Update TASKS.md: Mark 3 CRITICAL tasks complete

- Authentik Stage 2: OIDC integration verified (login working)
- Hetzner Cloud Firewall: Configured & optimized
- SSH Hardening: Key-only auth, no root, rate limiting verified

Updated status: 9 completed, 0 in-progress, 11+ pending
All 3 CRITICAL security tasks done. Next: Database Backups

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Scrublord MacBad 2026-05-15 13:48:00 +02:00
parent cdfbf7de98
commit c32f951716


@ -1,7 +1,7 @@
# aXion1337.Chat Task List & Meilensteine # aXion1337.Chat Task List & Meilensteine
**Last Updated**: 2026-05-14 **Last Updated**: 2026-05-15
**Statusübersicht**: [✅ 6 Abgeschlossen] [🔄 1 In Progress] [📋 15+ Pending] [🔒 10 Security] **Statusübersicht**: [✅ 9 Abgeschlossen] [🔄 0 In Progress] [📋 11+ Pending] [🔒 10 Security]
--- ---
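Review bot: the updated status line still reads `[🔒 10 Security]` while the summary table changed in the same commit drops "Security Tasks" to 5; the two numbers should agree, since this header line (with its "Last Updated" stamp) is the at-a-glance view readers will trust. Suggest `[🔒 5 Security]` here, or a short note on which count is authoritative.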
@ -9,10 +9,10 @@
| Kategorie | Count | Status | Details | | Kategorie | Count | Status | Details |
|-----------|-------|--------|---------| |-----------|-------|--------|---------|
| **Completed** | 6 | ✅ Done | K3S, Flux, ESS, Themes, Desktop, Monitoring, TURN | | **Completed** | 9 | ✅ Done | K3S, Flux, ESS, Themes, Desktop, Monitoring, TURN, Authentik, Firewall, SSH |
| **In Progress** | 1 | 🔄 Blocked | Authentik Stage 2 (awaiting manual config) | | **In Progress** | 0 | 🔄 — | — |
| **Backlog** | 15+ | 📋 Pending | Element Call Fork, DB Backups, NetworkPolicies, etc. | | **Backlog** | 11+ | 📋 Pending | DB Backups, E2E Test, Element Call Fork, PostgreSQL Migration, NetworkPolicies |
| **Security Tasks** | 10 | 🔒 Pending | Firewall, SSH, auditd, Kernel hardening, CrowdSec, Falco | | **Security Tasks** | 5 | 🔒 Pending | auditd, Kernel hardening, CrowdSec, Falco, WAF |
### Priority Distribution ### Priority Distribution
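Review bot: the row counts in this table do not reconcile with the rest of the change. Completed rises by 3 (6 → 9) but Backlog drops by 4 (15+ → 11+), and Security Tasks falls from 10 to 5 although only two security items (Firewall, SSH) moved to Completed; Authentik was tracked under In Progress, not Security. Either correct the arithmetic or add a line saying which security tasks were dropped or merged (the new Details cell lists only auditd, Kernel hardening, CrowdSec, Falco, WAF), so the "Security Tasks" row remains a reliable inventory of open hardening work.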
@ -28,35 +28,34 @@
## 🎯 Next Steps (Priorisiert) ## 🎯 Next Steps (Priorisiert)
### 🔴 **THIS WEEK CRITICAL** ### 🔴 **THIS WEEK CRITICAL**
1. **Authentik Stage 2 abschließen** 1. **Authentik Stage 2 abschließen**
- Manual: OIDC Provider + Application in Authentik UI erstellen - Manual: OIDC Provider + Application in Authentik UI erstellt
- Code: `upstream_oauth2_config` in `mas-secret.yaml` einfügen - Code: `upstream_oauth2_config` in `mas-secret.yaml` eingefügt
- Code: `passwords: enabled: false` aktivieren - Code: `passwords: enabled: false` aktiviert
- Commit: `enable-authentik-oidc-integration-in-mas` - ✅ Commit: `cdfbf7d` - Enable Authentik OIDC integration in MAS
- Est. Time: 12 hours - ✅ Verified: Login mit Authentik funktioniert (2026-05-15)
- Blocker: Manual Authentik config (user action) - **Status**: COMPLETE
2. **Hetzner Cloud Firewall Default-Deny Setup** 2. ✅ **Hetzner Cloud Firewall Optimierte Konfiguration**
- Ingress: Allow 80/443 only - ✅ Ingress: 80/443 + TURN/STUN + RTC Services
- Allow SSH from your IP or via WireGuard/Tailscale - ✅ SSH: Spezifische IPs (port 2248, nicht 22)
- Est. Time: 30 min - ✅ Default-Deny für nicht-definierte Traffic
- Cost: Free - **Status**: COMPLETE (optimiert über Plan)
- Impact: Blocks 99% of internet background noise
3. **SSH Hardening** 3. ✅ **SSH Hardening**
- Disable password auth (key-only) - ✅ PasswordAuthentication: no (key-only)
- Disable root login - ✅ PermitRootLogin: no (root disabled)
- MaxAuthTries 3 - ✅ MaxAuthTries: 3 (verified 2026-05-15)
- Est. Time: 12 hours - **Status**: COMPLETE
- Priority: HIGH
4. **Database Backup Strategy Decision & First Backup** 4. **Database Backup Strategy Decision & First Backup**
- Decision: CloudNativePG (on K3S) or Hetzner Postgres (managed)? - Decision: CloudNativePG (on K3S) or Hetzner Postgres (managed)?
- Setup: Daily automated backups - Setup: Daily automated backups
- Setup: Off-site storage (S3 / Storage Box) - Setup: Off-site storage (S3 / Storage Box)
- Setup: Monthly verified restores - Setup: Monthly verified restores
- Est. Time: 23 days - Est. Time: 23 days
- Priority: CRITICAL (disaster recovery) - Priority: CRITICAL (disaster recovery)
- **Status**: NEXT
### 🟠 **NEXT 12 WEEKS HIGH** ### 🟠 **NEXT 12 WEEKS HIGH**
1. **Authentik End-to-End Test** 1. **Authentik End-to-End Test**
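Review bot: item 3 marks SSH hardening complete with `PasswordAuthentication: no`, `PermitRootLogin: no` and `MaxAuthTries: 3`, but the commit message claims "rate limiting verified". MaxAuthTries caps attempts per connection, not connection rate; if a rate limit actually exists (a Hetzner firewall rule from item 2, or CrowdSec, which this diff still lists as pending) name it in the item, otherwise the message overstates what was verified. Separately, item 1 now ends with `passwords: enabled: false`, making Authentik OIDC the only login path into MAS; add a line documenting the admin fallback (break-glass) if Authentik is unavailable, since nothing in the task list records one.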
@ -152,15 +151,18 @@
- Cert-Manager für TLS - Cert-Manager für TLS
- Commit: `deploy-authentik-as-identity-provider-for-matrix-stage-1` - Commit: `deploy-authentik-as-identity-provider-for-matrix-stage-1`
- Status: ✅ Deployed - Status: ✅ Deployed
- Manual: Admin-Passwort setzen + OIDC Provider erstellen (erforderlich) - Manual: Admin-Passwort + OIDC Provider + Application + Enrollment Flow erstellt ✅
🔄 **[IN PROGRESS] Authentik Stage 2 MAS Integration** - [x] **Authentik Stage 2 MAS Integration**
- [ ] **MAS Upstream OIDC Konfiguration** - ✅ Authentik Admin UI: OIDC Provider erstellt (Authentik)
- Client ID/Secret aus Authentik Admin UI kopieren - ✅ Authentik Admin UI: Application mit Slug `matrix` erstellt
- `upstream_oauth2_config` in `mas-secret.yaml` einfügen - ✅ Authentik Admin UI: Enrollment Flow mit Invitation Stage konfiguriert
- `passwords: enabled: false` - ✅ Client ID + Secret kopiert
- Commit: (pending) - ✅ MAS `upstream_oauth2_config` mit Client Credentials aktualisiert
- Status: ⏳ Wartet auf manuelle Authentik-Konfiguration - ✅ `passwords: enabled: false` aktiviert
- ✅ Commit: `cdfbf7d` - Enable Authentik OIDC integration in MAS
- ✅ Verified: Login mit Authentik funktioniert (2026-05-15)
- Status: ✅ Deployed & Verified
### Phase 6: Dokumentation ### Phase 6: Dokumentation
- [x] **Deployment Guides erstellen** - [x] **Deployment Guides erstellen**
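Review bot: the Stage 2 entry records that the Client ID + Secret were copied into `upstream_oauth2_config` in `mas-secret.yaml` and committed as `cdfbf7d`, but not how that file is protected in the Flux-reconciled repository. Add one line stating whether `mas-secret.yaml` is encrypted at rest (SOPS, Sealed Secrets or similar) or is a Kubernetes Secret created out of band; if the client secret was committed in plaintext, note that it needs rotating in Authentik and the MAS config updated again.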
@ -170,24 +172,39 @@
- Commit: `add-comprehensive-deployment-configuration-documentation` - Commit: `add-comprehensive-deployment-configuration-documentation`
- Status: ✅ Deployed - Status: ✅ Deployed
- [x] **Gitea Wiki erstellen**
- Home.md mit Navigation
- Alle Deployment Guides in Root
- Operations + Archive Dokumentation
- Wiki Branch gepusht zu rohana.axion1337.de
- Status: ✅ Live
- [x] **Gitea Issues & Project Board**
- 8 Issues erstellt (#3-#10): 4 CRITICAL + 4 HIGH
- Priority Labels: critical, high
- Area Labels: authentik, security, database, infrastructure, element
- Status: ✅ Tracking
### Phase 7: Infrastructure Security (Critical)
- [x] **Hetzner Cloud Firewall Configuration**
- SSH: Spezifische IPs (port 2248)
- HTTP/HTTPS: Any IPv4/IPv6
- TURN/STUN: WebRTC Ports
- RTC Services: SFU + Auth Ports
- Status: ✅ Optimiert & Deployed
- [x] **SSH Hardening**
- PasswordAuthentication: no (key-only)
- PermitRootLogin: no
- MaxAuthTries: 3
- Verified: 2026-05-15
- Status: ✅ Complete
--- ---
## 🔄 In Progress / Blocked ## 🔄 In Progress / Blocked
### Authentik Stage 2 MAS Integration (⏳ Depends on Manual Config) **None** Alle CRITICAL Tasks erledigt! Nächster Focus: Database Backups
**Beschreibung**: Authentik OIDC Provider muss manuell im Authentik Admin UI konfiguriert werden, bevor Stage 2 Deployment möglich ist.
**Schritte**:
1. ✅ Authentik Stage 1 Deployment (done)
2. ⏳ Authentik Admin UI: OIDC Provider erstellen (MANUAL - user action)
3. ⏳ Authentik Admin UI: Application mit Slug `matrix` erstellen (MANUAL - user action)
4. ⏳ Authentik Admin UI: Enrollment Flow mit Invitation Stage (MANUAL - user action)
5. ⏳ Authentik Admin UI: Client ID + Secret kopieren (MANUAL - user action)
6. 📋 MAS `upstream_oauth2_config` mit Client Credentials aktualisieren
7. 📋 `passwords: enabled: false` aktivieren
8. 📋 Commit + Push
**Blocker**: Manuelle Authentik-Konfiguration (wartet auf Benutzer)
--- ---
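Review bot: the new Phase 7 firewall entry names rule groups only (`HTTP/HTTPS: Any IPv4/IPv6`, `TURN/STUN: WebRTC Ports`, `RTC Services: SFU + Auth Ports`) without the concrete ports or ranges, so the "Default-Deny" claim made in the Next Steps section cannot be audited from the document. Record the port list per rule and where the rule set lives (Hetzner console, Terraform or hcloud definition), and for the SSH Hardening entry note which hosts and which `sshd_config` were changed and whether that file is managed in Git or edited by hand. Removing the old "Schritte" checklist is fine since Phase 5 now carries the same steps in completed form.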