authorLuke Hoersten <[email protected]>2026-04-05 21:19:55 -0500
committerLuke Hoersten <[email protected]>2026-04-05 21:19:55 -0500
commit06b69bd8def0aae07d3fb565d19193be1a8dfe20 (patch)
tree1bf679924a56775f356bc1c378f629264edd1ca8 /miniflux
parent0b402a7a0a773dfa40e5549235941cd1217617d3 (diff)
Harden role security: file permissions, service binding, no_log, strict defaults
- Add no_log: true to tasks that handle passwords/secrets - Tighten config file permissions (0644 -> 0600/0640 where appropriate) - Bind pleroma to 127.0.0.1 instead of 0.0.0.0 - Tighten ergo unix socket mode 0777 -> 0770 - Remove weak defaults; roles now fail explicitly if required vars not set
Diffstat (limited to 'miniflux')
-rw-r--r--miniflux/defaults/main.yaml2
-rw-r--r--miniflux/tasks/main.yaml6
2 files changed, 5 insertions, 3 deletions
diff --git a/miniflux/defaults/main.yaml b/miniflux/defaults/main.yaml
index 5061613..17788ef 100644
--- a/miniflux/defaults/main.yaml
+++ b/miniflux/defaults/main.yaml
@@ -1,7 +1,7 @@
---
miniflux_port: "8555"
-miniflux_admin_pass: "admin"
+# miniflux_admin_pass: — required, set in host_vars
miniflux_arch: "arm64"
# https://github.com/miniflux/miniflux/releases
miniflux_version: "2.2.18"
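Review bot: Commenting out `miniflux_admin_pass` leaves no check in this role that fails early when the variable is missing. The diff adds no assert, and the configure task now runs under `no_log: true`, so if that task is where the variable is consumed, an undefined-variable failure is likely to show up as a censored result rather than a clear message. A first task using `ansible.builtin.assert` with `that: miniflux_admin_pass is defined and miniflux_admin_pass | length > 0` and a `fail_msg` naming the variable would make the failure explicit. The comment could also say where the value belongs, e.g. `# miniflux_admin_pass: required, set in vault-encrypted host_vars`. Hosts provisioned earlier with the old default may still carry that password until it is rotated, which this change does not do.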
diff --git a/miniflux/tasks/main.yaml b/miniflux/tasks/main.yaml
index 2838824..ffa6d0f 100644
--- a/miniflux/tasks/main.yaml
+++ b/miniflux/tasks/main.yaml
@@ -11,7 +11,7 @@
dest: "/usr/local/bin/miniflux"
owner: "root"
group: "root"
- mode: "0755"
+ mode: "0600"
- name: configure miniflux
become: yes
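Review bot: `mode: "0600"` on `/usr/local/bin/miniflux` strips every execute bit, so no account, root included, can execute the file at that path, and the service would fail to start if this is the miniflux binary. The task's name and module sit above the hunk, so that reading is inferred from the `dest` path alone. If the aim is to limit who can run it, `mode: "0755"` keeps it executable, or `mode: "0750"` with `group:` set to the service account's group restricts it.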
@@ -20,8 +20,9 @@
dest: "/etc/miniflux.conf"
owner: "root"
group: "root"
- mode: "0755"
+ mode: "0600"
notify: restart miniflux service
+ no_log: true
- name: install miniflux schema file
become: yes
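Review bot: `/etc/miniflux.conf` at `mode: "0600"` with `owner: "root"` and `group: "root"` is readable by root only, which breaks startup if the systemd unit runs miniflux under a dedicated account. The unit file is not part of this diff, so its `User=` setting needs checking. In that case `mode: "0640"` with `group:` set to the service group still keeps the file away from other local users while letting the daemon read it. Because `no_log: true` also suppresses the template diff and error detail for this task, a one-line comment above it such as `# no_log: rendered config contains credentials` would help whoever debugs a failed run. The task begins above the hunk.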
@@ -37,6 +38,7 @@
become_user: "postgres"
command: "psql -f /tmp/setup_db_miniflux.psql"
changed_when: false
+ no_log: true
- name: install systemd service
become: yes
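Review bot: `no_log: true` hides this task's output, but the SQL file it reads is `/tmp/setup_db_miniflux.psql`, and nothing visible here sets a restrictive mode on it or removes it afterwards. If the file carries the database password, as the added `no_log` suggests, it stays on disk in a shared directory after the run. The task that writes it lies between this hunk and the previous one and is not changed by this commit, so check that it sets `mode: "0600"` and `owner: "postgres"`. A follow-up `ansible.builtin.file` task with `state: absent` on that path would clean it up. The command task itself also starts above the hunk.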