jack
fccbd1a45a
Cloudflare DNS-01 ACME: - Switch Traefik cert resolver from httpChallenge to dnsChallenge using Cloudflare provider (resolvers: 1.1.1.1, 1.0.0.1) - Add CLOUDFLARE_DNS_API_TOKEN env to Traefik container - Add CF_ZONE_ID + cloudflare_dns_api_token to all/main.yml - Store API token in Ansible Vault Docker daemon hardening: - Add log-driver: json-file with max-size 10m / max-file 3 (prevents disk fill from unbounded container logs) - Add live-restore: true (containers survive Docker daemon restart) Kernel hardening (sysctl): - New roles/base/tasks/sysctl.yml via ansible.posix.sysctl - IP spoofing protection (rp_filter) - Disable ICMP redirects and broadcast pings - SYN flood protection (syncookies, backlog) - Disable IPv6 (not used) - Restrict kernel pointers and dmesg to root - Disable SysRq, suid core dumps Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
44 lines
2.1 KiB
YAML
44 lines
2.1 KiB
YAML
---
|
|
# Non-secret variables
|
|
domain_base: "csrx.ru"
|
|
|
|
# Derived domains
|
|
domain_vault: "vault.{{ domain_base }}"
|
|
domain_git: "git.{{ domain_base }}"
|
|
domain_plane: "plane.{{ domain_base }}"
|
|
domain_sync: "sync.{{ domain_base }}"
|
|
domain_traefik: "traefik.{{ domain_base }}"
|
|
domain_dashboard: "dashboard.{{ domain_base }}"
|
|
domain_auth: "auth.{{ domain_base }}"
|
|
domain_status: "status.{{ domain_base }}"
|
|
|
|
# Service paths
|
|
services_root: /opt/services
|
|
deploy_user: deploy
|
|
deploy_group: deploy
|
|
|
|
# Secrets (from vault)
|
|
acme_email: "{{ vault_acme_email }}"
|
|
vaultwarden_admin_token: "{{ vault_vaultwarden_admin_token }}"
|
|
forgejo_db_password: "{{ vault_forgejo_db_password }}"
|
|
plane_db_password: "{{ vault_plane_db_password }}"
|
|
plane_secret_key: "{{ vault_plane_secret_key }}"
|
|
plane_minio_password: "{{ vault_plane_minio_password }}"
|
|
traefik_dashboard_htpasswd: "{{ vault_traefik_dashboard_htpasswd }}"
|
|
syncthing_basic_auth_htpasswd: "{{ vault_syncthing_basic_auth_htpasswd }}"
|
|
forgejo_runner_token: "{{ vault_forgejo_runner_token }}"
|
|
grafana_admin_password: "{{ vault_grafana_admin_password }}"
|
|
alertmanager_telegram_token: "{{ vault_alertmanager_telegram_token }}"
|
|
alertmanager_telegram_chat_id: "{{ vault_alertmanager_telegram_chat_id }}"
|
|
authelia_jwt_secret: "{{ vault_authelia_jwt_secret }}"
|
|
authelia_session_secret: "{{ vault_authelia_session_secret }}"
|
|
authelia_storage_key: "{{ vault_authelia_storage_key }}"
|
|
authelia_admin_password_hash: "{{ vault_authelia_admin_password_hash }}"
|
|
crowdsec_bouncer_key: "{{ vault_crowdsec_bouncer_key }}"
|
|
s3_access_key: "{{ vault_s3_access_key }}"
|
|
s3_secret_key: "{{ vault_s3_secret_key }}"
|
|
cloudflare_dns_api_token: "{{ vault_cloudflare_dns_api_token }}"
|
|
cloudflare_zone_id: "0935215d596a24a10866a81409ed8332"
|
|
|
|
# CI/CD deploy key (public key — not a secret)
|
|
ci_deploy_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdr9mRSSUqt7Ym4wA5RpVyz76wEXSOtVfh2/yCSMIbg ci-deploy@forgejo-runner"
|