security fixes
@@ -21,7 +21,7 @@
|
|||||||
ipaddr="127.0.0.1"
|
ipaddr="127.0.0.1"
|
||||||
port="7000"
|
port="7000"
|
||||||
sendpass="{{ inspircd_sendpass }}"
|
sendpass="{{ inspircd_sendpass }}"
|
||||||
recvpass="nr6fqRa4P6XhSHZt">
|
recvpass="{{ inspircd_recvpass }}">
|
||||||
<uline server="services.secretbee.buzz" silent="yes">
|
<uline server="services.secretbee.buzz" silent="yes">
|
||||||
|
|
||||||
<sslprofile name="Clients"
|
<sslprofile name="Clients"
|
||||||
@@ -32,7 +32,7 @@
|
|||||||
|
|
||||||
<gnutls onrehash="yes">
|
<gnutls onrehash="yes">
|
||||||
|
|
||||||
<power diepass="KX65OcVZmEY1Ai9J" restartpass="L3yYbEdT9ik9jg4l">
|
<power diepass="{{ inspircd_diepass }}" restartpass="{{ inspircd_restartpass }}">
|
||||||
|
|
||||||
<connect allow="*"
|
<connect allow="*"
|
||||||
timeout="60"
|
timeout="60"
|
||||||
@@ -46,7 +46,7 @@
|
|||||||
modes="+x">
|
modes="+x">
|
||||||
|
|
||||||
<cloak mode="full"
|
<cloak mode="full"
|
||||||
key="QKZABZzXCWDtteeLFP1t36Er5iy7Qj"
|
key="{{ inspircd_cloak_key }}"
|
||||||
prefix="Cloak-"
|
prefix="Cloak-"
|
||||||
suffix=".Net"
|
suffix=".Net"
|
||||||
ignorecase="yes">
|
ignorecase="yes">
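Review bot: The four literals this change replaces (`recvpass`, `diepass`, `restartpass` and the cloak `key`) remain readable in the repository history, so templating them only helps if the vaulted values are newly generated. The vault payloads are encrypted, so the page does not show whether they were rotated; if they still hold the old strings, generate fresh ones and coordinate the `recvpass` change with the services link. Rotating the cloak key changes every user's cloaked host, so bans set on cloaks will need to be re-created. A comment above `<power>` such as `# secrets are rendered from Ansible Vault; never commit literal values here` would document the convention.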
|
||||||
|
|||||||
@@ -9,6 +9,13 @@
|
|||||||
61613831323831353761376337616635336339363830326536383632306139363831643636626566
|
61613831323831353761376337616635336339363830326536383632306139363831643636626566
|
||||||
3131623431393438640a356166663965626535383032383232313064363732336164613236393430
|
3131623431393438640a356166663965626535383032383232313064363732336164613236393430
|
||||||
34343536363838626333626439336662303965643337393563396366393831626339
|
34343536363838626333626439336662303965643337393563396366393831626339
|
||||||
|
inspircd_recvpass: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
64653933323335313263613063393164393339613432376437613834366133323138323262343738
|
||||||
|
3332323139366163636365343066653539626664373164310a383033376139346331313734356535
|
||||||
|
39656164313364333237323230363761623735313938643265656131346436303235396631363631
|
||||||
|
3035303865353466660a393537303739396534393133353261393130303636396434383139643163
|
||||||
|
32656532613339623837323939383336653732363266323439633839653832623762
|
||||||
inspircd_root_oper_password: !vault |
|
inspircd_root_oper_password: !vault |
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
30343162623465633134623862326134636233633237613864363862316463653733383939636136
|
30343162623465633134623862326134636233633237613864363862316463653733383939636136
|
||||||
@@ -23,6 +30,28 @@
|
|||||||
37346330363231623130353432333134313963653365326633383461613834643634303566303230
|
37346330363231623130353432333134313963653365326633383461613834643634303566303230
|
||||||
3032326237653034350a333934623834656666333234616364663537383166626566653039393661
|
3032326237653034350a333934623834656666333234616364663537383166626566653039393661
|
||||||
62336462613030313532333566363164336262376635633131313133386531333962
|
62336462613030313532333566363164336262376635633131313133386531333962
|
||||||
|
inspircd_diepass: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
62623565646331343664343863656466363234323834323666363436313865366666363130623866
|
||||||
|
6661383938323661313636393533356333653361303065640a363135383130653265336230346234
|
||||||
|
64616233313132363235646633643436626337313236633766343462383865616662353030383333
|
||||||
|
3339343635306465630a383738306261383761316631383738633730333030393635303863383633
|
||||||
|
31663438383735303438616531666531323233663235653832323731663336626162
|
||||||
|
inspircd_restartpass: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
63356162323139303537353538303661376338316264306630326637393930343738343432343265
|
||||||
|
3136306233343930393833373034323966386530613666310a623364646439346538663235363138
|
||||||
|
65663139623436346535396535376162356163303639373935643335666339353838363161643965
|
||||||
|
6639383631303163610a663033373733396631643435363734616430393238383764363066396333
|
||||||
|
32306639333331313437376262636164326135343433663937646232316434386164
|
||||||
|
inspircd_cloak_key: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
34393037316433666339356265663363653636313761343633626465633362396265303562303530
|
||||||
|
6565326437356631376438363062326130316632396662610a663465313736623031326236313662
|
||||||
|
66623039383632333539303536356463346638623234616239383336313065626336633632363438
|
||||||
|
3931386263396531360a386338643637386633353565356264303938383334383934316438353931
|
||||||
|
39393033643231353263313236643061393337653864633566393965656438636432
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Install podman
|
- name: Install podman
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
|
|||||||
@@ -42,8 +42,9 @@
|
|||||||
- name: Change permission on live
|
- name: Change permission on live
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: /etc/letsencrypt/live/
|
path: /etc/letsencrypt/live/
|
||||||
mode: '0755'
|
mode: '0711'
|
||||||
- name: Change permission on live
|
|
||||||
|
- name: Change permission on archive
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: /etc/letsencrypt/archive/
|
path: /etc/letsencrypt/archive/
|
||||||
mode: '0755'
|
mode: '0711'
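Review bot: Mode `0711` on `/etc/letsencrypt/live/` and `/etc/letsencrypt/archive/` hides the directory listing but still lets every local account traverse into the per-domain directories, whose names are predictable from the nginx configs. Protection of `privkey.pem` then rests entirely on the key file's own mode. If a non-root service is the reason these directories were opened up (an assumption, the consumer is not visible here), a dedicated group is tighter: `mode: '0750'` with `group: <cert-readers-group>` on both tasks. The task list continues outside the hunk.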
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ services:
|
|||||||
container_name: prometheus
|
container_name: prometheus
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
ports:
|
ports:
|
||||||
- '9090:9090'
|
- '127.0.0.1:9090:9090'
|
||||||
volumes:
|
volumes:
|
||||||
- prometheus-data:/prometheus
|
- prometheus-data:/prometheus
|
||||||
- /opt/monitoring/prometheus.yml:/etc/prometheus/prometheus.yml
|
- /opt/monitoring/prometheus.yml:/etc/prometheus/prometheus.yml
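Review bot: The reason for the loopback bind on `'127.0.0.1:9090:9090'` is not recorded next to it, so a later edit could revert it to `'9090:9090'` without noticing the exposure. Prometheus serves its UI and API without authentication by default, and container-published ports typically bypass host firewall rules. I would add a comment above the mapping: `# loopback only: Prometheus has no auth by default; reach it via the reverse proxy or an SSH tunnel`. Other services in this compose file are outside the hunk, and their `ports:` entries deserve the same check.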
|
||||||
|
|||||||
@@ -1,4 +1,3 @@
|
|||||||
## Redirect all HTTP traffic to HTTPS
|
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
server_name git.secretbee.buzz;
|
server_name git.secretbee.buzz;
|
||||||
@@ -12,7 +11,9 @@ server {
|
|||||||
listen 443 ssl;
|
listen 443 ssl;
|
||||||
server_name git.secretbee.buzz;
|
server_name git.secretbee.buzz;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
limit_req zone=mylimit burst=20;
|
||||||
|
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always;
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/git.secretbee.buzz/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/git.secretbee.buzz/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/git.secretbee.buzz/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/git.secretbee.buzz/privkey.pem;
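Review bot: The new header value `"max-age=31536000, includeSubDomains"` separates its directives with a comma, but Strict-Transport-Security directives are separated by semicolons (RFC 6797). Browsers that parse the header strictly will discard it, which would switch HSTS off for this host rather than extend it. Change the line to `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`. The same comma appears in the grafana.secretbee.buzz and lounge.secretbee.buzz server blocks, while the secretbee.buzz block already uses the semicolon. The server block continues outside the hunk.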
|
||||||
|
|||||||
@@ -17,10 +17,12 @@ server {
|
|||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443;
|
listen 443 ssl;
|
||||||
server_name grafana.secretbee.buzz;
|
server_name grafana.secretbee.buzz;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
limit_req zone=mylimit burst=20;
|
||||||
|
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always;
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/grafana.secretbee.buzz/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/grafana.secretbee.buzz/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/grafana.secretbee.buzz/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/grafana.secretbee.buzz/privkey.pem;
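Review bot: `limit_req zone=mylimit burst=20;` depends on a `limit_req_zone` definition for `mylimit` in the `http` context, and none is visible in this commit; if it is missing, `nginx -t` fails and the reload is rejected. Without `nodelay`, requests inside the burst are queued and delayed, which a dashboard that loads many assets per page will notice. Rejected requests default to status 503; adding `limit_req_status 429;` next to the directive makes throttling distinguishable from an outage in logs and alerts. The same directive is added to the git and lounge server blocks.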
|
||||||
|
|||||||
@@ -1,4 +1,3 @@
|
|||||||
## Redirect all HTTP traffic to HTTPS
|
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
server_name lounge.secretbee.buzz;
|
server_name lounge.secretbee.buzz;
|
||||||
@@ -12,7 +11,9 @@ server {
|
|||||||
listen 443 ssl;
|
listen 443 ssl;
|
||||||
server_name lounge.secretbee.buzz;
|
server_name lounge.secretbee.buzz;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
limit_req zone=mylimit burst=20;
|
||||||
|
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000, includeSubDomains" always;
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/lounge.secretbee.buzz/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/lounge.secretbee.buzz/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/lounge.secretbee.buzz/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/lounge.secretbee.buzz/privkey.pem;
|
||||||
|
|||||||
@@ -18,7 +18,7 @@ server {
|
|||||||
|
|
||||||
root /var/www;
|
root /var/www;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/secretbee.buzz/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/secretbee.buzz/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/secretbee.buzz/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/secretbee.buzz/privkey.pem;
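Review bot: Adding `includeSubDomains` on the apex `secretbee.buzz` commits every subdomain to HTTPS for the full `max-age` of one year in any browser that has seen this header. Before deploying, confirm that each name under the domain that serves web content has a valid certificate, because a plain-HTTP subdomain cannot be reached from those browsers until the policy expires. A comment above the header, `# applies to all *.secretbee.buzz hosts; every web-facing subdomain must serve valid TLS`, would make that dependency visible. The server block continues outside the hunk.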
|
||||||
|
|||||||
@@ -18,7 +18,7 @@ mynetworks = 127.0.0.0/8
|
|||||||
relayhost =
|
relayhost =
|
||||||
|
|
||||||
# --- TLS (outbound) ---
|
# --- TLS (outbound) ---
|
||||||
smtp_tls_security_level = may
|
smtp_tls_security_level = enforce
|
||||||
smtp_tls_loglevel = 1
|
smtp_tls_loglevel = 1
|
||||||
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
|
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
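Review bot: `enforce` is not one of the documented values of `smtp_tls_security_level` (`none`, `may`, `encrypt`, `dane`, `dane-only`, `fingerprint`, `verify`, `secure`), so this line is likely to be logged as an invalid TLS level and may stall outbound delivery instead of hardening it. For mandatory encryption use `smtp_tls_security_level = encrypt`; since `smtp_tls_CAfile` is already set, `verify` or `secure` would add certificate checking. With `relayhost` empty, mail goes directly to recipient MX hosts, so any mandatory level will defer mail to servers that do not offer STARTTLS; `dane` or a per-destination `smtp_tls_policy_maps` is the usual compromise. Run `postfix check` and watch the mail log after the change.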
|
||||||
|
|
||||||
|
|||||||
@@ -14,7 +14,7 @@ module.exports = {
|
|||||||
// channels and scrollbacks are available when they come back.
|
// channels and scrollbacks are available when they come back.
|
||||||
//
|
//
|
||||||
// This value is set to `false` by default.
|
// This value is set to `false` by default.
|
||||||
public: true,
|
public: false,
|
||||||
// ### `host`
|
// ### `host`
|
||||||
//
|
//
|
||||||
// IP address or hostname for the web server to listen to. For example, set it
|
// IP address or hostname for the web server to listen to. For example, set it
|
||||||
|
|||||||