Haitao Pan
f92eb3cfb7
chasquid role: enhance mail server configuration
- Install dovecot packages (dovecot-core, dovecot-imapd) alongside chasquid
- Create support user with secure home directory and nologin shell
- Add chasquid user to mail group for proper permissions
- Set cap_net_bind_service capability on chasquid binary
- Disable socket-based activation services (socket, smtp, submission, submission_tls)
- Disable IPv6 system-wide via sysctl
- Add custom systemd service template with security hardening:
  * Standalone mode (Type=simple)
  * CAP_NET_BIND_SERVICE for port binding
  * ProtectSystem, ProtectHome, PrivateTmp, NoNewPrivileges
  * Automatic restart on failure
- Convert systemd service to Jinja2 template for variable support
- Add email test configuration variables (domain, SMTP settings, test recipients)
- Add swaks email test task with variable-based configuration
- Create reboot handler for IPv6 changes
- Add reload systemd daemon handler
Security:
- Binary capabilities instead of running as root
- Comprehensive systemd security features
- NoNewPrivileges to prevent escalation
- Private temporary directory
Testing:
- Automated swaks email sending test
- Display DNS records with DKIM key information
- Configurable email credentials via variables
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-10 20:49:22 +08:00
Haitao Pan
136b205e01
firewall role: add UFW mail server firewall configuration
- Add comprehensive UFW firewall rules for mail server
- Opens essential ports: SSH (22), HTTPS (443), HTTP (80)
- Opens mail ports: SMTP (25), Submission (587), SMTPS (465), IMAPS (993)
- Blocks plaintext ports: POP3 (110), IMAP (143), POP3S (995)
- Allows LMTP (24) from private networks only
- Provides verification output with visual status display
- Default deny all incoming, allow all outgoing
- Security warnings included in output
Features:
- Idempotent UFW configuration
- Configurable via variables
- Clean visual output of all rules
- SSH added first to prevent lockout
- Documentation in defaults/main.yml
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-10 20:48:31 +08:00
Haitao Pan
be98544f02
add playbooks/deploy_nginx_vhosts.yml
2025-10-20 16:32:32 +08:00
shenlan
8994af8ce5
Merge pull request #90 from svc-design/codex/fix-undefined-variable-dl_business_host
Set default dl business host for blackbox exporter role
2025-10-03 19:27:37 +08:00
shenlan
d3306d36a1
Set default dl business host for blackbox exporter
2025-10-03 18:51:43 +08:00
Haitao Pan
4f40252883
blackbox_exporters: add login/logout/register paths to vhosts
2025-10-03 18:44:08 +08:00
shenlan
6d44d5a150
Merge pull request #89 from svc-design/codex/fix-blackbox_exporter-installation-error
Fix blackbox exporter install from remote archive
2025-09-29 21:09:11 +08:00
shenlan
ef6f602882
Fix blackbox exporter install from remote archive
2025-09-29 20:59:41 +08:00
Haitao Pan
648d0cb418
chore(blackbox_exporter): bump default version to 0.27.0
2025-09-29 20:51:27 +08:00
Haitao Pan
ea580c7a7d
playbooks: update exporters vhosts and add monitor server
- deploy_exporters_vhosts.yml: refined configuration and variables
- deploy_monitor_server.yml: introduce new playbook for openobserve + Grafana
2025-09-29 12:54:09 +08:00
shenlan
c11c7b660b
Merge pull request #88 from svc-design/codex/update-blackbox_exporter-download-url
Update blackbox exporter download URL
2025-09-29 12:48:41 +08:00
shenlan
9c6839cf8b
Update blackbox exporter download source
2025-09-29 12:48:19 +08:00
shenlan
13d44d76c0
Merge pull request #87 from svc-design/codex/fix-undefined-variable-blackbox_archive_name
Fix blackbox exporter archive facts handling
2025-09-29 11:33:36 +08:00
shenlan
5f13b01adf
Fix blackbox exporter archive variables
2025-09-29 11:21:47 +08:00
Haitao Pan
a9761485ce
refactor(blackbox): move exporter defaults into role and simplify vhost playbook vars
2025-09-29 11:06:21 +08:00
Haitao Pan
16f1e5a147
roles/vhosts/common: removed default apt repo config
2025-09-29 10:31:26 +08:00
Haitao Pan
11c2ff2528
update playbooks/deploy_blackbox_exporters_vhosts.yml
2025-09-29 10:31:26 +08:00
shenlan
a1d54e7105
