    v0.2.0 (4f1ebf4797)
    Stable

    Ghost released this 2026-06-20 11:13:27 +00:00 | 28 commits to main since this release

    A large hardening, operability, and polish cycle: the mirror now runs rootless and
    self-hardens the host, the deploy.sh status/management UX was rebuilt, and the repo
    was reorganised into src/ + config/ + doc/.

    Added

    • System hardening (deploy.sh harden, also during install; opt out with --no-harden):
      guarded key-only SSH, fail2ban, hourly automatic security updates with auto-reboot,
      Docker-safe sysctl tuning, firewall least-privilege, and enforced filesystem permissions.
      Interactive enable/disable/re-apply per measure. Documented in doc/SYSTEM-HARDENING.md.
    • Web-tier abuse protection: fail2ban caddy-flood jail (firewall-bans HTTP 429 floods from
      the access log) + recidive jail; an optional SSH never-ban whitelist (PM_SSH_WHITELIST).
    • Security response headers (web.security_headers): nosniff, X-Frame-Options: DENY,
      Referrer-Policy, Server banner removed, and HSTS on HTTPS.
    • Management subcommands: status, start/stop/restart/down, logs, refresh,
      harden, set-fqdn, set-mirror-auth, set-mirror-creds, set-goaccess-creds,
      open-goaccess, and clear-config [data] (uninstall/reconfigure).
    • Status dashboard: boxed, colour-coded sections (System, Security, Services, Mirror,
      Mirror config, Content, Sync) with live sync progress, "last sweep X ago", blocked-IP count,
      effective rate limit, the outbound User-Agent, and the running version + commit ref.
    • Operator identity (operator.{name,email}): shown in the page footer and sent in the
      outbound User-Agent so MikroTik can contact whoever runs the mirror.
    • Timezone support (TZ): release/modified dates render in the operator's timezone in
      RFC 5322 format; deploy.sh prompts for and sets the host timezone.
    • Configurable TLS renewal window (web.tls.renewal_window_ratio).
    • config/env.example reference; repository-layout and disk-sizing docs in the README.
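    The caddy-flood jail above bans an IP after the access log shows repeated HTTP 429
    responses for it inside a time window. The following is an added illustration of
    that detection logic, not code from the mirror project or its fail2ban filter: it
    replays constructed lines in the shape of Caddy's JSON access log (field names
    `ts`, `request.client_ip`, `status` are assumed) through a per-IP sliding window
    with fail2ban-style `maxretry`/`findtime` semantics, skips malformed lines, and
    reports which IPs would be banned and when.

```python
"""Sliding-window detector for HTTP 429 floods in a Caddy-style JSON access log.

Added example: reproduces what a fail2ban jail does (maxretry hits within
findtime -> ban) offline, so the thresholds can be reasoned about without
fail2ban or a live Caddy instance. Field names are assumed, not taken from
the mirror project's own filter.
"""
import json
from collections import defaultdict, deque

# Constructed sample lines (not from the project). Includes one malformed line.
SAMPLE_LOG = """\
{"ts":1000.0,"request":{"client_ip":"203.0.113.7","uri":"/feed"},"status":200}
{"ts":1001.0,"request":{"client_ip":"203.0.113.7","uri":"/feed"},"status":429}
this line is not JSON and must be skipped rather than crash the detector
{"ts":1002.0,"request":{"client_ip":"203.0.113.7","uri":"/feed"},"status":429}
{"ts":1003.0,"request":{"client_ip":"203.0.113.7","uri":"/feed"},"status":429}
{"ts":1000.0,"request":{"client_ip":"198.51.100.9","uri":"/"},"status":429}
{"ts":1004.0,"request":{"client_ip":"203.0.113.7","uri":"/feed"},"status":429}
{"ts":1005.0,"request":{"client_ip":"203.0.113.7","uri":"/feed"},"status":429}
{"ts":1006.0,"request":{"client_ip":"203.0.113.7","uri":"/feed"},"status":429}
{"ts":100.0,"request":{"client_ip":"192.0.2.5","uri":"/"},"status":429}
{"ts":200.0,"request":{"client_ip":"192.0.2.5","uri":"/"},"status":429}
{"ts":300.0,"request":{"client_ip":"192.0.2.5","uri":"/"},"status":429}
{"ts":400.0,"request":{"client_ip":"192.0.2.5","uri":"/"},"status":429}
{"ts":800.0,"request":{"client_ip":"192.0.2.5","uri":"/"},"status":429}
{"ts":1200.0,"request":{"client_ip":"198.51.100.9","uri":"/"},"status":429}
"""


def parse_line(line):
    """Return (ts, client_ip, status) or None if the line is not a usable record."""
    try:
        rec = json.loads(line)
        return float(rec["ts"]), str(rec["request"]["client_ip"]), int(rec["status"])
    except (ValueError, KeyError, TypeError):
        return None


def find_flooders(lines, maxretry=5, findtime=600.0):
    """Return {ip: ban_ts} for IPs that produced >= maxretry 429s within findtime.

    Hits older than `findtime` seconds relative to the newest hit are dropped
    from the window, so slow trickles of 429s never accumulate into a ban.
    An IP is reported once, at the timestamp of the hit that crossed maxretry.
    """
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or unrelated line
        ts, ip, status = parsed
        if status != 429 or ip in banned:
            continue
        window = hits[ip]
        window.append(ts)
        while window and window[0] <= ts - findtime:
            window.popleft()  # expire hits outside the findtime window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, ts in find_flooders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold crossed at ts={ts})")
```

    With the defaults above only 203.0.113.7 is banned (five 429s in five seconds);
    198.51.100.9 has two hits and 192.0.2.5 spreads its five hits over 700 seconds, so
    the oldest expire before the count reaches five. The recidive jail from the same
    entry would then escalate for IPs that get banned repeatedly.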

    Changed

    • Repository layout: deploy.sh, sync/, web/, monitor/ moved under src/;
      example config under config/; docs under doc/. Compose build contexts updated.
    • Containers run rootless (uid:gid 1000, no-new-privileges); Caddy keeps
      NET_BIND_SERVICE to bind 80/443. Host-bound data is owned by 1000:1000.
    • Rate limiting now defaults to all routes at 600 r/m (was feed-only at 60 r/m); tunable.
    • Download phase runs with parallel workers (default 2); release dates parsed from CHANGELOG.
    • Footer year is dynamic; redundant author link removed in favour of the repo link + version.

    Fixed

    • Completed architectures now skip all fetches/probes on later sweeps — no more per-sweep
      CDN hammering for files MikroTik doesn't offer (steady-state sweep dropped from minutes to seconds).
    • In-progress versions/architectures and *.part files are hidden until fully mirrored.
    • fail2ban requires the firewalld backend to actually enforce bans (ordered first, warned otherwise);
      re-applying an already-enabled measure now refreshes its config.
    • Real-time GoAccess board WebSocket fixed end-to-end (path, protocol, public port).

    Security

    • See Added — host hardening, rootless containers, web-tier abuse protection, and security
      headers are the headline of this release. See doc/SYSTEM-HARDENING.md.
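    A post-deploy check for the response headers listed under Added, as an added
    example rather than anything shipped with the mirror: it audits a header mapping
    (as returned by any HTTP client) against the five items from the web.security_headers
    entry, treats HSTS as required only over HTTPS, since browsers ignore it on plain
    HTTP, and compares names case-insensitively because header names are. The two
    sample responses are constructed.

```python
"""Audit an HTTP response's headers against the release's security-header set.

Added example (not project code). Expected set taken from the release notes:
nosniff, X-Frame-Options: DENY, a Referrer-Policy, no Server banner, and
HSTS on HTTPS.
"""

# Constructed samples: a hardened response and a default-looking one.
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000",
}
UNHARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Caddy",
    "X-Frame-Options": "sameorigin",
}


def audit_security_headers(headers, https=True):
    """Return a list of findings; an empty list means every expected header is in place."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if not h.get("referrer-policy"):
        findings.append("Referrer-Policy is missing")
    if "server" in h:
        findings.append(f"Server banner is exposed ({h['server']})")
    hsts = h.get("strict-transport-security", "")
    if https:
        if not hsts:
            findings.append("Strict-Transport-Security is missing on HTTPS")
        elif "max-age=" not in hsts.lower():
            findings.append("Strict-Transport-Security has no max-age")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        problems = audit_security_headers(hdrs)
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

    Feed it the headers from a real request to the mirror's FQDN over HTTPS and over the
    port-80 redirect separately; over plain HTTP the HSTS item is not required, so pass
    `https=False` there.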