| author | Luke Hoersten <[email protected]> | 2026-04-05 21:19:55 -0500 |
|---|---|---|
| committer | Luke Hoersten <[email protected]> | 2026-04-05 21:19:55 -0500 |
| commit | 06b69bd8def0aae07d3fb565d19193be1a8dfe20 (patch) | |
| tree | 1bf679924a56775f356bc1c378f629264edd1ca8 | |
| parent | 0b402a7a0a773dfa40e5549235941cd1217617d3 (diff) | |
Harden role security: file permissions, service binding, no_log, strict defaults
- Add no_log: true to tasks that handle passwords/secrets
- Tighten config file permissions (0644 -> 0600/0640 where appropriate)
- Bind pleroma to 127.0.0.1 instead of 0.0.0.0
- Tighten ergo unix socket mode 0777 -> 0770
- Remove weak defaults; roles now fail explicitly if required vars not set
| -rw-r--r-- | dendrite/server/tasks/main.yaml | 1 | ||||
| -rw-r--r-- | ergo/tasks/main.yaml | 3 | ||||
| -rw-r--r-- | ergo/templates/config.yaml.j2 | 2 | ||||
| -rw-r--r-- | miniflux/defaults/main.yaml | 2 | ||||
| -rw-r--r-- | miniflux/tasks/main.yaml | 6 | ||||
| -rw-r--r-- | nostr/relayer/defaults/main.yaml | 2 | ||||
| -rw-r--r-- | pleroma/otp/tasks/instance.yaml | 1 | ||||
| -rw-r--r-- | pleroma/otp/templates/config.exs.j2 | 2 | ||||
| -rw-r--r-- | prosody/tasks/main.yaml | 1 | ||||
| -rw-r--r-- | rpi-base/tasks/main.yaml | 1 | ||||
| -rw-r--r-- | transmission/defaults/main.yaml | 2 |
11 files changed, 15 insertions, 8 deletions
diff --git a/dendrite/server/tasks/main.yaml b/dendrite/server/tasks/main.yaml
index b2395d0..d81c11e 100644
--- a/dendrite/server/tasks/main.yaml
+++ b/dendrite/server/tasks/main.yaml
@@ -87,6 +87,7 @@ become_user: "postgres" command: "psql -f /tmp/setup_db_dendrite_{{dendrite_instance}}.psql" changed_when: false + no_log: true - name: configure dendrite become: yes
diff --git a/ergo/tasks/main.yaml b/ergo/tasks/main.yaml
index 5998713..72f0285 100644
--- a/ergo/tasks/main.yaml
+++ b/ergo/tasks/main.yaml
@@ -43,8 +43,9 @@ dest: "/etc/ergo/config.yaml" owner: "ergo" group: "ergo" - mode: "0644" + mode: "0640" notify: reload ergo + no_log: true - name: copy motd file become: yes
diff --git a/ergo/templates/config.yaml.j2 b/ergo/templates/config.yaml.j2
index c2e22a8..edc0bd0 100644
--- a/ergo/templates/config.yaml.j2
+++ b/ergo/templates/config.yaml.j2
@@ -77,7 +77,7 @@ server: # the default is 0775 or 0755, which prevents other users/groups from connecting # to the socket. With 0777, it behaves like a normal TCP socket # where anyone can connect. - unix-bind-mode: 0777 + unix-bind-mode: 0770 # configure the behavior of Tor listeners (ignored if you didn't enable any): tor-listeners:
diff --git a/miniflux/defaults/main.yaml b/miniflux/defaults/main.yaml
index 5061613..17788ef 100644
--- a/miniflux/defaults/main.yaml
+++ b/miniflux/defaults/main.yaml
@@ -1,7 +1,7 @@ --- miniflux_port: "8555" -miniflux_admin_pass: "admin" +# miniflux_admin_pass: — required, set in host_vars miniflux_arch: "arm64" # https://github.com/miniflux/miniflux/releases miniflux_version: "2.2.18"
diff --git a/miniflux/tasks/main.yaml b/miniflux/tasks/main.yaml
index 2838824..ffa6d0f 100644
--- a/miniflux/tasks/main.yaml
+++ b/miniflux/tasks/main.yaml
@@ -11,7 +11,7 @@ dest: "/usr/local/bin/miniflux" owner: "root" group: "root" - mode: "0755" + mode: "0600" - name: configure miniflux become: yes
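Review bot: `no_log: true` on the `psql -f /tmp/setup_db_dendrite_{{dendrite_instance}}.psql` task hides Ansible's output, but the credential the task consumes sits in that `/tmp` file, and nothing in this hunk protects or removes it. The task that writes the file is outside the hunk; confirm it is created with `mode: "0600"` and `owner: "postgres"`, and add a follow-up `ansible.builtin.file` task with `state: absent` so the rendered SQL is not left on disk after the role runs. A world-readable file in `/tmp` is a far easier place to read the password from than the play log.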
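Review bot: `mode: "0640"` with `owner: "ergo"` still leaves the ergo process able to rewrite `/etc/ergo/config.yaml`, which now matters because the file carries secrets (hence the `no_log` added on the same task). If the daemon only needs to read its config, set `owner: "root"`, `group: "ergo"`, `mode: "0640"` so a compromised ergo process can read but not alter it. Whether anything in the role relies on ergo writing that file is not visible here; the task's `src`/head lines are outside the hunk.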
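Review bot: The comment immediately above `unix-bind-mode: 0770` still says the socket is opened 0777 "where anyone can connect", which is now the opposite of what the template sets. Replace the last two comment lines with `# 0770 limits the socket to the ergo user and group; any local client that` / `# should connect over the unix socket must be a member of the ergo group.` Note that who can actually reach the socket also depends on the permissions of its parent directory, which is configured outside this hunk.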
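Review bot: Commenting out `miniflux_admin_pass` does not make the role "fail explicitly" as the commit message claims; the role now fails with an undefined-variable error only when the value is first rendered, and that render task gets `no_log: true` in this same commit, so even the error text is hidden. Add a guard as the first task of the role, e.g. `- name: check required vars` / `  ansible.builtin.assert: { that: ["miniflux_admin_pass is defined", "miniflux_admin_pass | length > 0"], quiet: true }`, with a `fail_msg` naming the variable; `quiet: true` keeps the value out of the output. The same applies to every other default removed in this commit.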
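Review bot: `mode: "0600"` on `/usr/local/bin/miniflux` removes the execute bit, so the service can no longer start: even root needs at least one execute bit set to exec a file, and a non-root service user cannot read it at all. A root-owned binary should keep `mode: "0755"` (or `"0750"` with `group` set to the service's group if you want to hide it from other users); read/execute access to the binary is not sensitive, the config file is. The `- name: configure miniflux` task that follows is cut off here.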
@@ -20,8 +20,9 @@ dest: "/etc/miniflux.conf" owner: "root" group: "root" - mode: "0755" + mode: "0600" notify: restart miniflux service + no_log: true - name: install miniflux schema file become: yes
@@ -37,6 +38,7 @@ become_user: "postgres" command: "psql -f /tmp/setup_db_miniflux.psql" changed_when: false + no_log: true - name: install systemd service become: yes
diff --git a/nostr/relayer/defaults/main.yaml b/nostr/relayer/defaults/main.yaml
index 7d30aa6..c89e0e2 100644
--- a/nostr/relayer/defaults/main.yaml
+++ b/nostr/relayer/defaults/main.yaml
@@ -6,4 +6,4 @@ relayer_pubkey: "" relayer_port: "7447" relayer_db: "relayer" relayer_db_user: "relayer" -relayer_db_pass: "relayer" +# relayer_db_pass: — required, set in host_vars
diff --git a/pleroma/otp/tasks/instance.yaml b/pleroma/otp/tasks/instance.yaml
index 9bb67ac..d8983e4 100644
--- a/pleroma/otp/tasks/instance.yaml
+++ b/pleroma/otp/tasks/instance.yaml
@@ -38,6 +38,7 @@ become_user: "{{pleroma_db_superuser}}" command: "psql -f /tmp/setup_db_{{pleroma_instance}}.psql" changed_when: false + no_log: true - include_tasks: soapbox.yaml when: pleroma_soapbox
diff --git a/pleroma/otp/templates/config.exs.j2 b/pleroma/otp/templates/config.exs.j2
index 05187cf..0db1828 100644
--- a/pleroma/otp/templates/config.exs.j2
+++ b/pleroma/otp/templates/config.exs.j2
@@ -2,7 +2,7 @@ import Config config :pleroma, Pleroma.Web.Endpoint, url: [host: "{{pleroma_link_host}}", scheme: "{{pleroma_link_scheme}}", port: {{pleroma_link_port}}], - http: [port: {{pleroma_port}}, ip: {0, 0, 0, 0}], + http: [port: {{pleroma_port}}, ip: {127, 0, 0, 1}], secret_key_base: "{{pleroma_secret_key}}", secure_cookie_flag: true
diff --git a/prosody/tasks/main.yaml b/prosody/tasks/main.yaml
index 752e4b0..c515a24 100644
--- a/prosody/tasks/main.yaml
+++ b/prosody/tasks/main.yaml
@@ -47,6 +47,7 @@ become_user: "postgres" command: "psql -f /tmp/setup_db_{{prosody_db}}.psql" changed_when: false + no_log: true - name: enable prosody site become: yes
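Review bot: `/etc/miniflux.conf` as `root:root` with `mode: "0600"` is readable by root only, so whether the miniflux service can still read it depends on how the unit loads the file, which is not in this hunk. If the unit uses `EnvironmentFile=/etc/miniflux.conf`, systemd reads it as root before dropping privileges and 0600 is correct; if miniflux is started with `-c /etc/miniflux.conf` under a dedicated user, the file needs `group: "<service group>"` and `mode: "0640"` or the service fails to start. Worth a one-line comment on the task stating which of the two is relied on; the task's `src`/head lines are outside the hunk.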
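Review bot: With `no_log: true` on `psql -f /tmp/setup_db_miniflux.psql`, a failing statement is now invisible twice over: `psql -f` exits 0 when a statement inside the script errors unless `ON_ERROR_STOP` is set, and the stderr that would have shown the error is suppressed. Change the command to `psql -v ON_ERROR_STOP=1 -f /tmp/setup_db_miniflux.psql` so a broken or partially applied setup fails the play instead of continuing silently. `changed_when: false` can stay; it only affects reporting, not failure.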
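Review bot: Moving `relayer_db_pass` out of `defaults/main.yaml` into host_vars only helps if that host_vars file is encrypted or kept out of the repository; a plaintext `host_vars/<host>.yaml` committed next to the roles is no better protected than the default it replaces. Make the comment say how the value is expected to be stored, e.g. `# relayer_db_pass: — required; set in host_vars as an ansible-vault encrypted value`. The `relayer_pubkey: ""` context line above is a separate concern and is unchanged here.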
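Review bot: Binding the endpoint to `ip: {127, 0, 0, 1}` makes the instance reachable only through a reverse proxy on the same host, and nothing in the template states that; a proxy in a container or on another machine now gets connection refused. Add a line above it, `# listens on loopback only: a reverse proxy on this host must forward to port {{pleroma_port}}`, and consider templating the address as `ip: {{ pleroma_bind_ip | default("{127, 0, 0, 1}") }}` so a host can override it without editing the role. Because every request now arrives from 127.0.0.1, confirm the proxy sets X-Forwarded-For and that Pleroma's remote-IP handling trusts it; otherwise rate limiting and logs see only the loopback address.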
diff --git a/rpi-base/tasks/main.yaml b/rpi-base/tasks/main.yaml
index c2701bf..9be6aad 100644
--- a/rpi-base/tasks/main.yaml
+++ b/rpi-base/tasks/main.yaml
@@ -69,6 +69,7 @@ groups: "sudo,users" shell: "/bin/bash" append: yes + no_log: true - name: authorize ssh keys become: yes
diff --git a/transmission/defaults/main.yaml b/transmission/defaults/main.yaml
index 5ffae18..b616a3c 100644
--- a/transmission/defaults/main.yaml
+++ b/transmission/defaults/main.yaml
@@ -2,6 +2,6 @@ transmission_config: "/etc/transmission-daemon/settings.json" transmission_port: "9091" -transmission_passwd: "transmission" +# transmission_passwd: — required, set in host_vars transmission_download_dir: "/var/lib/transmission-daemon/downloads" transmission_user: "debian-transmission" |
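Review bot: `no_log: true` on this `user` task only does something if the task sets `password:`, and its head is outside the hunk; if it does, the thing to verify is the form of that value, because the user module writes it verbatim into /etc/shadow and it must already be a crypt hash such as `password: "{{ admin_password | password_hash('sha512') }}"`, not plaintext. With `no_log` on, a plaintext value would be hidden from the play output while silently producing an account nobody can log into, so the mistake would not show up in the run. Consider also `update_password: on_create` so the hash is not rewritten (and the task reported changed) on every run.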
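Review bot: A commented-out `transmission_passwd` is documentation, not enforcement; Ansible raises an undefined-variable error only at the first task that renders it, which may be deep in the role and after other changes have been applied. Declare the requirement in `meta/argument_specs.yml` — `argument_specs: { main: { options: { transmission_passwd: { type: str, required: true, no_log: true } } } }` — so the role fails at entry before any task runs, and keep the comment here pointing to that file. Whether the role already has a `meta/` directory is not visible in this diff.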
