From 66149543a9cba4dddf017c494171f44f6a9bc52f Mon Sep 17 00:00:00 2001 From: bee Date: Mon, 27 Apr 2026 17:03:44 +0200 Subject: [PATCH] security fixes --- playbooks/inspircd/inspircd.conf.j2 | 6 ++-- playbooks/inspircd/inspircd.yml | 29 +++++++++++++++++++ playbooks/letsencrypt/letsencrypt.yml | 7 +++-- playbooks/monitoring/docker-compose.yml.j2 | 2 +- .../nginx/sites-enabled/git.secretbee.buzz | 5 ++-- .../sites-enabled/grafana.secretbee.buzz | 6 ++-- .../nginx/sites-enabled/lounge.secretbee.buzz | 5 ++-- playbooks/nginx/sites-enabled/secretbee.buzz | 2 +- playbooks/postfix/main.cf | 2 +- playbooks/thelounge/config.js | 2 +- 10 files changed, 50 insertions(+), 16 deletions(-) diff --git a/playbooks/inspircd/inspircd.conf.j2 b/playbooks/inspircd/inspircd.conf.j2 index ff3b26b..3b39e4b 100644 --- a/playbooks/inspircd/inspircd.conf.j2 +++ b/playbooks/inspircd/inspircd.conf.j2 @@ -21,7 +21,7 @@ ipaddr="127.0.0.1" port="7000" sendpass="{{ inspircd_sendpass }}" - recvpass="nr6fqRa4P6XhSHZt"> + recvpass="{{ inspircd_recvpass }}"> - + diff --git a/playbooks/inspircd/inspircd.yml b/playbooks/inspircd/inspircd.yml index 85d7f00..d40447a 100644 --- a/playbooks/inspircd/inspircd.yml +++ b/playbooks/inspircd/inspircd.yml 
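Review bot: Moving `recvpass` into `{{ inspircd_recvpass }}` does not revoke the old value: the plaintext `nr6fqRa4P6XhSHZt` is the removed line of this hunk and stays in the repository history, so the link password must be changed on both ends and the vaulted `inspircd_recvpass` must be a freshly generated value rather than the leaked one. `sendpass` and `recvpass` should also be two distinct random strings, since a shared value hands over both directions of the link to whoever learns one. This appears to be a `<link>` block that starts before the hunk, and two of its lines are unreadable in this rendering, so I cannot confirm whether the `diepass`, `restartpass` and cloak-key variables added to the vault elsewhere in this patch are templated here as well.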
@@ -9,6 +9,13 @@
 61613831323831353761376337616635336339363830326536383632306139363831643636626566
 3131623431393438640a356166663965626535383032383232313064363732336164613236393430
 34343536363838626333626439336662303965643337393563396366393831626339
+ inspircd_recvpass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 64653933323335313263613063393164393339613432376437613834366133323138323262343738
+ 3332323139366163636365343066653539626664373164310a383033376139346331313734356535
+ 39656164313364333237323230363761623735313938643265656131346436303235396631363631
+ 3035303865353466660a393537303739396534393133353261393130303636396434383139643163
+ 32656532613339623837323939383336653732363266323439633839653832623762
 inspircd_root_oper_password: !vault |
 $ANSIBLE_VAULT;1.1;AES256
 30343162623465633134623862326134636233633237613864363862316463653733383939636136
@@ -23,6 +30,28 @@
 37346330363231623130353432333134313963653365326633383461613834643634303566303230
 3032326237653034350a333934623834656666333234616364663537383166626566653039393661
 62336462613030313532333566363164336262376635633131313133386531333962
+ inspircd_diepass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 62623565646331343664343863656466363234323834323666363436313865366666363130623866
+ 6661383938323661313636393533356333653361303065640a363135383130653265336230346234
+ 64616233313132363235646633643436626337313236633766343462383865616662353030383333
+ 3339343635306465630a383738306261383761316631383738633730333030393635303863383633
+ 31663438383735303438616531666531323233663235653832323731663336626162
+ inspircd_restartpass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 63356162323139303537353538303661376338316264306630326637393930343738343432343265
+ 3136306233343930393833373034323966386530613666310a623364646439346538663235363138
+ 65663139623436346535396535376162356163303639373935643335666339353838363161643965
+ 6639383631303163610a663033373733396631643435363734616430393238383764363066396333
+ 32306639333331313437376262636164326135343433663937646232316434386164
+ inspircd_cloak_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 34393037316433666339356265663363653636313761343633626465633362396265303562303530
+ 6565326437356631376438363062326130316632396662610a663465313736623031326236313662
+ 66623039383632333539303536356463346638623234616239383336313065626336633632363438
+ 3931386263396531360a386338643637386633353565356264303938383334383934316438353931
+ 39393033643231353263313236643061393337653864633566393965656438636432
+
 tasks:
 - name: Install podman
 ansible.builtin.apt:
diff --git a/playbooks/letsencrypt/letsencrypt.yml b/playbooks/letsencrypt/letsencrypt.yml
index 1033523..534116e 100644
--- a/playbooks/letsencrypt/letsencrypt.yml
+++ b/playbooks/letsencrypt/letsencrypt.yml
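Review bot: The three new vaulted variables only help if the task that renders `inspircd.conf.j2` consumes them, and the only template change in this patch is `recvpass`; please confirm the `<power>` and `<cloak>` entries in the template reference `inspircd_diepass`, `inspircd_restartpass` and `inspircd_cloak_key`, otherwise the previously hardcoded values are still what gets deployed. Whichever task renders the template should carry `no_log: true`, because `--diff` output and verbose logging of a template task print the rendered file with every decrypted secret in it. InspIRCd rejects a cloak key shorter than the cloaking module's minimum (30 characters in the versions I know) and the vaulted value cannot be inspected here, so verify it was generated at adequate length. The `tasks:` list these variables feed continues past the hunk.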
@@ -42,8 +42,9 @@ - name: Change permission on live ansible.builtin.file: path: /etc/letsencrypt/live/ - mode: '0755' - - name: Change permission on live + mode: '0711' + + - name: Change permission on archive ansible.builtin.file: path: /etc/letsencrypt/archive/ - mode: '0755' + mode: '0711' diff --git a/playbooks/monitoring/docker-compose.yml.j2 b/playbooks/monitoring/docker-compose.yml.j2 index cc5318f..911002e 100644 --- a/playbooks/monitoring/docker-compose.yml.j2 +++ b/playbooks/monitoring/docker-compose.yml.j2 @@ -8,7 +8,7 @@ services: container_name: prometheus restart: unless-stopped ports: - - '9090:9090' + - '127.0.0.1:9090:9090' volumes: - prometheus-data:/prometheus - /opt/monitoring/prometheus.yml:/etc/prometheus/prometheus.yml diff --git a/playbooks/nginx/sites-enabled/git.secretbee.buzz b/playbooks/nginx/sites-enabled/git.secretbee.buzz index 5c3cdd5..4e13453 100644 --- a/playbooks/nginx/sites-enabled/git.secretbee.buzz +++ b/playbooks/nginx/sites-enabled/git.secretbee.buzz @@ -1,4 +1,3 @@ -## Redirect all HTTP traffic to HTTPS server { listen 80; server_name git.secretbee.buzz; @@ -12,7 +11,9 @@ server { listen 443 ssl; server_name git.secretbee.buzz; - add_header Strict-Transport-Security "max-age=31536000" always; + limit_req zone=mylimit burst=20; + + add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always; ssl_certificate /etc/letsencrypt/live/git.secretbee.buzz/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/git.secretbee.buzz/privkey.pem; diff --git a/playbooks/nginx/sites-enabled/grafana.secretbee.buzz b/playbooks/nginx/sites-enabled/grafana.secretbee.buzz index ced0093..c456044 100644 --- a/playbooks/nginx/sites-enabled/grafana.secretbee.buzz +++ b/playbooks/nginx/sites-enabled/grafana.secretbee.buzz 
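Review bot: `0711` on `/etc/letsencrypt/live/` and `/etc/letsencrypt/archive/` only hides directory listings; the per-domain directory names are the public hostnames used in `sites-enabled`, so any local user can still reach `archive/<host>/` and the keys are protected solely by certbot's default `0600` on `privkeyN.pem`. If the intent is to let a non-root service read certificates, the stronger pattern is a dedicated group: set `group: ssl-cert` (or similar) and `mode: '0750'` here, and grant that group read access to the specific key from a certbot `--deploy-hook` instead of loosening the parent directories for everyone. Note that `ansible.builtin.file` without `recurse` changes only these two directories, not the files beneath them, so this hunk by itself neither exposes nor protects the key material.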
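Review bot: Binding Prometheus to `127.0.0.1:9090:9090` is the right direction, since published container ports bypass host firewall rules, but if Grafana runs in this same compose file it can reach Prometheus over the compose network by service name and the port need not be published at all; dropping the `ports:` entry removes the unauthenticated Prometheus UI and `/api/v1/query` from the host entirely. Any other service in this file that still publishes `'PORT:PORT'` without a loopback address (Grafana behind the nginx vhost, exporters) should get the same treatment; only the `prometheus` service is visible in this hunk. The `services:` block continues outside the hunk.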
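Review bot: The new header value `"max-age=31536000, includeSubDomains"` is malformed: RFC 6797 separates STS directives with `;`, and a user agent must ignore a header whose `max-age` value does not parse, so this hunk most likely disables HSTS for `git.secretbee.buzz` instead of strengthening it. Use `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`, which is the form the `secretbee.buzz` vhost in this same patch already uses. `includeSubDomains` on a subdomain vhost only covers `*.git.secretbee.buzz`; the directive that matters for the whole site is the one on the apex. `limit_req zone=mylimit burst=20;` also presupposes a `limit_req_zone ... zone=mylimit:...` in the http context that is not part of this patch, and `nginx -t` will fail without it.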
@@ -17,10 +17,12 @@ server { } server { - listen 443; + listen 443 ssl; server_name grafana.secretbee.buzz; - add_header Strict-Transport-Security "max-age=31536000" always; + limit_req zone=mylimit burst=20; + + add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always; ssl_certificate /etc/letsencrypt/live/grafana.secretbee.buzz/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/grafana.secretbee.buzz/privkey.pem; diff --git a/playbooks/nginx/sites-enabled/lounge.secretbee.buzz b/playbooks/nginx/sites-enabled/lounge.secretbee.buzz index b977fa4..499c804 100644 --- a/playbooks/nginx/sites-enabled/lounge.secretbee.buzz +++ b/playbooks/nginx/sites-enabled/lounge.secretbee.buzz @@ -1,4 +1,3 @@ -## Redirect all HTTP traffic to HTTPS server { listen 80; server_name lounge.secretbee.buzz; @@ -12,7 +11,9 @@ server { listen 443 ssl; server_name lounge.secretbee.buzz; - add_header Strict-Transport-Security "max-age=31536000" always; + limit_req zone=mylimit burst=20; + + add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always; ssl_certificate /etc/letsencrypt/live/lounge.secretbee.buzz/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/lounge.secretbee.buzz/privkey.pem; diff --git a/playbooks/nginx/sites-enabled/secretbee.buzz b/playbooks/nginx/sites-enabled/secretbee.buzz index 508c447..93e520e 100644 --- a/playbooks/nginx/sites-enabled/secretbee.buzz +++ b/playbooks/nginx/sites-enabled/secretbee.buzz @@ -18,7 +18,7 @@ server { root /var/www; - add_header Strict-Transport-Security "max-age=31536000" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; ssl_certificate /etc/letsencrypt/live/secretbee.buzz/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/secretbee.buzz/privkey.pem; diff --git a/playbooks/postfix/main.cf b/playbooks/postfix/main.cf index 882b7df..c6fd386 100644 --- a/playbooks/postfix/main.cf +++ b/playbooks/postfix/main.cf 
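Review bot: Same header defect as the other vhosts in this patch: `"max-age=31536000, includeSubDomains"` uses a comma where RFC 6797 requires `;`, so browsers will ignore the header; change it to `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`. The `listen 443;` to `listen 443 ssl;` fix deserves a mention in the commit message: before it, nginx served plain HTTP on port 443 for this host and the `ssl_certificate` directives below had no effect, so the HSTS header was never delivered over a working TLS connection. The `server` block continues past the hunk, so the proxy directives are not visible; Grafana behind a reverse proxy also needs `Host`/`X-Forwarded-For` passed through and its root URL configured, but that is outside this diff.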
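Review bot: `"max-age=31536000, includeSubDomains"` has the same comma defect as the `git` and `grafana` vhosts: STS directives are `;`-separated per RFC 6797 and a non-parsing `max-age` causes the whole header to be ignored, so use `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`. Since this host fronts The Lounge, which loads a burst of assets and then holds a WebSocket per client, check `limit_req zone=mylimit burst=20;` against the rate configured for `mylimit` (not in this patch) so a normal page load is not throttled; without `nodelay`, excess requests are queued rather than rejected. The `server` block continues past the hunk.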
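Review bot: `includeSubDomains` on the apex is the right place for it and the `;` separator here is correct, but it is a one-year commitment for every name under `secretbee.buzz`: once a browser has seen this header, any subdomain that is not served over valid TLS (including hosts not in this repository) becomes unreachable from that browser until the policy expires. Add a comment above the directive recording that constraint, e.g. `# includeSubDomains: every *.secretbee.buzz host must serve valid TLS for the next year`, so the next vhost added here is not plain HTTP by accident. Do not add `preload` unless you intend to submit the domain to the browser preload list, since that cannot be undone quickly.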
@@ -18,7 +18,7 @@ mynetworks = 127.0.0.0/8 relayhost = # --- TLS (outbound) --- -smtp_tls_security_level = may +smtp_tls_security_level = enforce smtp_tls_loglevel = 1 smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt diff --git a/playbooks/thelounge/config.js b/playbooks/thelounge/config.js index 361c8ef..32758df 100644 --- a/playbooks/thelounge/config.js +++ b/playbooks/thelounge/config.js @@ -14,7 +14,7 @@ module.exports = { // channels and scrollbacks are available when they come back. // // This value is set to `false` by default. - public: true, + public: false, // ### `host` // // IP address or hostname for the web server to listen to. For example, set it
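Review bot: `enforce` is not a value that `smtp_tls_security_level` accepts; Postfix documents `none`, `may`, `encrypt`, `dane`, `dane-only`, `fingerprint`, `verify` and `secure`, and as far as I know the smtp(8) client treats an unknown level as a fatal configuration error, so I would expect outbound delivery to stop rather than become mandatory-TLS. Because `relayhost =` is empty, mail goes straight to each recipient's MX, and even the intended `encrypt` would defer every message to a domain whose MX lacks STARTTLS while still not verifying certificates (the `smtp_tls_CAfile` below only matters at `verify`/`secure`). For direct delivery the authenticated-where-possible pattern is `smtp_tls_security_level = dane` together with `smtp_dns_support_level = dnssec` and a local validating resolver, which degrades to `may` for domains without TLSA records; alternatively keep `may` and pin specific destinations via `smtp_tls_policy_maps`.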
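Review bot: With `public: false` The Lounge only serves users created with `thelounge add <name>`, so the playbook needs a corresponding user-provisioning step (with a non-interactive way to set the password) or the instance will present a login page nobody can pass; no such task is visible in this patch. Since `lounge.secretbee.buzz` is proxied by nginx in this same patch, `reverseProxy: true` should be set in this file so failed logins are recorded with the client address from `X-Forwarded-For` rather than `127.0.0.1`, and `host` (the option documented in the comment that follows this hunk) should be bound to the loopback address so the process is not reachable except through nginx. The `module.exports` object continues past the hunk, so I cannot confirm the current `host` or `reverseProxy` values.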