- Pin Miniflux to 2.2.19, Gitea to 1.25 (from :latest)
- Add security headers (X-Content-Type-Options, X-Frame-Options,
Referrer-Policy, Permissions-Policy) to all Caddy sites
- Add Docker JSON log rotation (10m x 3 files) to all containers
- Add SHA256 checksum verification for GoatCounter binary download
- Install and configure unattended-upgrades for security patches
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Disable password auth, restrict root login, limit auth retries.
Add fail2ban with SSH jail (3 retries, 1hr ban). Remove setup.sh
which predated Ansible and was no longer used.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Docker Compose stack (Gitea + Postgres) on port 3000, SSH on 2222,
reverse-proxied via Caddy at git.monotrope.au.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add self-hosted GoatCounter via systemd binary service (stats.monotrope.au)
- Add Miniflux RSS reader via Docker Compose (reader.monotrope.au)
- Extend Ansible playbook with goatcounter and miniflux tags; all provisioning is idempotent
- Add Caddy reverse proxy blocks for both new services
- Inject GoatCounter script in baseof.html (production builds only)
- Add goatcounter and miniflux Makefile targets
- Rewrite CLAUDE.md to reflect actual project state
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
