fixes/security

2026-05-31 09:35:54 +02:00
parent 85cf6f5533
commit 11b13cd326
17 changed files with 31 additions and 49 deletions
@@ -1,4 +1,4 @@
- name: Inspircd
+- name: Autodns
  hosts: beepi
  become: true
  vars:
@@ -19,7 +19,7 @@
        owner: fail2forward
        group: fail2forward
        state: directory
-        mode: '0655'
+        mode: '0700'

    - name: Create authorized_keys
      ansible.builtin.copy:
@@ -18,6 +18,7 @@
        name: fail2forward
        generate_ssh_key: true
        ssh_key_bits: 2048
+        ssh_key_type: ed25519
        ssh_key_file: .ssh/id_rsa
      register: ssh_public_key

@@ -5,7 +5,7 @@ maxretry = 5
 banaction = ufw
 bantime.increment = true
 bantime.multipliers = 1 5 30 60 300 720 1440 2880
-ignoreip = 81.217.198.106
+ignoreip = 81.217.198.106 # home ip

 action = %(action_)s
         forward
@@ -1,4 +1,4 @@
- name: Inspircd
+- name: Gitea
  hosts: beepi
  become: true
  vars:
@@ -26,18 +26,19 @@
        state: directory
        mode: '0755'

+    - name: Compose down
+      changed_when: true
+      failed_when: false
+      ansible.builtin.command:
+        cmd: podman-compose down
+        chdir: /opt/beeserver/gitea
+
    - name: Copy compose
      ansible.builtin.template:
        src: docker-compose.yml.j2
        dest: /opt/beeserver/gitea/docker-compose.yml
        mode: '0644'

-    - name: Compose down
-      changed_when: true
-      ansible.builtin.command:
-        cmd: podman-compose down
-        chdir: /opt/beeserver/gitea
-
    - name: Compose up
      changed_when: true
      ansible.builtin.command:
@@ -1,32 +0,0 @@
-#!/bin/sh
-set -e
-
-# The location your renewal tool places your certificates.
-CERT_DIR="/etc/letsencrypt/live/irc.secretbee.buzz"
-
-# The location of the InspIRCd config directory.
-INSPIRCD_CONFIG_DIR="/etc/inspircd"
-
-# The location of the InspIRCd pid file.
-INSPIRCD_PID_FILE="/var/run/inspircd/inspircd.pid"
-
-# The user:group that owns the inspircd config directory on the host.
-INSPIRCD_OWNER="root:root"
-
-if [ -e ${CERT_DIR} -a -e ${INSPIRCD_CONFIG_DIR} ]
-then
-    cp "${CERT_DIR}/fullchain.pem" "${INSPIRCD_CONFIG_DIR}/cert.pem"
-    cp "${CERT_DIR}/privkey.pem" "${INSPIRCD_CONFIG_DIR}/key.pem"
-    chown ${INSPIRCD_OWNER} "${INSPIRCD_CONFIG_DIR}/cert.pem" "${INSPIRCD_CONFIG_DIR}/key.pem"
-
-    if podman container exists inspircd 2>/dev/null
-    then
-        podman kill --signal USR1 inspircd
-    elif [ -r ${INSPIRCD_PID_FILE} ]
-    then
-        kill -USR1 $(cat ${INSPIRCD_PID_FILE})
-    elif [ -d /lib/systemd ] && systemctl --quiet is-active inspircd
-    then
-        systemctl kill --signal USR1 inspircd
-    fi
-fi
@@ -18,18 +18,6 @@
        - matrix.secretbee.buzz
        - gallery.secretbee.buzz

-    - name: Add post hook script
-      ansible.builtin.copy:
-        src: irc-post-hook.sh
-        dest: /opt/beeserver/irc-post-hook.sh
-        owner: root
-        group: root
-        mode: '0755'
-
-    - name: Renew for post hook
-      changed_when: true
-      ansible.builtin.command: certbot renew --cert-name irc.secretbee.buzz --deploy-hook /opt/beeserver/irc-post-hook.sh --force-renewal
-
    - name: Change permission on live
      ansible.builtin.file:
        path: /etc/letsencrypt/live/
@@ -1,7 +0,0 @@
-#!/bin/sh
-set -e
-
-if podman container exists nginx 2>/dev/null
-then
-    podman kill --signal HUP nginx
-fi
@@ -20,7 +20,7 @@ services:
    container_name: grafana
    restart: always
    ports:
-      - '4000:4000'
+      - '127.0.0.1:4000:4000'
    volumes:
      - grafana-storage:/var/lib/grafana
    environment:
@@ -48,6 +48,7 @@

    - name: Compose down
      changed_when: true
+      failed_when: false
      ansible.builtin.command:
        cmd: podman-compose down
        chdir: /opt/beeserver/monitoring
@@ -101,9 +102,6 @@
        username: "{{ geoip_username }}"
        password: "{{ geoip_license }}"
        mode: '0644'
-      tags:
-        - never
-        - geoip

    - name: Get geoip tar file
      ansible.builtin.find:
@@ -11,6 +11,8 @@ server {
    listen         443 ssl;
    server_name gallery.secretbee.buzz;

+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
    ssl_certificate     /etc/letsencrypt/live/gallery.secretbee.buzz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/gallery.secretbee.buzz/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
@@ -13,7 +13,7 @@ server {

  limit_req zone=mylimit burst=20;

-  add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always;
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  ssl_certificate     /etc/letsencrypt/live/git.secretbee.buzz/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/git.secretbee.buzz/privkey.pem;
@@ -22,7 +22,7 @@ server {

  limit_req zone=mylimit burst=20;

-  add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always;
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  ssl_certificate     /etc/letsencrypt/live/grafana.secretbee.buzz/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/grafana.secretbee.buzz/privkey.pem;
@@ -13,7 +13,7 @@ server {

  limit_req zone=mylimit burst=20;

-  add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always;
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  ssl_certificate     /etc/letsencrypt/live/lounge.secretbee.buzz/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/lounge.secretbee.buzz/privkey.pem;
@@ -18,6 +18,7 @@

    - name: Down wg0
      changed_when: true
+      failed_when: false
      ansible.builtin.command: wg-quick down wg0

    - name: Copy wg0.conf
@@ -18,6 +18,7 @@

    - name: Down wg0
      changed_when: true
+      failed_when: false
      ansible.builtin.command: wg-quick down wg0

    - name: Copy wg0.conf