jack/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/inventory/group_vars/all/main.yml
jack aa9706bbc4
Some checks failed
CI/CD / syntax-check (push) Successful in 43s
Details
CI/CD / deploy (push) Failing after 59s
Details
feat: comprehensive security hardening 
Traefik:
- Enable access logs → /var/log/traefik/access.log (needed for CrowdSec)
- Add global security headers middleware: HSTS, X-Frame-Options, CSP,
  nosniff, XSS filter, referrer policy, permissions policy
- Add rate limiting: default 100/s, API 30/s, admin 10/s (strict)
- Add Authelia ForwardAuth middleware for SSO integration

CrowdSec (new service):
- Analyzes Traefik access logs + auth.log in real time
- Community IP reputation blocklist (crowdsecurity/traefik + http-cve)
- Firewall bouncer: bans malicious IPs at kernel level (iptables)

Authelia (new service, auth.csrx.ru):
- 2FA/SSO portal with TOTP (Google Authenticator)
- Protects: traefik.csrx.ru, sync.csrx.ru, /god-mode/ in Plane
- Session: 12h expiry, 30m inactivity, Redis backend
- argon2id password hashing

Container security:
- Add security_opt: no-new-privileges to traefik, vaultwarden,
  forgejo, grafana, authelia

CI/CD security:
- Remove hardcoded server IP 87.249.49.32 from workflow
- Use SSH_KNOWN_HOSTS secret instead of ssh-keyscan (prevents MITM)
- Added SSH_KNOWN_HOSTS secret to Forgejo

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 03:44:54 +07:00

39 lines
1.8 KiB
YAML
Raw Blame History

---
# Non-secret variables
domain_base: "csrx.ru"
# Derived domains
domain_vault: "vault.{{ domain_base }}"
domain_git: "git.{{ domain_base }}"
domain_plane: "plane.{{ domain_base }}"
domain_sync: "sync.{{ domain_base }}"
domain_traefik: "traefik.{{ domain_base }}"
domain_dashboard: "dashboard.{{ domain_base }}"
domain_auth: "auth.{{ domain_base }}"
# Service paths
services_root: /opt/services
deploy_user: deploy
deploy_group: deploy
# Secrets (from vault)
acme_email: "{{ vault_acme_email }}"
vaultwarden_admin_token: "{{ vault_vaultwarden_admin_token }}"
forgejo_db_password: "{{ vault_forgejo_db_password }}"
plane_db_password: "{{ vault_plane_db_password }}"
plane_secret_key: "{{ vault_plane_secret_key }}"
plane_minio_password: "{{ vault_plane_minio_password }}"
traefik_dashboard_htpasswd: "{{ vault_traefik_dashboard_htpasswd }}"
syncthing_basic_auth_htpasswd: "{{ vault_syncthing_basic_auth_htpasswd }}"
forgejo_runner_token: "{{ vault_forgejo_runner_token }}"
grafana_admin_password: "{{ vault_grafana_admin_password }}"
alertmanager_telegram_token: "{{ vault_alertmanager_telegram_token }}"
alertmanager_telegram_chat_id: "{{ vault_alertmanager_telegram_chat_id }}"
authelia_jwt_secret: "{{ vault_authelia_jwt_secret }}"
authelia_session_secret: "{{ vault_authelia_session_secret }}"
authelia_storage_key: "{{ vault_authelia_storage_key }}"
authelia_admin_password_hash: "{{ vault_authelia_admin_password_hash }}"
crowdsec_bouncer_key: "{{ vault_crowdsec_bouncer_key }}"
# CI/CD deploy key (public key — not a secret)
ci_deploy_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdr9mRSSUqt7Ym4wA5RpVyz76wEXSOtVfh2/yCSMIbg ci-deploy@forgejo-runner"
Reference in a new issue View git blame Copy permalink