
authorLuke Hoersten <[email protected]>2026-04-05 21:19:55 -0500
committerLuke Hoersten <[email protected]>2026-04-05 21:19:55 -0500
commit06b69bd8def0aae07d3fb565d19193be1a8dfe20 (patch)
tree1bf679924a56775f356bc1c378f629264edd1ca8 /pleroma/otp
parent0b402a7a0a773dfa40e5549235941cd1217617d3 (diff)
Harden role security: file permissions, service binding, no_log, strict defaults
- Add no_log: true to tasks that handle passwords/secrets
- Tighten config file permissions (0644 -> 0600/0640 where appropriate)
- Bind pleroma to 127.0.0.1 instead of 0.0.0.0
- Tighten ergo unix socket mode 0777 -> 0770
- Remove weak defaults; roles now fail explicitly if required vars are not set
Diffstat (limited to 'pleroma/otp')
-rw-r--r--pleroma/otp/tasks/instance.yaml1
-rw-r--r--pleroma/otp/templates/config.exs.j22
2 files changed, 2 insertions, 1 deletions
diff --git a/pleroma/otp/tasks/instance.yaml b/pleroma/otp/tasks/instance.yaml
index 9bb67ac..d8983e4 100644
--- a/pleroma/otp/tasks/instance.yaml
+++ b/pleroma/otp/tasks/instance.yaml
@@ -38,6 +38,7 @@
become_user: "{{pleroma_db_superuser}}"
command: "psql -f /tmp/setup_db_{{pleroma_instance}}.psql"
changed_when: false
+ no_log: true
- include_tasks: soapbox.yaml
when: pleroma_soapbox
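Review bot: The added `no_log: true` keeps secrets out of the play output, but the secret material itself sits in `/tmp/setup_db_{{pleroma_instance}}.psql`, which is written by an earlier task outside this hunk, and nothing in this commit constrains that file's mode or removes it after psql has consumed it; with a default /tmp umask it is likely readable by other local users and persists after the run. The task that templates the file should carry `mode: "0600"` and its own `no_log: true`, and a cleanup task should follow the psql step, e.g. `- file:` / `path: "/tmp/setup_db_{{pleroma_instance}}.psql"` / `state: absent`, placed before the `include_tasks: soapbox.yaml` item. Note that `no_log` also censors psql's failure message, so a broken setup script will surface only as a generic task failure; a short comment above the task, `# no_log: psql stdout/stderr may echo credentials; see journal on failure`, would save the next maintainer some confusion. The task's `- name:` header starts above the hunk, so whether the template step already has these protections cannot be confirmed from here.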
diff --git a/pleroma/otp/templates/config.exs.j2 b/pleroma/otp/templates/config.exs.j2
index 05187cf..0db1828 100644
--- a/pleroma/otp/templates/config.exs.j2
+++ b/pleroma/otp/templates/config.exs.j2
@@ -2,7 +2,7 @@ import Config
config :pleroma, Pleroma.Web.Endpoint,
url: [host: "{{pleroma_link_host}}", scheme: "{{pleroma_link_scheme}}", port: {{pleroma_link_port}}],
- http: [port: {{pleroma_port}}, ip: {0, 0, 0, 0}],
+ http: [port: {{pleroma_port}}, ip: {127, 0, 0, 1}],
secret_key_base: "{{pleroma_secret_key}}",
secure_cookie_flag: true