| author | Luke Hoersten <[email protected]> | 2026-04-05 21:19:55 -0500 |
|---|---|---|
| committer | Luke Hoersten <[email protected]> | 2026-04-05 21:19:55 -0500 |
| commit | 06b69bd8def0aae07d3fb565d19193be1a8dfe20 (patch) | |
| tree | 1bf679924a56775f356bc1c378f629264edd1ca8 /ergo/templates/config.yaml.j2 | |
| parent | 0b402a7a0a773dfa40e5549235941cd1217617d3 (diff) | |
Harden role security: file permissions, service binding, no_log, strict defaults
- Add no_log: true to tasks that handle passwords/secrets
- Tighten config file permissions (0644 -> 0600/0640 where appropriate)
- Bind pleroma to 127.0.0.1 instead of 0.0.0.0
- Tighten ergo unix socket mode 0777 -> 0770
- Remove weak defaults; roles now fail explicitly if required vars not set
Diffstat (limited to 'ergo/templates/config.yaml.j2')
| -rw-r--r-- | ergo/templates/config.yaml.j2 | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/ergo/templates/config.yaml.j2 b/ergo/templates/config.yaml.j2 index c2e22a8..edc0bd0 100644 --- a/ergo/templates/config.yaml.j2 +++ b/ergo/templates/config.yaml.j2 @@ -77,7 +77,7 @@ server: # the default is 0775 or 0755, which prevents other users/groups from connecting # to the socket. With 0777, it behaves like a normal TCP socket # where anyone can connect. - unix-bind-mode: 0777 + unix-bind-mode: 0770 # configure the behavior of Tor listeners (ignored if you didn't enable any): tor-listeners: |
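Review bot: the comment block directly above the changed line is now stale: it still explains the setting in terms of 0777 ("With 0777, it behaves like a normal TCP socket where anyone can connect"), while the template now emits `unix-bind-mode: 0770`. Update the comment to state what 0770 actually grants (owner and group may connect, others cannot), so the next reader does not assume the socket is still world-accessible. Also worth stating in the commit message or the role docs that any local client expected to reach the socket (a reverse proxy, a bridge, a bot) must now run as the socket owner or as a member of its group; the diff limited to this file does not show that group membership being managed, and without it the tightened mode turns into a silent connection failure rather than a hardening win.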
