- Update terraform main.tf and variables.tf for infrastructure changes
- Modify stackscripts/essentials.sh provisioning
- Adjust setup script for deployment workflow
Note: Includes various infrastructure hardening and configuration updates
- Change default ALERTMANAGER_EMAIL_TO from admin@localhost to domain-based
- Use alerts@auth.jfraeys.com as default (configurable via env/vault)
- Remove hardcoded localhost email reference
Fixes: Alert delivery to proper domain email instead of localhost
- Enable SMTP with GF_SMTP_ENABLED: true
- Configure internal Postfix relay (postfix:25)
- Set FROM address to grafana@grafana.jfraeys.com
- Disable TLS verification for internal relay (GF_SMTP_SKIP_VERIFY)
- Clear username/password for unauthenticated internal relay
Note: Grafana role currently commented out in playbook (1GB node constraint)
- Add Python script to extract certificates from Traefik acme.json
- Mount extracted certs to /etc/ssl in container for TLS support
- Enable smtpd_tls_security_level: may for incoming STARTTLS
- Remove failed_when: false on cert extraction to catch failures early
- Fix relayhost username to default to password (Postmark server token auth)
- Change default Postmark port from 2525 to 587 (blocked on some networks)
- Create SSL directory before extraction
Fixes: SMTP authentication failures and enables TLS for Authelia password reset
- Change setup.sh references to setup for consistency
- Update Overview examples to show active services (git, auth, app)
- Add note to Grafana section about DNS being commented out
- All changes now accurately reflect current infrastructure state
- Comment out grafana_services_a, grafana_services_aaaa DNS records
- Comment out prometheus_services_a, prometheus_services_aaaa DNS records
- Keep app_services_a, app_services_aaaa active (user will use app)
- Update README DNS section to show app as active, grafana/prometheus commented out
- Update Role layout to reflect app is active
- Update Alerting section to show IMPLEMENTED status
- Add Postfix/Postmark email to Runtime platform list
- Update Forgejo description to mention AI scrapers blocklist
- Add Email variables section with Postmark configuration
- Update section title to include email implementation
- Add Email section with Postfix/Postmark configuration
- Document DNS records (DKIM, return-path, DMARC) for email
- Update Forgejo section with AI scrapers blocklist and OIDC details
- Update Role layout to include Postfix and Traefik file provider notes
- Add Notes about Traefik Docker API workaround and Postfix port 2525
- Add DKIM, return-path (CNAME), and DMARC DNS records to Terraform
- Add example variables for Postmark integration to vault.example.yml
- Update .gitignore patterns
- Add AI scrapers robots.txt update script with weekly cron job
- Add OIDC group claim and admin group configuration for Authelia
- Add UI settings (SHOW_USER_EMAIL: false)
- Increase memory limit to 512M
- Change default relay port from 587 to 2525 (Postmark)
- Add Docker provider environment variables for API version compatibility
- Configure for Postmark server token authentication
- Add vault vars include with traefik tag for CF_DNS_API_TOKEN availability
- Add Docker provider socket and API version to home compose
- Add Forgejo router to file provider as fallback (Docker provider broken due to API version mismatch)
- Fixes 404 errors on git.jfraeys.com when Docker provider fails
- Delete playbooks/app.yml (replaced by deploy-app.yml)
- Delete playbooks/test_config.yml (moved to playbooks/tests/)
- Delete setup.sh (renamed to setup)
- Update deploy.yml with improved deployment orchestration
- Update services.yml to include new infrastructure roles
- Add deploy-app.yml playbook for application-specific deployments
- Add web.yml playbook for web infrastructure management
- Restructure tests/test_config.yml for better organization
- Update inventory/group_vars/all.yml with new hostnames and settings
- Systemd service and timer for deployment orchestration
- Webhook listener for Git-triggered deployments
- Forgejo Actions workflow for CI/CD pipeline
- Deployment scripts with rollback capability
- Deploy token validation for security
- Add Redis cache support to Forgejo for improved performance
- Add AI scrapers blocking with update script and robots.txt
- Update Forgejo runner tasks with improved caching support
- Add OIDC authentication configuration tasks
- Add firewall role for UFW/iptables management
- Add fail2ban role for intrusion prevention with Docker-aware jails
- Add postfix role for mail relay capabilities
- Add backups role for automated infrastructure backups
- systemd timer for scheduled backups
- Backup scripts for Docker volumes and configurations
- Update README.md with current architecture documentation
- Add INFRA_GAP_ANALYSIS.md for tracking infrastructure improvements
- Add .python-version for pyenv version management
- Rename setup.sh to setup (drop extension for cleaner CLI)
- Update ansible.cfg for improved playbook execution
- Update .env.example with current environment variables
- Add --scope {user,org,repo} (default user) to upsert Actions secrets
- Keep repo support and add --org for org scope
- Include security caveat in CLI help and warning output
- Persist runner registration state by setting container working_dir to /data
- Add post-register assertion that /opt/forgejo-runner/data/.runner exists
- Add --help and ansible-only/no-terraform modes
- Add basic prereq checks and clearer error messages
- Update README with new setup options and python requirements for helper scripts
- Add infra_controller role to provision a dedicated user
- Install register/deregister forced-command authorized_keys entries
- Read SSH public keys from vault/env and restrict access by source IP
- Document required register/deregister SSH keys for controller workflows
- Update vault.example.yml with FORGEJO_API_TOKEN and SSH public key placeholders
- Add app_ssh_access role to install forced-command keys for infra-register-stdin and infra-deregister
- Ensure required infra-controller runtime directories exist on services host
- Add helper script to generate/register both Actions SSH secrets and update vault public keys