, CSP, nosniff, XSS filter, referrer policy, permissions policy - Add rate limiting: default 100/s, API 30/s, admin 10/s (strict) - Add Authelia ForwardAuth middleware for SSO integration CrowdSec (new service): - Analyzes Traefik access logs + auth.log in real time - Community IP reputation blocklist (crowdsecurity/traefik + http-cve) - Firewall bouncer: bans malicious IPs at kernel level (iptables) Authelia (new service, auth.csrx.ru): - 2FA/SSO portal with TOTP (Google Authenticator) - Protects: traefik.csrx.ru, sync.csrx.ru, /god-mode/ in Plane - Session: 12h expiry, 30m inactivity, Redis backend - argon2id password hashing Container security: - Add security_opt: no-new-privileges to traefik, vaultwarden, forgejo, grafana, authelia CI/CD security: - Remove hardcoded server IP 87.249.49.32 from workflow - Use SSH_KNOWN_HOSTS secret instead of ssh-keyscan (prevents MITM) - Added SSH_KNOWN_HOSTS secret to Forgejo Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
12 lines
452 B
Django/Jinja
12 lines
452 B
Django/Jinja
# Generated by Ansible — do not edit manually
|
|
# Authelia users database
|
|
# To update password hash: docker exec authelia authelia crypto hash generate argon2 --password 'yourpassword'
|
|
# To set up TOTP: visit https://{{ domain_auth }} and login — QR code will appear on first use
|
|
|
|
users:
|
|
{{ authelia_admin_user }}:
|
|
displayname: "Admin"
|
|
password: "{{ authelia_admin_password_hash }}"
|
|
email: "{{ acme_email }}"
|
|
groups:
|
|
- admins
|