src.nth.io/

author: Luke Hoersten <[email protected]> 2026-04-05 21:19:55 -0500
committer: Luke Hoersten <[email protected]> 2026-04-05 21:19:55 -0500
commit: 06b69bd8def0aae07d3fb565d19193be1a8dfe20 (patch)
tree: 1bf679924a56775f356bc1c378f629264edd1ca8 /ergo
parent: 0b402a7a0a773dfa40e5549235941cd1217617d3 (diff)
Harden role security: file permissions, service binding, no_log, strict defaults
- Add no_log: true to tasks that handle passwords/secrets
- Tighten config file permissions (0644 -> 0600/0640 where appropriate)
- Bind pleroma to 127.0.0.1 instead of 0.0.0.0
- Tighten ergo unix socket mode 0777 -> 0770
- Remove weak defaults; roles now fail explicitly if required vars not set
Diffstat (limited to 'ergo')
-rw-r--r--  ergo/tasks/main.yaml        3
-rw-r--r--  ergo/templates/config.yaml.j2  2
2 files changed, 3 insertions, 2 deletions
diff --git a/ergo/tasks/main.yaml b/ergo/tasks/main.yaml
index 5998713..72f0285 100644
--- a/ergo/tasks/main.yaml
+++ b/ergo/tasks/main.yaml
@@ -43,8 +43,9 @@
dest: "/etc/ergo/config.yaml"
owner: "ergo"
group: "ergo"
- mode: "0644"
+ mode: "0640"
notify: reload ergo
+ no_log: true
- name: copy motd file
become: yes
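Review bot: the `no_log: true` added after `notify: reload ergo` also suppresses the failure output when the template task itself breaks (an undefined variable, a bad Jinja expression), so a broken render will fail with no usable message; consider making it switchable, e.g. `no_log: "{{ ergo_no_log | default(true) }}"`, so it stays on by default but can be turned off for a debugging run. Separately, `mode: "0640"` together with `owner: "ergo"` and `group: "ergo"` only differs from 0600 if some other account is a member of the ergo group; if nothing else needs to read /etc/ergo/config.yaml, 0600 is the tighter choice, and the commit message already lists it as an option.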
diff --git a/ergo/templates/config.yaml.j2 b/ergo/templates/config.yaml.j2
index c2e22a8..edc0bd0 100644
--- a/ergo/templates/config.yaml.j2
+++ b/ergo/templates/config.yaml.j2
@@ -77,7 +77,7 @@ server:
# the default is 0775 or 0755, which prevents other users/groups from connecting
# to the socket. With 0777, it behaves like a normal TCP socket
# where anyone can connect.
- unix-bind-mode: 0777
+ unix-bind-mode: 0770
# configure the behavior of Tor listeners (ignored if you didn't enable any):
tor-listeners:
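Review bot: the comment block directly above the changed line is now stale: it still explains the value as "With 0777, it behaves like a normal TCP socket where anyone can connect", while the value is 0770, which limits connecting to the socket's owner and group (connecting to a unix socket needs write permission on the socket file, so other users now get permission denied). Update the comment to describe 0770, and document which local accounts are expected to be in the ergo group, since any local client or reverse proxy that talks to ergo over the unix socket will need that membership after this change.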