760cffa3cc
Merge branch 'master' into feature/server-hardening
2026-05-01 03:08:27 +00:00
70bcc797c0
chore: update compose submodule to traefik logging branch
2026-05-01 03:08:21 +00:00
ab78469a29
chore: update compose submodule for traefik logging
2026-05-01 03:06:21 +00:00
ceaf470f8a
fix: add custom traefik fail2ban filters for http-auth and http-botsearch jails
2026-05-01 03:03:08 +00:00
25404466bb
docs: add merge priority order with security hardening as #1 priority
- Updated roadmap phase status (Phase 4 complete)
- Added merge priority table with PR #28 (security) at top
- Documented that security must merge before new services exposed
- Added deployment command reference
2026-04-30 18:37:04 +00:00
ed7852ac08
security: remove deployment commands from ai-worker sudo rules
ai-worker only needs security audit commands, not deployment access.
Removed:
- nh os switch
- nixos-rebuild switch
Kept:
- Firewall checks (iptables)
- Fail2ban status
- Log inspection (journalctl)
- SSH config (sshd -T)
- Docker service checks
- Network diagnostics
2026-04-30 17:36:13 +00:00
b5b0d4c2d1
security: add restricted sudo for ai-worker with security audit commands
- Deployment: nh os switch, nixos-rebuild switch (flake path locked)
- Firewall checks: iptables -L, iptables -S
- Fail2ban: status, banned IPs
- Logs: journalctl for kernel and fail2ban
- SSH config: sshd -T for verification
- Docker: ps, inspect (service health)
- Network: ss -tlnp, /proc/net/tcp
All commands are whitelisted with NOPASSWD.
No shell access, no ALL command - principle of least privilege.
2026-04-30 17:33:05 +00:00
157d84e508
security: harden lazyworkhorse with firewall, fail2ban, SSH hardening
- Firewall (default deny):
  - Allow only essential ports: SSH(2424), Gitea(2222), HTTP(80), HTTPS(443)
  - Rate limit SSH (max 4 new connections/60s)
  - Rate limit HTTP/HTTPS (25/minute)
  - Drop invalid packets, log dropped packets
- Fail2ban (auto-ban attackers):
  - SSH jail: 3 strikes = 1 hour ban
  - HTTP auth failures: 5 strikes = 1 hour ban
  - HTTP scanning: 2 strikes = 2 hour ban
  - Recidive jail: repeat offenders = 1 week ban
- SSH hardening:
  - No root login
  - Max 3 auth tries, 5 sessions
  - 30s login grace time
  - No X11/TCP/agent forwarding
  - Verbose logging
- Kernel network hardening:
  - SYN flood protection (syncookies)
  - IP spoofing protection (rp_filter)
  - Disable source routing, redirects
  - Log martian packets
  - Connection tuning for high load
- Audit logging enabled
Ports commented for review (likely internal-only):
- 8000 (Portainer), 4242 (Coms), 5000/8087/8089 (TAK)
2026-04-30 17:10:16 +00:00
30f8ca3863
Add AI model optimizer cron job draft and initial state files
2026-04-28 17:19:45 +00:00