Traefik:
- Enable access logs → /var/log/traefik/access.log (needed for CrowdSec)
- Add global security headers middleware: HSTS, X-Frame-Options, CSP, nosniff, XSS filter, referrer policy, permissions policy
- Add rate limiting: default 100/s, API 30/s, admin 10/s (strict)
- Add Authelia ForwardAuth middleware for SSO integration

CrowdSec (new service):
- Analyzes Traefik access logs + auth.log in real time
- Community IP reputation blocklist (crowdsecurity/traefik + http-cve)
- Firewall bouncer: bans malicious IPs at kernel level (iptables)

Authelia (new service, auth.csrx.ru):
- 2FA/SSO portal with TOTP (Google Authenticator)
- Protects: traefik.csrx.ru, sync.csrx.ru, /god-mode/ in Plane
- Session: 12h expiry, 30m inactivity, Redis backend
- argon2id password hashing

Container security:
- Add security_opt: no-new-privileges to traefik, vaultwarden, forgejo, grafana, authelia

CI/CD security:
- Remove hardcoded server IP 87.249.49.32 from workflow
- Use SSH_KNOWN_HOSTS secret instead of ssh-keyscan (prevents MITM)
- Added SSH_KNOWN_HOSTS secret to Forgejo

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
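The Traefik middlewares the commit message lists (security headers, the three rate-limit tiers, Authelia ForwardAuth), as an added example of a Traefik dynamic configuration for the file provider; this is not the repository's own config. The header values, burst sizes, the Authelia container name/port and the forward-auth endpoint path are assumptions; only the header list, the 100/30/10 per-second limits and the traefik.csrx.ru host come from the message.

```yaml
# Added example (not the repo's config): values marked "assumed" are illustrative.
http:
  middlewares:
    # Global headers: HSTS, X-Frame-Options, CSP, nosniff, XSS filter, referrer, permissions policy
    security-headers:
      headers:
        stsSeconds: 31536000            # one-year HSTS (assumed value)
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true            # send HSTS even when Traefik terminates TLS upstream
        frameDeny: true                 # X-Frame-Options: DENY
        contentTypeNosniff: true        # X-Content-Type-Options: nosniff
        browserXssFilter: true          # X-XSS-Protection: 1; mode=block
        referrerPolicy: "strict-origin-when-cross-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=()"          # assumed
        contentSecurityPolicy: "default-src 'self'; frame-ancestors 'none'"    # assumed; tune per app
    # Rate limits: `average` is requests per `period` (default 1s); `burst` is the bucket size.
    ratelimit-default:
      rateLimit:
        average: 100
        burst: 200                      # assumed headroom
    ratelimit-api:
      rateLimit:
        average: 30
        burst: 60                       # assumed headroom
    ratelimit-admin:
      rateLimit:
        average: 10
        burst: 10                       # strict: no headroom above the average
    # ForwardAuth: Traefik asks Authelia to authorize each request before proxying it.
    authelia:
      forwardAuth:
        address: "http://authelia:9091/api/authz/forward-auth"   # assumed service name, port, path
        trustForwardHeader: true
        authResponseHeaders:            # identity headers Authelia returns on success
          - Remote-User
          - Remote-Groups
          - Remote-Email
  routers:
    # Dashboard router chaining all three middlewares (admin tier + SSO)
    traefik-dashboard:
      rule: "Host(`traefik.csrx.ru`)"
      service: api@internal
      entryPoints: [websecure]
      middlewares:
        - security-headers
        - ratelimit-admin
        - authelia
```

Middlewares only take effect on routers that reference them by name, so each protected host in the message (sync.csrx.ru, the Plane /god-mode/ path) needs its own router entry listing `authelia` and the appropriate rate-limit tier.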
18 lines
762 B
Django/Jinja
# Generated by Ansible — do not edit manually
VAULTWARDEN_ADMIN_TOKEN={{ vaultwarden_admin_token }}
FORGEJO_DB_PASSWORD={{ forgejo_db_password }}
PLANE_DB_PASSWORD={{ plane_db_password }}
PLANE_SECRET_KEY={{ plane_secret_key }}
PLANE_MINIO_PASSWORD={{ plane_minio_password }}
DOMAIN_BASE={{ domain_base }}
DOMAIN_VAULT={{ domain_vault }}
DOMAIN_GIT={{ domain_git }}
DOMAIN_PLANE={{ domain_plane }}
DOMAIN_SYNC={{ domain_sync }}
DOMAIN_TRAEFIK={{ domain_traefik }}
FORGEJO_RUNNER_TOKEN={{ forgejo_runner_token }}
GRAFANA_ADMIN_PASSWORD={{ grafana_admin_password }}
AUTHELIA_JWT_SECRET={{ authelia_jwt_secret }}
AUTHELIA_SESSION_SECRET={{ authelia_session_secret }}
AUTHELIA_STORAGE_KEY={{ authelia_storage_key }}
CROWDSEC_BOUNCER_KEY={{ crowdsec_bouncer_key }}
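Review bot: every value in this template is rendered unquoted (`VAULTWARDEN_ADMIN_TOKEN={{ vaultwarden_admin_token }}` through `CROWDSEC_BOUNCER_KEY={{ crowdsec_bouncer_key }}`), so if the file is consumed as a docker compose `.env`, a generated secret containing `$`, `#` or whitespace will be interpolated or truncated instead of taken literally; wrap the secret values in single quotes (for example `AUTHELIA_JWT_SECRET='{{ authelia_jwt_secret }}'`) or guarantee that the generator never emits those characters. Because the rendered file holds plaintext credentials for every service, the Ansible `template` task that writes it should also set a restrictive `mode` (0600) and the output path should be kept out of version control.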