Commit Graph

  • c6b0f7d418 Merge pull request 'feat(copyparty): add file-server deployment with SFTP/FTPS + security-notices updater' (#5) from claude/agitated-bose-f427e5 into main main 57_Wolve 2026-06-29 20:57:39 +00:00
  • c00ca055f2 feat(copyparty): add file-server deployment with SFTP/FTPS + security-notices updater 57_Wolve 2026-06-29 15:56:24 -05:00
  • cd402ba79e Merge pull request 'feat(squid): add SSL-bump caching forward-proxy deployment' (#4) from feat/squid-proxy into main 57_Wolve 2026-06-22 21:33:34 +00:00
  • e7ba68790b Done — the Squid deployment is fully built, wired in, and statically verified on the feat/squid-proxy branch. 57_Wolve 2026-06-22 16:32:25 -05:00

    ## What landed

    deployments/squid/ (13 files) plus wiring into [automations.sh](automations.sh:51), [README.md](README.md), and [.gitignore](.gitignore). All six approved design decisions are implemented:

    - **Self-built minimal Alpine image** — apk add squid (ssl-bump compiled in), openssl/tini. [entrypoint.sh](deployments/squid/entrypoint.sh) renders squid.conf and generates the cache policy from the lists at start.
    - **SSL-bump** peek→splice→bump with [splice-domains.txt](deployments/squid/splice-domains.txt) passthrough.
    - **Wildcard hostname caching** — leading-dot [cache-domains.txt](deployments/squid/cache-domains.txt) + optional regex; CACHE_ONLY_LISTED boost/allowlist toggle.
    - **HTML/dynamic storage gate**, with query strings exempt on boosted domains.
    - **CA lifecycle** — generated on first deploy via the built image, key 0600 on the host, staged to tmpfs for the container, never embedded, git-ignored.
    - **Deny-by-default http_access + BIND_ADDR pinning** as the real access gate (Docker bypasses INPUT).

    ## One bug caught & fixed

    The test of the entrypoint's policy generation showed it emitting ubuntu.com with an **unescaped dot** — the s/\./\\./g double-backslash is sed-implementation-dependent and silently failed. Switched to a [.] character class (ubuntu[.]com), portable across busybox/git-bash, re-embedded, re-audited.

    ## Verified vs. pending

    **Verified locally:** bash -n on all scripts, LF endings, launcher parses, embedded archive byte-matches the loose files, and the cache-policy generation produces correct Squid directives in both modes.

    **Pending a Docker host** (this Windows box has none, as the plan anticipated): the container functional smoke test — build, CA mint, a bumped HTTPS fetch, a TCP_HIT, and a splice check. A few version-sensitive specifics get confirmed there: tls-cert=/tls-key= option names, the security_file_certgen path, busybox install -o/-g, ssl::server_name subdomain matching, and the squid -z flag. (All isolated and easy to adjust if any differ.)

    ## Commit (for you to GPG-sign)

    Staged and ready. Per your convention I haven't committed — here's the message:

    ```
    feat(squid): add SSL-bump caching forward-proxy deployment

    New deployments/squid/: an explicit forward proxy with SSL-bump TLS interception (local CA, generated on first deploy) and hostname-targeted static-content caching. Unlike the other stacks it is a forward proxy, not a Caddy/Let's-Encrypt inbound site.

    - Self-built minimal Alpine image (apk squid ships ssl-bump); entrypoint renders squid.conf and generates the cache policy from the domain lists.
    - Wildcard hostname caching (cache-domains.txt leading-dot + optional cache-domains.regex); boost vs strict-allowlist toggle (CACHE_ONLY_LISTED).
    - Storage gate never caches HTML or dynamic content; query strings exempt on boosted domains so versioned static assets still cache.
    - splice-domains.txt passthrough for pinned/banking domains.
    - Deny-by-default http_access (TRUSTED_CIDR) + BIND_ADDR pinning; CA key 0600 on host, never embedded, git-ignored.
    - Wired into automations.sh, README, .gitignore; cloud-init for fresh VMs.

    Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
    ```

    ```bash
    git commit -S -F- <<'EOF'
    <paste message above>
    EOF
    ```

    Want me to **push feat/squid-proxy** once you've committed (you'd open the PR in Gitea), or hold? And if you can point me at a Docker host (or run docker compose build in `/srv/squid` after a test deploy), I'll drive the functional smoke test and fix anything the live Squid version flags.
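    The escaping bug described in the commit above is worth seeing concretely. The following is an added example, not the repository's entrypoint.sh: it turns domain-list entries into extended-regex patterns using a `[.]` character class (portable across GNU, busybox and git-bash sed, unlike a backslash produced by `s/\./\\./g`), treats a leading dot as "this host and its subdomains", and checks the generated patterns against sample hostnames. The `dstdom_regex` ACL line, the ACL name `cache_domains`, the pattern shape and the sample list are all assumptions made for the example, not the project's actual output format.

    ```shell
    #!/bin/sh
    # Added example, not the repository's own entrypoint.sh.
    # Dots in a domain name must be literal in a regex. Emitting a backslash via
    # 's/\./\\./g' is sed-implementation-dependent; a [.] class is not.

    # Turn one domain-list entry into an extended-regex pattern.
    # ".example.com" -> example.com plus any subdomain; "example.com" -> only itself.
    # The anchored pattern shape is an assumption for this example.
    domain_to_regex() {
        _d="$1"
        case "$_d" in
            .*) _body=$(printf '%s' "${_d#.}" | sed 's/\./[.]/g')
                printf '(^|[.])%s$\n' "$_body" ;;
            *)  _body=$(printf '%s' "$_d" | sed 's/\./[.]/g')
                printf '^%s$\n' "$_body" ;;
        esac
    }

    # Does hostname $2 match the pattern generated for list entry $1? Prints 1 or 0.
    matches() {
        _re=$(domain_to_regex "$1")
        if printf '%s\n' "$2" | grep -Eq "$_re"; then echo 1; else echo 0; fi
    }

    # Render a whole list (comments and blank lines dropped) into one ACL line per
    # entry. Squid's dstdom_regex ACL type is real; the name "cache_domains" and the
    # one-line-per-entry layout are assumptions for this example.
    render_acl() {
        printf '%s\n' "$1" | sed 's/#.*//; /^[[:space:]]*$/d' | while read -r _entry; do
            printf 'acl cache_domains dstdom_regex %s\n' "$(domain_to_regex "$_entry")"
        done
    }

    # Constructed sample cache-domains.txt content (not from the repository).
    SAMPLE_LIST='# mirrors we want boosted
    .ubuntu.com
    dl.fedoraproject.org
    '

    if [ "${1:-}" = "demo" ]; then
        render_acl "$SAMPLE_LIST"
        # The unescaped-dot failure mode: ubuntu.com would also match "ubuntuxcom".
        printf 'ubuntuxcom matches escaped pattern: %s\n' "$(matches ubuntu.com ubuntuxcom)"
    fi
    ```

    Run it with `sh example.sh demo` to print the rendered ACL lines. The `matches` helper is the check the commit describes as having caught the bug: with the dot escaped, `ubuntuxcom` must not match, and with the leading-dot form `archive.ubuntu.com` must.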
  • 70d3019a1c feat(kanrisha): add two-phase deployment scaffold (host prep + ScoutFS) feat/kanrisha-deployment 57_Wolve 2026-06-14 20:35:37 -05:00
  • 8555f7cbe4 Merge pull request 'feat(firewall): drive firewalld on Alma/RHEL with full CLI parity' (#3) from fix/alma-harden-resilience into main 57_Wolve 2026-06-14 22:42:55 +00:00
  • fe25f35305 feat(firewall): drive firewalld on Alma/RHEL with full CLI parity 57_Wolve 2026-06-14 17:16:24 -05:00
  • 4b02cac919 Merge pull request 'fix(oslib): install_openssh must not report failure on non-Alpine' (#2) from fix/alma-harden-resilience into main 57_Wolve 2026-06-14 22:00:53 +00:00
  • c3e2e9c52b fix(oslib): install_openssh must not report failure on non-Alpine 57_Wolve 2026-06-14 16:59:39 -05:00
  • a844037cb0 Merge pull request 'fix(launcher): install git across all distros in the curl-pipe bootstrap' (#1) from fix/alma-harden-resilience into main 57_Wolve 2026-06-14 21:54:47 +00:00
  • 60433e4c8d fix(harden): keep hardening and the ntfy notifier alive when sshguard can't install 57_Wolve 2026-06-14 16:53:39 -05:00
  • 3c02574dd0 fix(launcher): install git across all distros in the curl-pipe bootstrap 57_Wolve 2026-06-14 16:53:39 -05:00
  • 7e6c1ce7d1 Update globals/authorized_keys 57_Wolve 2026-06-14 21:07:45 +00:00
  • 13535da3d8 fix(base): drop dead AUTO_UPDATE knob from base.yml 57_Wolve 2026-06-12 17:23:55 -05:00
  • e23557b4fb feat(firewall): add deny-by-default host firewall (harden-firewall.sh) 57_Wolve 2026-06-12 17:06:25 -05:00
  • 73cf299417 feat(headscale): allow-all default ACL with lockdown template 57_Wolve 2026-06-12 16:32:41 -05:00
  • 6a3fc68b75 fix(headscale): valid default ACL + document /admin gating 57_Wolve 2026-06-12 16:17:26 -05:00
  • 1ca79938cd feat(headscale): add headplane web UI at /admin 57_Wolve 2026-06-12 16:15:34 -05:00
  • 573785f2cc feat(headscale): add file-based ACL policy 57_Wolve 2026-06-12 16:04:24 -05:00
  • 25f20037e9 feat(headscale): pin OIDC PKCE to S256 explicitly 57_Wolve 2026-06-12 15:55:06 -05:00
  • 74b34550bc feat(headscale): install host headscale CLI wrapper 57_Wolve 2026-06-12 15:52:35 -05:00
  • ecad11c416 feat(headscale): print OIDC callback URL after deploy 57_Wolve 2026-06-12 15:51:11 -05:00
  • c5f5be6f3f docs: add "About this repo" intro to README 57_Wolve 2026-06-12 15:27:50 -05:00
  • 8fbeb8f6b0 feat: unified launcher, multi-OS hardening, login alerts & auto-updates 57_Wolve 2026-06-12 15:24:30 -05:00
  • 7faa9098de feat: unified launcher, multi-OS hardening, login alerts & auto-updates 57_Wolve 2026-06-12 14:56:02 -05:00
  • 85eeb79971 Update scripts/harden-ssh.sh 57_Wolve 2026-06-12 18:16:27 +00:00
  • 991758de4b Update deployments/pocket-id/deploy.sh 57_Wolve 2026-05-04 17:30:22 +00:00
  • d0977bcbe8 Upload files to "deployments/pocket-id" 57_Wolve 2026-05-04 17:15:05 +00:00
  • aef47c835a Upload files to "scripts" 57_Wolve 2026-05-04 17:14:17 +00:00