Merge pull request #86 from svc-design/codex/consolidate-node.js-installation-script
Add Node.js vhost role for macOS and Ubuntu
2025-09-24 13:33:16 +08:00
shenlan
2771f775e7
Expose Node.js version in Ubuntu role messaging
2025-09-24 13:33:06 +08:00
shenlan
67ea6a03b5
Merge pull request #85 from svc-design/codex/fix-conflicting-values-in-apt-deps
feat: manage postgres apt keyring via common role
2025-09-24 13:29:56 +08:00
shenlan
d863fb6926
feat: manage postgres apt keyring via common role
2025-09-24 13:17:43 +08:00
shenlan
7bdbdd51f8
Merge pull request #84 from svc-design/codex/fix-postgresql-apt-repository-configuration
Configure PostgreSQL repo via common role
2025-09-23 23:05:08 +08:00
shenlan
5b084478d2
Configure PostgreSQL repo via common role
2025-09-23 23:02:30 +08:00
shenlan
235e4c251d
Merge pull request #83 from svc-design/codex/fix-syntax-error-in-main.yml
Fix blackbox_exporter handler syntax
2025-09-23 11:31:29 +08:00
shenlan
b62efb9e86
Fix blackbox_exporter handler syntax
2025-09-23 11:30:55 +08:00
shenlan
6e6dbf40d6
Merge pull request #82 from svc-design/codex/fix-undefined-variable-in-blackbox_exporter-task
Fix blackbox archive fact computation
2025-09-23 11:03:09 +08:00
shenlan
c7ba57a92e
Fix blackbox archive fact computation
2025-09-23 11:02:53 +08:00
shenlan
8652444e49
Merge pull request #81 from svc-design/codex/fix-invalid-task-attribute-in-playbook
Fix blackbox exporter role handlers
2025-09-23 10:42:04 +08:00
shenlan
5c85e90a20
Fix blackbox exporter role handlers
2025-09-23 10:39:47 +08:00
shenlan
59056867ba
Merge pull request #80 from svc-design/codex/create-playbook-for-blackbox_exporter
feat: add blackbox exporter vhost role
2025-09-21 11:41:42 +08:00
shenlan
c5e3f1c6f5
Merge pull request #79 from svc-design/codex/template-variable-for-authorization-header
Refine otel collector configuration variables
2025-09-21 11:41:26 +08:00
shenlan
155be33363
chore: refine blackbox exporter tasks
2025-09-21 11:41:03 +08:00
shenlan
c49f097bca
Refine otel collector configuration variables
2025-09-21 11:40:16 +08:00
Haitao Pan
13523991e2
ansible(cfg): update defaults to modern baseline (yaml callback, cache, interpreter)
2025-09-20 22:41:27 +08:00
Haitao Pan
05edabae88
ansible(vhosts/common): add OpenResty meta, update common defaults, remove legacy install script
2025-09-20 22:23:37 +08:00
Haitao Pan
3b43bce14c
playbooks: add deploy_postgre_vhosts & deploy_redis_vhosts
2025-09-20 14:01:07 +08:00
Haitao Pan
175844176b
add scripts/rewrite-cover-history.sh
2025-09-20 07:16:20 +08:00
shenlan
fcffcfce4d
Merge pull request #78 from svc-design/codex/template-sensitive-tokens-in-yaml-files
Template sensitive tokens for xcontrol server
2025-09-20 06:51:39 +08:00
shenlan
f3d6663ce6
Template sensitive tokens for xcontrol server
2025-09-20 06:50:09 +08:00
shenlan
5b2343cda8
Merge pull request #77 from svc-design/codex/add-deployment-configuration-for-xcontrol-server
Add XControl server playbook and role
2025-09-19 22:13:15 +08:00
shenlan
18b43d4329
Add XControl server playbook and role
2025-09-19 22:12:48 +08:00
shenlan
099c2e0fdb
Merge pull request #76 from svc-design/codex/update-postgres-playbooks-for-ubuntu-22.04+
Add PostgreSQL vhost role for Ubuntu 22.04+
2025-09-19 22:00:12 +08:00
shenlan
e87181aa49
Add PostgreSQL vhost role for Ubuntu 22.04+
2025-09-19 21:42:02 +08:00
shenlan
f446676a4b
Merge pull request #75 from svc-design/codex/fix-undefined-variable-error-in-ansible
Add OpenResty vhost defaults
2025-09-19 20:59:35 +08:00
shenlan
5c92be00be
Add OpenResty vhost defaults
2025-09-19 20:59:05 +08:00
Haitao Pan
af165aec8d
OpenResty: remove meta/main.yml
2025-09-19 20:54:28 +08:00
shenlan
cce03cd597
Merge pull request #74 from svc-design/codex/fix-ansible-template-error-for-openresty
Fix autoindex template logic
2025-09-19 20:50:25 +08:00
shenlan
d550f9b8fa
Fix autoindex template logic
2025-09-19 20:49:51 +08:00
shenlan
e2e5f2f4b0
Merge pull request #73 from svc-design/codex/update-openresty-configuration-files
Add static homepage OpenResty vhost
2025-09-19 20:41:04 +08:00
shenlan
66cacf91d1
Add static homepage OpenResty vhost
2025-09-19 20:40:51 +08:00