From 06b69bd8def0aae07d3fb565d19193be1a8dfe20 Mon Sep 17 00:00:00 2001
From: Luke Hoersten
Date: Sun, 5 Apr 2026 21:19:55 -0500
Subject: Harden role security: file permissions, service binding, no_log, strict defaults

- Add no_log: true to tasks that handle passwords/secrets
- Tighten config file permissions (0644 -> 0600/0640 where appropriate)
- Bind pleroma to 127.0.0.1 instead of 0.0.0.0
- Tighten ergo unix socket mode 0777 -> 0770
- Remove weak defaults; roles now fail explicitly if required vars not set
---
 miniflux/defaults/main.yaml | 2 +-
 miniflux/tasks/main.yaml    | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)
(limited to 'miniflux')

diff --git a/miniflux/defaults/main.yaml b/miniflux/defaults/main.yaml
index 5061613..17788ef 100644
--- a/miniflux/defaults/main.yaml
+++ b/miniflux/defaults/main.yaml
@@ -1,7 +1,7 @@
 ---
 miniflux_port: "8555"
-miniflux_admin_pass: "admin"
+# miniflux_admin_pass: — required, set in host_vars
 miniflux_arch: "arm64"
 # https://github.com/miniflux/miniflux/releases
 miniflux_version: "2.2.18"
diff --git a/miniflux/tasks/main.yaml b/miniflux/tasks/main.yaml
index 2838824..ffa6d0f 100644
--- a/miniflux/tasks/main.yaml
+++ b/miniflux/tasks/main.yaml
@@ -11,7 +11,7 @@
     dest: "/usr/local/bin/miniflux"
     owner: "root"
     group: "root"
-    mode: "0755"
+    mode: "0600"
 
 - name: configure miniflux
   become: yes
@@ -20,8 +20,9 @@
     dest: "/etc/miniflux.conf"
     owner: "root"
     group: "root"
-    mode: "0755"
+    mode: "0600"
   notify: restart miniflux service
+  no_log: true
 
 - name: install miniflux schema file
   become: yes
@@ -37,6 +38,7 @@
   become_user: "postgres"
   command: "psql -f /tmp/setup_db_miniflux.psql"
   changed_when: false
+  no_log: true
 
 - name: install systemd service
   become: yes
--
cgit v1.2.3
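Review bot: Commenting out `miniflux_admin_pass` in defaults does not make the role "fail explicitly" on its own; the first failure will be an undefined-variable error at whatever task templates it, and because the configure task in this same commit now carries `no_log: true`, Ansible censors that failure message, so the operator sees only "output has been hidden" with no hint that a required variable is missing. Add an explicit check as the first task of the role, which fails with a readable message and never echoes the value: `- name: check required vars`, `ansible.builtin.assert: { that: [miniflux_admin_pass is defined, miniflux_admin_pass | length > 0], fail_msg: "miniflux_admin_pass must be set (e.g. in host_vars, vault-encrypted)" }`. The commented line itself is harmless to the parser, but consider noting "vault-encrypted" in the comment so the value does not end up in plaintext host_vars.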
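Review bot: The `/usr/local/bin/miniflux` binary is changed from `mode: "0755"` to `mode: "0600"`, which strips every execute bit; a file with no x bit cannot be executed by any user, including root, so the systemd service installed later in this file will fail to start. The commit message only claims config files were tightened (0644 -> 0600/0640), so this looks like a stray edit rather than an intended hardening; restore `mode: "0755"` (root-owned, world-readable, no write bit for others is already the right posture for a binary). The enclosing task begins above this hunk.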
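Review bot: `/etc/miniflux.conf` is now root-owned with `mode: "0600"`, which is only correct if the service runs as root; if the systemd unit (outside this hunk) runs miniflux under a dedicated user, that user can no longer read its own config and the service fails after the handler restarts it. The usual fix is to keep root ownership but grant the service group read access, `group: "miniflux"` and `mode: "0640"`, so the secrets in the file stay unreadable to other users while the daemon still starts. Also note that `no_log: true` on this task censors template failures as well as diffs, so a bad template or missing variable will surface only as a hidden-output error; that is acceptable for a file carrying credentials, but worth a short comment, e.g. `# no_log: conf contains DB/admin credentials; failures are censored too`. The task begins above this hunk.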
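Review bot: Adding `no_log: true` to the psql task hides its output, but the sensitive material is in `/tmp/setup_db_miniflux.psql`, which the command reads from a world-readable directory and which this hunk never removes; if that schema file embeds the database password (it is templated in the task above, outside this hunk), its on-disk mode and lifetime matter more than log censoring. Ensure the template task writes it with `mode: "0600"` owned by postgres, and delete it once psql has run, e.g. `- name: remove schema file`, `ansible.builtin.file: { path: /tmp/setup_db_miniflux.psql, state: absent }`. Presumably `no_log` is kept here because a failing statement could be echoed by psql; if so, a comment saying that would help the next reader, since the command line itself contains nothing secret.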