fixes/security
Vendored
+10
-20
@@ -150,26 +150,16 @@
|
||||
"panel": "dedicated"
|
||||
}
|
||||
},
|
||||
{
|
||||
"label": "Build & Push: postfix",
|
||||
"type": "shell",
|
||||
"command": "make push-postfix",
|
||||
"group": "build",
|
||||
"presentation": {
|
||||
"reveal": "always",
|
||||
"panel": "dedicated"
|
||||
}
|
||||
},
|
||||
{
|
||||
"label": "Build & Push: opendkim",
|
||||
"type": "shell",
|
||||
"command": "make push-opendkim",
|
||||
"group": "build",
|
||||
"presentation": {
|
||||
"reveal": "always",
|
||||
"panel": "dedicated"
|
||||
}
|
||||
}
|
||||
// {
|
||||
// "label": "Build & Push: <template>",
|
||||
// "type": "shell",
|
||||
// "command": "make push-<template>",
|
||||
// "group": "build",
|
||||
// "presentation": {
|
||||
// "reveal": "always",
|
||||
// "panel": "dedicated"
|
||||
// }
|
||||
// }
|
||||
],
|
||||
"inputs": [
|
||||
{
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
- name: Inspircd
|
||||
- name: Autodns
|
||||
hosts: beepi
|
||||
become: true
|
||||
vars:
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
owner: fail2forward
|
||||
group: fail2forward
|
||||
state: directory
|
||||
mode: '0655'
|
||||
mode: '0700'
|
||||
|
||||
- name: Create authorized_keys
|
||||
ansible.builtin.copy:
|
||||
|
||||
@@ -18,6 +18,7 @@
|
||||
name: fail2forward
|
||||
generate_ssh_key: true
|
||||
ssh_key_bits: 2048
|
||||
ssh_key_type: ed25519
|
||||
ssh_key_file: .ssh/id_rsa
|
||||
register: ssh_public_key
|
||||
|
||||
|
||||
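Review bot: With `ssh_key_type: ed25519` (which looks like the line this hunk adds), the neighbouring `ssh_key_bits: 2048` and `ssh_key_file: .ssh/id_rsa` no longer match the key being generated. Ed25519 keys have a fixed size, so the bits value has no effect, and a file named `id_rsa` that holds an Ed25519 key will mislead whoever audits this account later; I would drop `ssh_key_bits` and use `ssh_key_file: .ssh/id_ed25519`, updating anything else that references the old path. Note also that `generate_ssh_key` does not replace a key that already exists, so hosts provisioned before this commit keep their 2048-bit RSA key unless the old file is removed or `force: true` is set. The task starts above the hunk, so the module is assumed to be `ansible.builtin.user`.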
@@ -5,7 +5,7 @@ maxretry = 5
|
||||
banaction = ufw
|
||||
bantime.increment = true
|
||||
bantime.multipliers = 1 5 30 60 300 720 1440 2880
|
||||
ignoreip = 81.217.198.106
|
||||
ignoreip = 81.217.198.106 # home ip
|
||||
|
||||
action = %(action_)s
|
||||
forward
|
||||
|
||||
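Review bot: The trailing `# home ip` on the `ignoreip` line is likely to be read as part of the value rather than as a comment. fail2ban's stock jail.conf documents `#` for whole-line comments and `;` after a space for inline ones, so the setting may become the address plus the tokens `#`, `home` and `ip`, which fail2ban would then try to treat as hosts to ignore. Put the comment on its own line above, i.e. `# home ip` followed by `ignoreip = 81.217.198.106`, and check the fail2ban log for ignoreip warnings after the next reload.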
@@ -1,4 +1,4 @@
|
||||
- name: Inspircd
|
||||
- name: Gitea
|
||||
hosts: beepi
|
||||
become: true
|
||||
vars:
|
||||
@@ -26,18 +26,19 @@
|
||||
state: directory
|
||||
mode: '0755'
|
||||
|
||||
- name: Compose down
|
||||
changed_when: true
|
||||
failed_when: false
|
||||
ansible.builtin.command:
|
||||
cmd: podman-compose down
|
||||
chdir: /opt/beeserver/gitea
|
||||
|
||||
- name: Copy compose
|
||||
ansible.builtin.template:
|
||||
src: docker-compose.yml.j2
|
||||
dest: /opt/beeserver/gitea/docker-compose.yml
|
||||
mode: '0644'
|
||||
|
||||
- name: Compose down
|
||||
changed_when: true
|
||||
ansible.builtin.command:
|
||||
cmd: podman-compose down
|
||||
chdir: /opt/beeserver/gitea
|
||||
|
||||
- name: Compose up
|
||||
changed_when: true
|
||||
ansible.builtin.command:
|
||||
|
||||
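Review bot: `failed_when: false` on the relocated `Compose down` task (the copy that appears to be the new one) hides every failure of `podman-compose down`, not only the first-run case where no compose file exists yet. If the stack genuinely fails to stop, the play carries on to `Copy compose` and `Compose up` with the old containers still present and nothing in the output to show it. Consider gating the task on the file instead, with an `ansible.builtin.stat` on `/opt/beeserver/gitea/docker-compose.yml` and `when: compose_file.stat.exists` (`compose_file` being whatever name the stat result is registered under), so real errors still fail the run. The same blanket `failed_when: false` appears on `Compose down` in the monitoring play and on both `Down wg0` tasks, where a `wg-quick down wg0` that fails for a reason other than the interface being absent would go unnoticed too.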
@@ -18,18 +18,6 @@
|
||||
- matrix.secretbee.buzz
|
||||
- gallery.secretbee.buzz
|
||||
|
||||
- name: Add post hook script
|
||||
ansible.builtin.copy:
|
||||
src: irc-post-hook.sh
|
||||
dest: /opt/beeserver/irc-post-hook.sh
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0755'
|
||||
|
||||
- name: Renew for post hook
|
||||
changed_when: true
|
||||
ansible.builtin.command: certbot renew --cert-name irc.secretbee.buzz --deploy-hook /opt/beeserver/irc-post-hook.sh --force-renewal
|
||||
|
||||
- name: Change permission on live
|
||||
ansible.builtin.file:
|
||||
path: /etc/letsencrypt/live/
|
||||
|
||||
@@ -20,7 +20,7 @@ services:
|
||||
container_name: grafana
|
||||
restart: always
|
||||
ports:
|
||||
- '4000:4000'
|
||||
- '127.0.0.1:4000:4000'
|
||||
volumes:
|
||||
- grafana-storage:/var/lib/grafana
|
||||
environment:
|
||||
|
||||
@@ -48,6 +48,7 @@
|
||||
|
||||
- name: Compose down
|
||||
changed_when: true
|
||||
failed_when: false
|
||||
ansible.builtin.command:
|
||||
cmd: podman-compose down
|
||||
chdir: /opt/beeserver/monitoring
|
||||
@@ -101,9 +102,6 @@
|
||||
username: "{{ geoip_username }}"
|
||||
password: "{{ geoip_license }}"
|
||||
mode: '0644'
|
||||
tags:
|
||||
- never
|
||||
- geoip
|
||||
|
||||
- name: Get geoip tar file
|
||||
ansible.builtin.find:
|
||||
|
||||
@@ -11,6 +11,8 @@ server {
|
||||
listen 443 ssl;
|
||||
server_name gallery.secretbee.buzz;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/gallery.secretbee.buzz/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/gallery.secretbee.buzz/privkey.pem;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
|
||||
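Review bot: The `add_header Strict-Transport-Security` line added at `server` level is only inherited by `location` blocks that declare no `add_header` of their own. The locations of this server are outside the hunk, so if any of them sets another header, its responses will go out without HSTS; repeat the directive there or move the shared headers into an included snippet. The same applies to the git, grafana and lounge vhosts whose HSTS value is corrected further down. `includeSubDomains` with a one-year `max-age` also commits every subdomain of each of these names to HTTPS, which is worth confirming before browsers cache it.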
@@ -13,7 +13,7 @@ server {
|
||||
|
||||
limit_req zone=mylimit burst=20;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/git.secretbee.buzz/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/git.secretbee.buzz/privkey.pem;
|
||||
|
||||
@@ -22,7 +22,7 @@ server {
|
||||
|
||||
limit_req zone=mylimit burst=20;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/grafana.secretbee.buzz/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/grafana.secretbee.buzz/privkey.pem;
|
||||
|
||||
@@ -13,7 +13,7 @@ server {
|
||||
|
||||
limit_req zone=mylimit burst=20;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/lounge.secretbee.buzz/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/lounge.secretbee.buzz/privkey.pem;
|
||||
|
||||
@@ -18,6 +18,7 @@
|
||||
|
||||
- name: Down wg0
|
||||
changed_when: true
|
||||
failed_when: false
|
||||
ansible.builtin.command: wg-quick down wg0
|
||||
|
||||
- name: Copy wg0.conf
|
||||
|
||||
@@ -18,6 +18,7 @@
|
||||
|
||||
- name: Down wg0
|
||||
changed_when: true
|
||||
failed_when: false
|
||||
ansible.builtin.command: wg-quick down wg0
|
||||
|
||||
- name: Copy wg0.conf
|
||||
|
||||