From 06b69bd8def0aae07d3fb565d19193be1a8dfe20 Mon Sep 17 00:00:00 2001
From: Luke Hoersten
Date: Sun, 5 Apr 2026 21:19:55 -0500
Subject: Harden role security: file permissions, service binding, no_log, strict defaults

- Add no_log: true to tasks that handle passwords/secrets
- Tighten config file permissions (0644 -> 0600/0640 where appropriate)
- Bind pleroma to 127.0.0.1 instead of 0.0.0.0
- Tighten ergo unix socket mode 0777 -> 0770
- Remove weak defaults; roles now fail explicitly if required vars not set
---
 ergo/tasks/main.yaml | 3 ++-
 ergo/templates/config.yaml.j2 | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

(limited to 'ergo')

diff --git a/ergo/tasks/main.yaml b/ergo/tasks/main.yaml
index 5998713..72f0285 100644
--- a/ergo/tasks/main.yaml
+++ b/ergo/tasks/main.yaml
@@ -43,8 +43,9 @@
 dest: "/etc/ergo/config.yaml"
 owner: "ergo"
 group: "ergo"
-mode: "0644"
+mode: "0640"
 notify: reload ergo
+no_log: true
 
 - name: copy motd file
 become: yes
diff --git a/ergo/templates/config.yaml.j2 b/ergo/templates/config.yaml.j2
index c2e22a8..edc0bd0 100644
--- a/ergo/templates/config.yaml.j2
+++ b/ergo/templates/config.yaml.j2
@@ -77,7 +77,7 @@ server:
 # the default is 0775 or 0755, which prevents other users/groups from connecting
 # to the socket. With 0777, it behaves like a normal TCP socket
 # where anyone can connect.
-unix-bind-mode: 0777
+unix-bind-mode: 0770
 
 # configure the behavior of Tor listeners (ignored if you didn't enable any):
 tor-listeners:
--
cgit v1.2.3
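Review bot: The rendered config is still owned by the `ergo` service user (the unchanged `owner: "ergo"` context line), so moving to 0640 stops other local users reading it but leaves the service free to rewrite its own config; if nothing in the role expects ergo to modify /etc/ergo/config.yaml, `owner: "root"` together with `group: "ergo"` and `mode: "0640"` keeps the file readable by the daemon while denying a compromised process persistence through its own configuration. Separately, `no_log: true` on a template task suppresses the diff and changed output for every render, not only secret-bearing ones, which makes drift in non-secret settings hard to diagnose from play output; that trade-off deserves a comment on the task, e.g. `# no_log: the rendered config may carry credentials, so template diffs are hidden`. The task's name and module line sit above the hunk, so whether this template actually embeds secrets cannot be confirmed from here.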
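Review bot: The comment block directly above the changed line still documents 0777 as the chosen value ("With 0777, it behaves like a normal TCP socket where anyone can connect"), so after this change the template's own explanation contradicts the setting; replace that sentence with what 0770 means here, e.g. `# 0770: only the ergo user and members of the ergo group can connect to the unix socket.` The tightening is only safe if every process meant to reach the socket runs as `ergo` or is a member of the `ergo` group (a local gateway or bouncer, for instance); any other client will now be refused, and nothing in this hunk shows which consumers exist. The value remains an unquoted leading-zero literal, so the intended permission depends on the config loader reading it as octal exactly as the previous `0777` did; that is unchanged by the commit but worth remembering if the template is ever consumed by a parser with YAML 1.2 number semantics. The enclosing `server:` mapping begins above the hunk.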