fixes/security

This commit is contained in:
bee
2026-05-31 09:35:54 +02:00
parent 85cf6f5533
commit 11b13cd326
17 changed files with 31 additions and 49 deletions
+10 -20
@@ -150,26 +150,16 @@
"panel": "dedicated" "panel": "dedicated"
} }
}, },
{ // {
"label": "Build & Push: postfix", // "label": "Build & Push: <template>",
"type": "shell", // "type": "shell",
"command": "make push-postfix", // "command": "make push-<template>",
"group": "build", // "group": "build",
"presentation": { // "presentation": {
"reveal": "always", // "reveal": "always",
"panel": "dedicated" // "panel": "dedicated"
} // }
}, // }
{
"label": "Build & Push: opendkim",
"type": "shell",
"command": "make push-opendkim",
"group": "build",
"presentation": {
"reveal": "always",
"panel": "dedicated"
}
}
], ],
"inputs": [ "inputs": [
{ {
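Review bot: On the new side the last surviving task object still ends with `},` and is now followed only by the commented-out template and the closing `],`, which leaves a trailing comma in the `tasks` array. This looks like a VS Code tasks.json (`"type": "shell"`, `"presentation"`), whose JSONC parser tolerates the trailing comma but reports it as a problem, and stricter JSON tooling rejects it outright. Change the `},` on that last real task to `}` so the file parses cleanly regardless of consumer. The enclosing `tasks` array starts above the hunk.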
+1 -1
@@ -1,4 +1,4 @@
- name: Inspircd - name: Autodns
hosts: beepi hosts: beepi
become: true become: true
vars: vars:
@@ -19,7 +19,7 @@
owner: fail2forward owner: fail2forward
group: fail2forward group: fail2forward
state: directory state: directory
mode: '0655' mode: '0700'
- name: Create authorized_keys - name: Create authorized_keys
ansible.builtin.copy: ansible.builtin.copy:
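Review bot: Tightening the directory to `0700` is right (the old `0655` even denied the owner traversal), but the `Create authorized_keys` task that starts on the last line of this hunk runs under `become: true`, and nothing visible sets its ownership or mode, so the file will be root-owned with the module default unless set explicitly. Add `owner: fail2forward`, `group: fail2forward` and `mode: '0600'` to that copy task so sshd accepts the key file under StrictModes. The directory path is above the hunk; I assume it is the user's `.ssh` directory given the following task. The rest of the copy task is outside the hunk.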
+1
@@ -18,6 +18,7 @@
name: fail2forward name: fail2forward
generate_ssh_key: true generate_ssh_key: true
ssh_key_bits: 2048 ssh_key_bits: 2048
ssh_key_type: ed25519
ssh_key_file: .ssh/id_rsa ssh_key_file: .ssh/id_rsa
register: ssh_public_key register: ssh_public_key
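Review bot: `ssh_key_type: ed25519` is added while `ssh_key_bits: 2048` and `ssh_key_file: .ssh/id_rsa` are kept; the bits value has no effect on an Ed25519 key and the file name now misdescribes its contents. Drop `ssh_key_bits` and use `ssh_key_file: .ssh/id_ed25519`. Note also that the user module (presumably `ansible.builtin.user`, its line is above the hunk) does not overwrite an existing key file when `generate_ssh_key` is set, so a host that already has an RSA key at that path keeps it and the registered `ssh_public_key` remains the old key until the file is removed or rotated deliberately.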
+1 -1
@@ -5,7 +5,7 @@ maxretry = 5
banaction = ufw banaction = ufw
bantime.increment = true bantime.increment = true
bantime.multipliers = 1 5 30 60 300 720 1440 2880 bantime.multipliers = 1 5 30 60 300 720 1440 2880
ignoreip = 81.217.198.106 ignoreip = 81.217.198.106 # home ip
action = %(action_)s action = %(action_)s
forward forward
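Review bot: The appended `# home ip` may not be parsed as a comment: fail2ban's configuration reader, as far as I recall, treats `#` as a comment only at the start of a line and accepts inline comments only with `;` preceded by whitespace, so the trailing words are likely read as part of the `ignoreip` value and logged as invalid entries. Put the comment on its own line above the option, or write `ignoreip = 81.217.198.106 ; home ip`. Separately, committing a literal residential address to the repository discloses it; consider templating the jail file from a vaulted variable instead.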
+8 -7
@@ -1,4 +1,4 @@
- name: Inspircd - name: Gitea
hosts: beepi hosts: beepi
become: true become: true
vars: vars:
@@ -26,18 +26,19 @@
state: directory state: directory
mode: '0755' mode: '0755'
- name: Compose down
changed_when: true
failed_when: false
ansible.builtin.command:
cmd: podman-compose down
chdir: /opt/beeserver/gitea
- name: Copy compose - name: Copy compose
ansible.builtin.template: ansible.builtin.template:
src: docker-compose.yml.j2 src: docker-compose.yml.j2
dest: /opt/beeserver/gitea/docker-compose.yml dest: /opt/beeserver/gitea/docker-compose.yml
mode: '0644' mode: '0644'
- name: Compose down
changed_when: true
ansible.builtin.command:
cmd: podman-compose down
chdir: /opt/beeserver/gitea
- name: Compose up - name: Compose up
changed_when: true changed_when: true
ansible.builtin.command: ansible.builtin.command:
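Review bot: `failed_when: false` on the relocated `Compose down` step silences every error, so a stack that cannot be torn down will only surface later as a confusing name or port conflict in `Compose up`. If the intent is just to tolerate the first run where no compose file exists yet, say so with the command module's skip condition instead of swallowing failures: replace `failed_when: false` with `removes: /opt/beeserver/gitea/docker-compose.yml` under the command's args, which skips the task when the file is absent and keeps genuine failures fatal. Moving the step ahead of `Copy compose` is correct, since down then runs against the compose file that actually started the stack. The `Compose up` task continues outside the hunk.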
-12
@@ -18,18 +18,6 @@
- matrix.secretbee.buzz - matrix.secretbee.buzz
- gallery.secretbee.buzz - gallery.secretbee.buzz
- name: Add post hook script
ansible.builtin.copy:
src: irc-post-hook.sh
dest: /opt/beeserver/irc-post-hook.sh
owner: root
group: root
mode: '0755'
- name: Renew for post hook
changed_when: true
ansible.builtin.command: certbot renew --cert-name irc.secretbee.buzz --deploy-hook /opt/beeserver/irc-post-hook.sh --force-renewal
- name: Change permission on live - name: Change permission on live
ansible.builtin.file: ansible.builtin.file:
path: /etc/letsencrypt/live/ path: /etc/letsencrypt/live/
+1 -1
@@ -20,7 +20,7 @@ services:
container_name: grafana container_name: grafana
restart: always restart: always
ports: ports:
- '4000:4000' - '127.0.0.1:4000:4000'
volumes: volumes:
- grafana-storage:/var/lib/grafana - grafana-storage:/var/lib/grafana
environment: environment:
+1 -3
@@ -48,6 +48,7 @@
- name: Compose down - name: Compose down
changed_when: true changed_when: true
failed_when: false
ansible.builtin.command: ansible.builtin.command:
cmd: podman-compose down cmd: podman-compose down
chdir: /opt/beeserver/monitoring chdir: /opt/beeserver/monitoring
@@ -101,9 +102,6 @@
username: "{{ geoip_username }}" username: "{{ geoip_username }}"
password: "{{ geoip_license }}" password: "{{ geoip_license }}"
mode: '0644' mode: '0644'
tags:
- never
- geoip
- name: Get geoip tar file - name: Get geoip tar file
ansible.builtin.find: ansible.builtin.find:
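Review bot: Dropping the `never`/`geoip` tags makes the credentialed download at the end of this section run on every play, and nothing visible sets `no_log`, so `geoip_license` can end up in verbose or failed-task output. Add `no_log: true` to that task; if the module is `get_url` (its line is above the hunk), the default `force: false` already avoids re-downloading when the destination exists. In the first hunk, `failed_when: false` on `Compose down` blankets all errors; if the compose file lives at `/opt/beeserver/monitoring/docker-compose.yml`, `removes:` pointing at it expresses the first-run case without hiding real failures.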
@@ -11,6 +11,8 @@ server {
listen 443 ssl; listen 443 ssl;
server_name gallery.secretbee.buzz; server_name gallery.secretbee.buzz;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_certificate /etc/letsencrypt/live/gallery.secretbee.buzz/fullchain.pem; ssl_certificate /etc/letsencrypt/live/gallery.secretbee.buzz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/gallery.secretbee.buzz/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/gallery.secretbee.buzz/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
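Review bot: The new server-level `add_header Strict-Transport-Security` is inherited only by `location` blocks that declare no `add_header` of their own; any location in this server block that adds a header (the locations are outside the hunk) silently drops HSTS for those paths. Either repeat the directive inside such locations or keep every header in one included snippet that each location pulls in. The header value itself is correct (`;` separator, `always`), and the section's `+2` suggests a second added line that is not shown here, presumably blank.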
@@ -13,7 +13,7 @@ server {
limit_req zone=mylimit burst=20; limit_req zone=mylimit burst=20;
add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_certificate /etc/letsencrypt/live/git.secretbee.buzz/fullchain.pem; ssl_certificate /etc/letsencrypt/live/git.secretbee.buzz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/git.secretbee.buzz/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/git.secretbee.buzz/privkey.pem;
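Review bot: The same HSTS directive is now corrected in four server blocks (git, grafana, lounge, and the new gallery one), and the `,` for `;` typo is exactly the drift that copies invite. Move it into a shared file such as `snippets/hsts.conf` containing `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` and replace each copy with `include snippets/hsts.conf;`. The surrounding `server` block starts and ends outside the hunk.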
@@ -22,7 +22,7 @@ server {
limit_req zone=mylimit burst=20; limit_req zone=mylimit burst=20;
add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_certificate /etc/letsencrypt/live/grafana.secretbee.buzz/fullchain.pem; ssl_certificate /etc/letsencrypt/live/grafana.secretbee.buzz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/grafana.secretbee.buzz/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/grafana.secretbee.buzz/privkey.pem;
@@ -13,7 +13,7 @@ server {
limit_req zone=mylimit burst=20; limit_req zone=mylimit burst=20;
add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_certificate /etc/letsencrypt/live/lounge.secretbee.buzz/fullchain.pem; ssl_certificate /etc/letsencrypt/live/lounge.secretbee.buzz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lounge.secretbee.buzz/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/lounge.secretbee.buzz/privkey.pem;
@@ -18,6 +18,7 @@
- name: Down wg0 - name: Down wg0
changed_when: true changed_when: true
failed_when: false
ansible.builtin.command: wg-quick down wg0 ansible.builtin.command: wg-quick down wg0
- name: Copy wg0.conf - name: Copy wg0.conf
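Review bot: `failed_when: false` on `wg-quick down wg0` masks every failure, not just the "interface is not up" case it is presumably meant to tolerate, so a teardown that genuinely breaks is hidden until the following up step fails. Scope it to that case with the command module's skip condition instead: `ansible.builtin.command:` / `cmd: wg-quick down wg0` / `removes: /sys/class/net/wg0`, which skips the task when the interface does not exist and otherwise keeps errors fatal.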
+1
@@ -18,6 +18,7 @@
- name: Down wg0 - name: Down wg0
changed_when: true changed_when: true
failed_when: false
ansible.builtin.command: wg-quick down wg0 ansible.builtin.command: wg-quick down wg0
- name: Copy wg0.conf - name: Copy wg0.conf
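Review bot: Same concern as the other wg0 playbook: `failed_when: false` turns every failure of `wg-quick down wg0` into success, including ones that leave a stale interface or routes behind. Prefer `cmd: wg-quick down wg0` with `removes: /sys/class/net/wg0` on the command module so the task is skipped only when the interface is absent, and a real teardown error still stops the play before `Copy wg0.conf` and the subsequent up step run.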