diff --git a/docs/core/tasks.md b/docs/core/tasks.md index ac7a7a9..ae615a3 100644 --- a/docs/core/tasks.md +++ b/docs/core/tasks.md @@ -1,7 +1,7 @@ # 🔥❄️ FIREFROST GAMING — CURRENT TASKS -**Last Updated:** February 13, 2026 (Late Night CST) -**Updated By:** The Engineer (Chronicler the Fifth) +**Last Updated:** February 13, 2026 (Late Evening CST) +**Updated By:** The Sixth (Chronicler the Sixth) **Status:** Active --- @@ -35,20 +35,6 @@ --- -### Vaultwarden Deployment -**Status:** Ready to deploy -**Domain:** vault.firefrostgaming.com -**Location:** Command Center VPS -**Priority:** HIGH (API token currently in temp file in repo) - -**Why Now:** -- Gitea API token needs secure storage (currently in `docs/core/gitea-api-token-TEMPORARY.md`) -- Growing number of service credentials -- Team password management for staff -- Accessibility-friendly web UI - -**After deployment:** Move token to Vaultwarden, delete temp file from repo. - --- ### Mailcow Email Server — Self-Hosted Email 
@@ -113,6 +99,34 @@ ## 🟡 MEDIUM PRIORITY +### Command Center Security Hardening +**Status:** New — identified Feb 13, 2026 +**Priority:** MEDIUM (UFW active, but can be improved) +**Scope:** Command Center VPS (63.143.34.217) + +**Current State:** +- ✅ UFW enabled with default deny incoming +- ✅ Ports 22, 80, 443 open on primary IP +- ❌ Fail2Ban not installed +- ❌ SSH not hardened (still allows password auth) +- ❌ No rate limiting on SSH + +**Tasks:** +1. Install and configure Fail2Ban (auto-ban brute force attempts) +2. SSH hardening: + - Disable password authentication (key-only) + - Consider non-standard SSH port + - Rate limit connection attempts +3. Review UFW rules (ensure minimal necessary access) +4. Document security configuration in repo + +**Why Medium Priority:** +- Breezehost provides network-level DDoS protection +- UFW already active with sensible defaults +- No active threats, but defense-in-depth is good practice + +--- + ### MkDocs Decommission **Status:** New — decision made Feb 13, 2026 **Reason:** Ghost CMS handles public-facing content. Subscriber Wiki handles gated content. MkDocs serves no distinct purpose in the new three-tier model (Ghost → Subscriber Wiki → Staff Wiki). 
@@ -317,6 +331,19 @@ Each server gets: name, uuid, node, tier, enabled flag ## ✅ RECENTLY COMPLETED +### Feb 13, 2026 (Late Evening — Vaultwarden Deployment) +- ