Update TASKS.md: Mark 3 CRITICAL tasks complete

- Authentik Stage 2: OIDC integration verified (login working) - Hetzner Cloud Firewall: Configured & optimized - SSH Hardening: Key-only auth, no root, rate limiting verified Updated status: 9 completed, 0 in-progress, 11+ pending All 3 CRITICAL security tasks done. Next: Database Backups Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-05-15 13:48:00 +02:00 · 2026-05-15 13:48:00 +02:00 · c32f951716
commit c32f951716
parent cdfbf7de98
1 changed files with 68 additions and 51 deletions
--- a/docs/TASKS.md
+++ b/docs/TASKS.md
@ -1,7 +1,7 @@
 # aXion1337.Chat – Task List & Meilensteine

-**Last Updated**: 2026-05-14  
-**Statusübersicht**: [✅ 6 Abgeschlossen] [🔄 1 In Progress] [📋 15+ Pending] [🔒 10 Security]
+**Last Updated**: 2026-05-15  
+**Statusübersicht**: [✅ 9 Abgeschlossen] [🔄 0 In Progress] [📋 11+ Pending] [🔒 10 Security]

 ---

@ -9,10 +9,10 @@

 | Kategorie | Count | Status | Details |
 |-----------|-------|--------|---------|
-| **Completed** | 6 | ✅ Done | K3S, Flux, ESS, Themes, Desktop, Monitoring, TURN |
-| **In Progress** | 1 | 🔄 Blocked | Authentik Stage 2 (awaiting manual config) |
-| **Backlog** | 15+ | 📋 Pending | Element Call Fork, DB Backups, NetworkPolicies, etc. |
-| **Security Tasks** | 10 | 🔒 Pending | Firewall, SSH, auditd, Kernel hardening, CrowdSec, Falco |
+| **Completed** | 9 | ✅ Done | K3S, Flux, ESS, Themes, Desktop, Monitoring, TURN, Authentik, Firewall, SSH |
+| **In Progress** | 0 | 🔄 — | — |
+| **Backlog** | 11+ | 📋 Pending | DB Backups, E2E Test, Element Call Fork, PostgreSQL Migration, NetworkPolicies |
+| **Security Tasks** | 5 | 🔒 Pending | auditd, Kernel hardening, CrowdSec, Falco, WAF |

 ### Priority Distribution

@ -28,35 +28,34 @@
 ## 🎯 Next Steps (Priorisiert)

 ### 🔴 **THIS WEEK – CRITICAL**
-1. **Authentik Stage 2 abschließen**
-   - Manual: OIDC Provider + Application in Authentik UI erstellen
-   - Code: `upstream_oauth2_config` in `mas-secret.yaml` einfügen
-   - Code: `passwords: enabled: false` aktivieren
-   - Commit: `enable-authentik-oidc-integration-in-mas`
-   - Est. Time: 1–2 hours
-   - Blocker: Manual Authentik config (user action)
+1. ✅ **Authentik Stage 2 abschließen**
+   - ✅ Manual: OIDC Provider + Application in Authentik UI erstellt
+   - ✅ Code: `upstream_oauth2_config` in `mas-secret.yaml` eingefügt
+   - ✅ Code: `passwords: enabled: false` aktiviert
+   - ✅ Commit: `cdfbf7d` - Enable Authentik OIDC integration in MAS
+   - ✅ Verified: Login mit Authentik funktioniert (2026-05-15)
+   - **Status**: COMPLETE

-2. **Hetzner Cloud Firewall – Default-Deny Setup**
-   - Ingress: Allow 80/443 only
-   - Allow SSH from your IP or via WireGuard/Tailscale
-   - Est. Time: 30 min
-   - Cost: Free
-   - Impact: Blocks 99% of internet background noise
+2. ✅ **Hetzner Cloud Firewall – Optimierte Konfiguration**
+   - ✅ Ingress: 80/443 + TURN/STUN + RTC Services
+   - ✅ SSH: Spezifische IPs (port 2248, nicht 22)
+   - ✅ Default-Deny für nicht-definierte Traffic
+   - **Status**: COMPLETE (optimiert über Plan)

-3. **SSH Hardening**
-   - Disable password auth (key-only)
-   - Disable root login
-   - MaxAuthTries 3
-   - Est. Time: 1–2 hours
-   - Priority: HIGH
+3. ✅ **SSH Hardening**
+   - ✅ PasswordAuthentication: no (key-only)
+   - ✅ PermitRootLogin: no (root disabled)
+   - ✅ MaxAuthTries: 3 (verified 2026-05-15)
+   - **Status**: COMPLETE

