security fixes

playbooks/inspircd/inspircd.conf.j2

@@ -21,7 +21,7 @@
       ipaddr="127.0.0.1"
       port="7000"
       sendpass="{{ inspircd_sendpass }}"
-      recvpass="nr6fqRa4P6XhSHZt">
+      recvpass="{{ inspircd_recvpass }}">
 <uline server="services.secretbee.buzz" silent="yes">
 
 <sslprofile name="Clients"
@@ -32,7 +32,7 @@
 
 <gnutls onrehash="yes">
 
-<power diepass="KX65OcVZmEY1Ai9J" restartpass="L3yYbEdT9ik9jg4l">
+<power diepass="{{ inspircd_diepass }}" restartpass="{{ inspircd_restartpass }}">
 
 <connect allow="*"
          timeout="60"
@@ -46,7 +46,7 @@
          modes="+x">
 
 <cloak mode="full"
-       key="QKZABZzXCWDtteeLFP1t36Er5iy7Qj"
+       key="{{ inspircd_cloak_key }}"
        prefix="Cloak-"
        suffix=".Net"
        ignorecase="yes">

playbooks/inspircd/inspircd.yml

@@ -9,6 +9,13 @@
               61613831323831353761376337616635336339363830326536383632306139363831643636626566
               3131623431393438640a356166663965626535383032383232313064363732336164613236393430
               34343536363838626333626439336662303965643337393563396366393831626339
+    inspircd_recvpass: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              64653933323335313263613063393164393339613432376437613834366133323138323262343738
+              3332323139366163636365343066653539626664373164310a383033376139346331313734356535
+              39656164313364333237323230363761623735313938643265656131346436303235396631363631
+              3035303865353466660a393537303739396534393133353261393130303636396434383139643163
+              32656532613339623837323939383336653732363266323439633839653832623762
     inspircd_root_oper_password: !vault |
               $ANSIBLE_VAULT;1.1;AES256
               30343162623465633134623862326134636233633237613864363862316463653733383939636136
@@ -23,6 +30,28 @@
               37346330363231623130353432333134313963653365326633383461613834643634303566303230
               3032326237653034350a333934623834656666333234616364663537383166626566653039393661
               62336462613030313532333566363164336262376635633131313133386531333962
+    inspircd_diepass: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              62623565646331343664343863656466363234323834323666363436313865366666363130623866
+              6661383938323661313636393533356333653361303065640a363135383130653265336230346234
+              64616233313132363235646633643436626337313236633766343462383865616662353030383333
+              3339343635306465630a383738306261383761316631383738633730333030393635303863383633
+              31663438383735303438616531666531323233663235653832323731663336626162
+    inspircd_restartpass: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              63356162323139303537353538303661376338316264306630326637393930343738343432343265
+              3136306233343930393833373034323966386530613666310a623364646439346538663235363138
+              65663139623436346535396535376162356163303639373935643335666339353838363161643965
+              6639383631303163610a663033373733396631643435363734616430393238383764363066396333
+              32306639333331313437376262636164326135343433663937646232316434386164
+    inspircd_cloak_key: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              34393037316433666339356265663363653636313761343633626465633362396265303562303530
+              6565326437356631376438363062326130316632396662610a663465313736623031326236313662
+              66623039383632333539303536356463346638623234616239383336313065626336633632363438
+              3931386263396531360a386338643637386633353565356264303938383334383934316438353931
+              39393033643231353263313236643061393337653864633566393965656438636432
+
   tasks:
     - name: Install podman
       ansible.builtin.apt:

playbooks/letsencrypt/letsencrypt.yml

@@ -42,8 +42,9 @@
     - name: Change permission on live
       ansible.builtin.file:
         path: /etc/letsencrypt/live/
-        mode: '0755'
-    - name: Change permission on live
+        mode: '0711'
+
+    - name: Change permission on archive
       ansible.builtin.file:
         path: /etc/letsencrypt/archive/
-        mode: '0755'
+        mode: '0711'

playbooks/monitoring/docker-compose.yml.j2

@@ -8,7 +8,7 @@ services:
     container_name: prometheus
     restart: unless-stopped
     ports:
-      - '9090:9090'
+      - '127.0.0.1:9090:9090'
     volumes:
       - prometheus-data:/prometheus
       - /opt/monitoring/prometheus.yml:/etc/prometheus/prometheus.yml

playbooks/nginx/sites-enabled/git.secretbee.buzz

@@ -1,4 +1,3 @@
-## Redirect all HTTP traffic to HTTPS
 server {
   listen          80;
   server_name     git.secretbee.buzz;
@@ -12,7 +11,9 @@ server {
   listen         443 ssl;
   server_name    git.secretbee.buzz;
 
-  add_header Strict-Transport-Security "max-age=31536000" always; 
+  limit_req zone=mylimit burst=20;
+
+  add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always;
 
   ssl_certificate     /etc/letsencrypt/live/git.secretbee.buzz/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/git.secretbee.buzz/privkey.pem;

playbooks/nginx/sites-enabled/grafana.secretbee.buzz

@@ -17,10 +17,12 @@ server {
 }
 
 server {
-  listen 443;
+  listen         443 ssl;
   server_name    grafana.secretbee.buzz;
 
-  add_header Strict-Transport-Security "max-age=31536000" always; 
+  limit_req zone=mylimit burst=20;
+
+  add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always;
 
   ssl_certificate     /etc/letsencrypt/live/grafana.secretbee.buzz/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/grafana.secretbee.buzz/privkey.pem;

playbooks/nginx/sites-enabled/lounge.secretbee.buzz

@@ -1,4 +1,3 @@
-## Redirect all HTTP traffic to HTTPS
 server {
   listen          80;
   server_name     lounge.secretbee.buzz;
@@ -12,7 +11,9 @@ server {
   listen         443 ssl;
   server_name    lounge.secretbee.buzz;
 
-  add_header Strict-Transport-Security "max-age=31536000" always; 
+  limit_req zone=mylimit burst=20;
+
+  add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always;
 
   ssl_certificate     /etc/letsencrypt/live/lounge.secretbee.buzz/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/lounge.secretbee.buzz/privkey.pem;

playbooks/nginx/sites-enabled/secretbee.buzz

@@ -18,7 +18,7 @@ server {
 
   root /var/www;
 
-  add_header Strict-Transport-Security "max-age=31536000" always; 
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
   ssl_certificate     /etc/letsencrypt/live/secretbee.buzz/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/secretbee.buzz/privkey.pem;

playbooks/postfix/main.cf

@@ -18,7 +18,7 @@ mynetworks = 127.0.0.0/8
 relayhost =
 
 # --- TLS (outbound) ---
-smtp_tls_security_level = may
+smtp_tls_security_level = enforce
 smtp_tls_loglevel = 1
 smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 

playbooks/thelounge/config.js

@@ -14,7 +14,7 @@ module.exports = {
     //   channels and scrollbacks are available when they come back.
     //
     // This value is set to `false` by default.
-    public: true,
+    public: false,
     // ### `host`
     //
     // IP address or hostname for the web server to listen to. For example, set it