From 06b69bd8def0aae07d3fb565d19193be1a8dfe20 Mon Sep 17 00:00:00 2001
From: Luke Hoersten <luke@hoersten.org>
Date: Sun, 5 Apr 2026 21:19:55 -0500
Subject: Harden role security: file permissions, service binding, no_log,
 strict defaults

- Add no_log: true to tasks that handle passwords/secrets
- Tighten config file permissions (0644 -> 0600/0640 where appropriate)
- Bind pleroma to 127.0.0.1 instead of 0.0.0.0
- Tighten ergo unix socket mode 0777 -> 0770
- Remove weak defaults; roles now fail explicitly if required vars not set
---
 rpi-base/tasks/main.yaml | 1 +
 1 file changed, 1 insertion(+)

(limited to 'rpi-base')

diff --git a/rpi-base/tasks/main.yaml b/rpi-base/tasks/main.yaml
index c2701bf..9be6aad 100644
--- a/rpi-base/tasks/main.yaml
+++ b/rpi-base/tasks/main.yaml
@@ -69,6 +69,7 @@
     groups: "sudo,users"
     shell: "/bin/bash"
     append: yes
+  no_log: true
 
 - name: authorize ssh keys
   become: yes
-- 
cgit v1.2.3