Production-grade single-VPS hardening roadmap.
Status

| Phase | Items | Status |
|---|---|---|
| P0 — Critical | Restore drill, alerting, swap | ✅ 4/5 |
| P1 — Observability | Prometheus, Grafana, Loki, uptime, status page | ✅ 2/5 |
| P1 — Security v2 | CrowdSec, CF Access, Lynis, auditd | ✅ 3/5 |
| P2 — DevOps | Ansible, CI drift, SOPS, Renovate | ✅ 2/4 |
| P2 — Performance | CF Tunnel, MariaDB/Redis/nginx tuning | ✅ 4/4 |
Done ✅

- P0.1 Restic restore drill (monthly timer)
- P0.3 Alerting channel (ntfy.sh + systemd hooks + fail2ban)
- P0.4 Swap 4 GB
- P1.4 External uptime monitor (CF Worker cron)
- P1.5 Status page (status.play.army)
- P1.6 CrowdSec IDS (agent, 6 collections)
- P1.7 CF Access Zero Trust (panel.play.army)
- P1.8 Lynis audit (score 83/100, weekly timer)
- P2.1 Ansible playbook (13 roles, syntax pass)
- P2.2 CI drift detection (GitHub Actions, weekly)
- P2.5 CF Tunnel (origin invisible)
- P2.6 MariaDB tuning
- P2.7 Redis tuning
- P2.8 nginx tuning
Remaining 🔲

| # | Task | Note |
|---|---|---|
| P0.2 | 2FA for Pterodactyl | TOTP for admin accounts |
| P0.5 | API token regeneration | Hostinger token was in terminal history |
| P1.1 | Prometheus + node_exporter | Docker Compose, 15s scrape |
| P1.2 | Grafana dashboards | CF Zero Trust protected |
| P1.3 | Loki + Promtail | Log aggregation |
| P1.9 | AIDE file integrity | Complements the existing auditd |
| P1.10 | Wings auto-update tracking | Weekly release check |
| P2.3 | SOPS secrets | age-encrypted, portable |
| P2.4 | Renovate | Docker/package CVE tracking |
| P2.5 | Certbot DNS-01 + UFW cleanup | Close 80/443; the tunnel is sufficient |
Future ideas (P3)

- Multi-region failover (CF Load Balancing)
- WireGuard admin VPN
- Game server fleet (Minecraft, CS2, Rust)
- Discord bot (!status, !players, !restart)
- play.army brand site (Astro + CF Pages)