 4. **Database Backup Strategy – Decision & First Backup**
-   - Decision: CloudNativePG (on K3S) or Hetzner Postgres (managed)?
-   - Setup: Daily automated backups
-   - Setup: Off-site storage (S3 / Storage Box)
-   - Setup: Monthly verified restores
+   - ⏳ Decision: CloudNativePG (on K3S) or Hetzner Postgres (managed)?
+   - ⏳ Setup: Daily automated backups
+   - ⏳ Setup: Off-site storage (S3 / Storage Box)
+   - ⏳ Setup: Monthly verified restores
   - Est. Time: 2–3 days
   - Priority: CRITICAL (disaster recovery)
+   - **Status**: NEXT

 ### 🟠 **NEXT 1–2 WEEKS – HIGH**
 1. **Authentik End-to-End Test**
@ -152,15 +151,18 @@
  - Cert-Manager für TLS
  - Commit: `deploy-authentik-as-identity-provider-for-matrix-stage-1`
  - Status: ✅ Deployed
-  - Manual: Admin-Passwort setzen + OIDC Provider erstellen (erforderlich)
+  - Manual: Admin-Passwort + OIDC Provider + Application + Enrollment Flow erstellt ✅

-🔄 **[IN PROGRESS] Authentik Stage 2 – MAS Integration**
- [ ] **MAS Upstream OIDC Konfiguration**
-  - Client ID/Secret aus Authentik Admin UI kopieren
-  - `upstream_oauth2_config` in `mas-secret.yaml` einfügen
-  - `passwords: enabled: false`
-  - Commit: (pending)
-  - Status: ⏳ Wartet auf manuelle Authentik-Konfiguration
+- [x] **Authentik Stage 2 – MAS Integration**
+  - ✅ Authentik Admin UI: OIDC Provider erstellt (Authentik)
+  - ✅ Authentik Admin UI: Application mit Slug `matrix` erstellt
+  - ✅ Authentik Admin UI: Enrollment Flow mit Invitation Stage konfiguriert
+  - ✅ Client ID + Secret kopiert
+  - ✅ MAS `upstream_oauth2_config` mit Client Credentials aktualisiert
+  - ✅ `passwords: enabled: false` aktiviert
+  - ✅ Commit: `cdfbf7d` - Enable Authentik OIDC integration in MAS
+  - ✅ Verified: Login mit Authentik funktioniert (2026-05-15)
+  - Status: ✅ Deployed & Verified

 ### Phase 6: Dokumentation
 - [x] **Deployment Guides erstellen**
@ -170,24 +172,39 @@
  - Commit: `add-comprehensive-deployment-configuration-documentation`
  - Status: ✅ Deployed

+- [x] **Gitea Wiki erstellen**
+  - Home.md mit Navigation
+  - Alle Deployment Guides in Root
+  - Operations + Archive Dokumentation
+  - Wiki Branch gepusht zu rohana.axion1337.de
+  - Status: ✅ Live
+
+- [x] **Gitea Issues & Project Board**
+  - 8 Issues erstellt (#3-#10): 4 CRITICAL + 4 HIGH
+  - Priority Labels: critical, high
+  - Area Labels: authentik, security, database, infrastructure, element
+  - Status: ✅ Tracking
+
+### Phase 7: Infrastructure Security (Critical)
+- [x] **Hetzner Cloud Firewall Configuration**
+  - SSH: Spezifische IPs (port 2248)
+  - HTTP/HTTPS: Any IPv4/IPv6
+  - TURN/STUN: WebRTC Ports
+  - RTC Services: SFU + Auth Ports
+  - Status: ✅ Optimiert & Deployed
+
+- [x] **SSH Hardening**
+  - PasswordAuthentication: no (key-only)
+  - PermitRootLogin: no
+  - MaxAuthTries: 3
+  - Verified: 2026-05-15
+  - Status: ✅ Complete
+
 ---

 ## 🔄 In Progress / Blocked

-### Authentik Stage 2 – MAS Integration (⏳ Depends on Manual Config)
-**Beschreibung**: Authentik OIDC Provider muss manuell im Authentik Admin UI konfiguriert werden, bevor Stage 2 Deployment möglich ist.
-
-**Schritte**:
-1. ✅ Authentik Stage 1 Deployment (done)
-2. ⏳ Authentik Admin UI: OIDC Provider erstellen (MANUAL - user action)
-3. ⏳ Authentik Admin UI: Application mit Slug `matrix` erstellen (MANUAL - user action)
-4. ⏳ Authentik Admin UI: Enrollment Flow mit Invitation Stage (MANUAL - user action)
-5. ⏳ Authentik Admin UI: Client ID + Secret kopieren (MANUAL - user action)
-6. 📋 MAS `upstream_oauth2_config` mit Client Credentials aktualisieren
-7. 📋 `passwords: enabled: false` aktivieren
-8. 📋 Commit + Push
-
-**Blocker**: Manuelle Authentik-Konfiguration (wartet auf Benutzer)
+**None** – Alle CRITICAL Tasks erledigt! Nächster Focus: Database Backups

 ---