jack
aa9706bbc4
Traefik: - Enable access logs → /var/log/traefik/access.log (needed for CrowdSec) - Add global security headers middleware: HSTS, X-Frame-Options, CSP, nosniff, XSS filter, referrer policy, permissions policy - Add rate limiting: default 100/s, API 30/s, admin 10/s (strict) - Add Authelia ForwardAuth middleware for SSO integration CrowdSec (new service): - Analyzes Traefik access logs + auth.log in real time - Community IP reputation blocklist (crowdsecurity/traefik + http-cve) - Firewall bouncer: bans malicious IPs at kernel level (iptables) Authelia (new service, auth.csrx.ru): - 2FA/SSO portal with TOTP (Google Authenticator) - Protects: traefik.csrx.ru, sync.csrx.ru, /god-mode/ in Plane - Session: 12h expiry, 30m inactivity, Redis backend - argon2id password hashing Container security: - Add security_opt: no-new-privileges to traefik, vaultwarden, forgejo, grafana, authelia CI/CD security: - Remove hardcoded server IP 87.249.49.32 from workflow - Use SSH_KNOWN_HOSTS secret instead of ssh-keyscan (prevents MITM) - Added SSH_KNOWN_HOSTS secret to Forgejo Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
18 lines
295 B
Django/Jinja
18 lines
295 B
Django/Jinja
# Generated by Ansible — do not edit manually
|
|
# CrowdSec acquisition config: what log sources to watch
|
|
|
|
---
|
|
filenames:
|
|
- /var/log/traefik/access.log
|
|
labels:
|
|
type: traefik
|
|
---
|
|
filenames:
|
|
- /var/log/auth.log
|
|
labels:
|
|
type: syslog
|
|
---
|
|
filenames:
|
|
- /var/log/syslog
|
|
labels:
|
|
type: syslog
|