infra/roles/services/defaults/main.yml
jack fccbd1a45a
Some checks failed
CI/CD / syntax-check (push) Successful in 42s
CI/CD / deploy (push) Failing after 52s
feat: Cloudflare DNS-01 ACME + Docker hardening + sysctl
Cloudflare DNS-01 ACME:
- Switch Traefik cert resolver from httpChallenge to dnsChallenge
  using Cloudflare provider (resolvers: 1.1.1.1, 1.0.0.1)
- Add CLOUDFLARE_DNS_API_TOKEN env to Traefik container
- Add CF_ZONE_ID + cloudflare_dns_api_token to all/main.yml
- Store API token in Ansible Vault

Docker daemon hardening:
- Add log-driver: json-file with max-size 10m / max-file 3
  (prevents disk fill from unbounded container logs)
- Add live-restore: true (containers survive Docker daemon restart)

Kernel hardening (sysctl):
- New roles/base/tasks/sysctl.yml via ansible.posix.sysctl
- IP spoofing protection (rp_filter)
- Disable ICMP redirects and broadcast pings
- SYN flood protection (syncookies, backlog)
- Disable IPv6 (not used)
- Restrict kernel pointers and dmesg to root
- Disable SysRq, suid core dumps

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 04:06:46 +07:00
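The commit message above lists the Docker daemon and sysctl settings the role applies but not how a defender would verify that a host still matches that baseline. The following audit is an added example and is not code from this repository: it parses `sysctl -a` style output and a `daemon.json` document and reports drift. The target values in `EXPECTED_SYSCTL` (including the `tcp_max_syn_backlog` size and `kptr_restrict` level) are this example's own assumptions, since the commit names the settings but not their values, and the sample inputs are constructed.

```python
"""Audit the kernel and Docker daemon hardening the commit describes.

Added example, not repository code. Expected values are assumptions:
the commit names the settings, not the values.
"""
import json
import re

# Assumed target values for the sysctl keys the commit message lists.
EXPECTED_SYSCTL = {
    "net.ipv4.conf.all.rp_filter": "1",            # IP spoofing protection
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.conf.all.accept_redirects": "0",     # ICMP redirects off
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",   # ignore broadcast pings
    "net.ipv4.tcp_syncookies": "1",                # SYN flood protection
    "net.ipv4.tcp_max_syn_backlog": "2048",        # assumed backlog size
    "net.ipv6.conf.all.disable_ipv6": "1",         # IPv6 not used
    "kernel.kptr_restrict": "2",                   # hide kernel pointers
    "kernel.dmesg_restrict": "1",                  # dmesg root-only
    "kernel.sysrq": "0",                           # SysRq disabled
    "fs.suid_dumpable": "0",                       # no suid core dumps
}


def parse_sysctl_output(text):
    """Parse `sysctl -a` style lines ("key = value") into a dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.\-/]+)\s*=\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def sysctl_drift(actual, expected=EXPECTED_SYSCTL):
    """Return {key: (expected, actual_or_None)} for every key off its baseline.

    A key missing from the host output is reported with actual=None, so an
    unset control is flagged rather than silently passing.
    """
    drift = {}
    for key, want in expected.items():
        got = actual.get(key)
        if got != want:
            drift[key] = (want, got)
    return drift


def docker_log_limits_ok(daemon_json_text, max_size="10m", max_file="3"):
    """Check daemon.json bounds container logs and enables live-restore."""
    cfg = json.loads(daemon_json_text)
    opts = cfg.get("log-opts", {})
    return (cfg.get("log-driver") == "json-file"
            and opts.get("max-size") == max_size
            and opts.get("max-file") == max_file
            and cfg.get("live-restore") is True)


# Constructed sample: one value drifted, one control never applied.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv6.conf.all.disable_ipv6 = 1
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.sysrq = 0
"""

# Constructed sample matching the daemon settings named in the commit.
SAMPLE_DAEMON_JSON = ('{"log-driver": "json-file", '
                      '"log-opts": {"max-size": "10m", "max-file": "3"}, '
                      '"live-restore": true}')

if __name__ == "__main__":
    drift = sysctl_drift(parse_sysctl_output(SAMPLE_SYSCTL))
    for key, (want, got) in drift.items():
        print(f"DRIFT {key}: expected {want}, got {got}")
    print("docker log limits ok:", docker_log_limits_ok(SAMPLE_DAEMON_JSON))
```

On a real host the output of `sysctl -a` and the contents of `/etc/docker/daemon.json` would be fed in instead of the constructed samples; a missing key is reported as drift on purpose, since a sysctl file that never got applied looks exactly like one that was applied and later reverted.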


---
services_root: /opt/services
# Image versions
# IMPORTANT: pin each image to a specific version tag.
# Check Docker Hub for the latest stable release before updating.
traefik_image: "traefik:v3.3" # https://hub.docker.com/_/traefik/tags
vaultwarden_image: "vaultwarden/server:1.32.7" # https://hub.docker.com/r/vaultwarden/server/tags
forgejo_image: "codeberg.org/forgejo/forgejo:9"
forgejo_db_image: "postgres:16-alpine"
plane_frontend_image: "makeplane/plane-frontend:stable" # https://hub.docker.com/r/makeplane/plane-frontend/tags
plane_admin_image: "makeplane/plane-admin:stable" # https://hub.docker.com/r/makeplane/plane-admin/tags
plane_space_image: "makeplane/plane-space:stable" # https://hub.docker.com/r/makeplane/plane-space/tags
plane_backend_image: "makeplane/plane-backend:stable" # https://hub.docker.com/r/makeplane/plane-backend/tags
plane_db_image: "postgres:16-alpine"
plane_redis_image: "redis:7-alpine"
# IMPORTANT: MinIO stopped publishing images to Docker Hub in October 2025.
# Last stable tag on Docker Hub: RELEASE.2025-04-22T22-12-26Z
# Recommended: switch to alpine/minio or build from source.
plane_minio_image: "minio/minio:RELEASE.2025-04-22T22-12-26Z" # https://hub.docker.com/r/minio/minio/tags
syncthing_image: "syncthing/syncthing:1.27" # https://hub.docker.com/r/syncthing/syncthing/tags
act_runner_image: "gitea/act_runner:0.3.0" # https://hub.docker.com/r/gitea/act_runner/tags
prometheus_image: "prom/prometheus:v3.4.0" # https://hub.docker.com/r/prom/prometheus/tags
node_exporter_image: "prom/node-exporter:v1.9.1" # https://hub.docker.com/r/prom/node-exporter/tags
cadvisor_image: "gcr.io/cadvisor/cadvisor:v0.52.1" # https://github.com/google/cadvisor/releases
grafana_image: "grafana/grafana:11.6.1" # https://hub.docker.com/r/grafana/grafana/tags
alertmanager_image: "prom/alertmanager:v0.28.1" # https://hub.docker.com/r/prom/alertmanager/tags
loki_image: "grafana/loki:3.4.3" # https://hub.docker.com/r/grafana/loki/tags
promtail_image: "grafana/promtail:3.4.3" # https://hub.docker.com/r/grafana/promtail/tags
crowdsec_image: "crowdsecurity/crowdsec:v1.6.8" # https://hub.docker.com/r/crowdsecurity/crowdsec/tags
crowdsec_bouncer_image: "crowdsecurity/cs-firewall-bouncer:v0.0.31" # https://hub.docker.com/r/crowdsecurity/cs-firewall-bouncer/tags
authelia_image: "authelia/authelia:4.38" # https://hub.docker.com/r/authelia/authelia/tags
redis_image: "redis:7-alpine" # shared with plane-redis
authelia_admin_user: "admin"
uptime_kuma_image: "louislam/uptime-kuma:1" # https://hub.docker.com/r/louislam/uptime-kuma/tags
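The comment at the top of this file says every image must be pinned to a specific version tag, yet several entries use a floating tag (`stable`) or a major-only tag (`:9`, `:1`, `:16-alpine`) that silently moves between releases. The following checker is an added example, not part of the repository: it scans `*_image` variables in a defaults file of this shape and reports every reference that is not pinned to at least major.minor or a digest. The sample input is constructed from a subset of the entries above plus one invented registry-with-port reference (`registry.example.com:5000`) to exercise the parsing edge case; the classification rules are this example's own policy.

```python
"""Flag floating or under-pinned image tags in an Ansible defaults file.

Added example, not repository code. The pinning policy (major.minor or a
digest counts as pinned) is this example's assumption.
"""
import re

# Matches lines such as: traefik_image: "traefik:v3.3" # comment
IMAGE_LINE = re.compile(r'^\s*(\w+_image)\s*:\s*"([^"]+)"')
FLOATING_TAGS = {"latest", "stable", "edge"}


def split_image_ref(ref):
    """Split 'registry/repo:tag' into (name, tag); a '@sha256:...' digest is the tag."""
    if "@" in ref:
        name, digest = ref.split("@", 1)
        return name, digest
    # The tag is after the last ':' only if that ':' comes after the last '/';
    # otherwise the colon belongs to a registry port (registry.example.com:5000/app).
    slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > slash:
        return ref[:colon], ref[colon + 1:]
    return ref, None


def classify_tag(tag):
    """Return 'pinned', or the reason the tag is not: missing, floating, major-only."""
    if tag is None:
        return "missing (defaults to latest)"
    if tag.startswith("sha256:"):
        return "pinned"
    if tag in FLOATING_TAGS:
        return "floating"
    # Strip a variant suffix and a leading 'v': "16-alpine" -> "16", "v3.3" -> "3.3"
    core = tag.split("-", 1)[0].lstrip("v")
    if re.fullmatch(r"\d+", core):
        return "major-only"
    return "pinned"


def find_loose_pins(yaml_text):
    """Return {var_name: (image_ref, reason)} for every *_image var not fully pinned."""
    loose = {}
    for line in yaml_text.splitlines():
        m = IMAGE_LINE.match(line)
        if not m:
            continue
        var, ref = m.groups()
        _, tag = split_image_ref(ref)
        reason = classify_tag(tag)
        if reason != "pinned":
            loose[var] = (ref, reason)
    return loose


# Constructed sample: real entries from this file plus one invented port case.
SAMPLE_DEFAULTS = """\
traefik_image: "traefik:v3.3" # https://hub.docker.com/_/traefik/tags
vaultwarden_image: "vaultwarden/server:1.32.7"
forgejo_image: "codeberg.org/forgejo/forgejo:9"
plane_frontend_image: "makeplane/plane-frontend:stable"
plane_db_image: "postgres:16-alpine"
plane_minio_image: "minio/minio:RELEASE.2025-04-22T22-12-26Z"
uptime_kuma_image: "louislam/uptime-kuma:1"
custom_image: "registry.example.com:5000/team/app"
"""

if __name__ == "__main__":
    for var, (ref, reason) in find_loose_pins(SAMPLE_DEFAULTS).items():
        print(f"{var}: {ref} -> {reason}")
```

Running it over the actual `defaults/main.yml` in CI (for instance in the `syntax-check` job) turns the pinning rule in the file's header comment into something that fails the build instead of a reminder that is easy to overlook.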