jack
fccbd1a45a
Cloudflare DNS-01 ACME: - Switch Traefik cert resolver from httpChallenge to dnsChallenge using Cloudflare provider (resolvers: 1.1.1.1, 1.0.0.1) - Add CLOUDFLARE_DNS_API_TOKEN env to Traefik container - Add CF_ZONE_ID + cloudflare_dns_api_token to all/main.yml - Store API token in Ansible Vault Docker daemon hardening: - Add log-driver: json-file with max-size 10m / max-file 3 (prevents disk fill from unbounded container logs) - Add live-restore: true (containers survive Docker daemon restart) Kernel hardening (sysctl): - New roles/base/tasks/sysctl.yml via ansible.posix.sysctl - IP spoofing protection (rp_filter) - Disable ICMP redirects and broadcast pings - SYN flood protection (syncookies, backlog) - Disable IPv6 (not used) - Restrict kernel pointers and dmesg to root - Disable SysRq, suid core dumps Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
21 lines
889 B
Django/Jinja
21 lines
889 B
Django/Jinja
# Generated by Ansible — do not edit manually
|
|
VAULTWARDEN_ADMIN_TOKEN={{ vaultwarden_admin_token }}
|
|
FORGEJO_DB_PASSWORD={{ forgejo_db_password }}
|
|
PLANE_DB_PASSWORD={{ plane_db_password }}
|
|
PLANE_SECRET_KEY={{ plane_secret_key }}
|
|
PLANE_MINIO_PASSWORD={{ plane_minio_password }}
|
|
DOMAIN_BASE={{ domain_base }}
|
|
DOMAIN_VAULT={{ domain_vault }}
|
|
DOMAIN_GIT={{ domain_git }}
|
|
DOMAIN_PLANE={{ domain_plane }}
|
|
DOMAIN_SYNC={{ domain_sync }}
|
|
DOMAIN_TRAEFIK={{ domain_traefik }}
|
|
FORGEJO_RUNNER_TOKEN={{ forgejo_runner_token }}
|
|
GRAFANA_ADMIN_PASSWORD={{ grafana_admin_password }}
|
|
AUTHELIA_JWT_SECRET={{ authelia_jwt_secret }}
|
|
AUTHELIA_SESSION_SECRET={{ authelia_session_secret }}
|
|
AUTHELIA_STORAGE_KEY={{ authelia_storage_key }}
|
|
CROWDSEC_BOUNCER_KEY={{ crowdsec_bouncer_key }}
|
|
# Cloudflare DNS-01 ACME challenge
|
|
CLOUDFLARE_DNS_API_TOKEN={{ cloudflare_dns_api_token }}
|
|
CF_ZONE_ID={{ cloudflare_zone_id }}
|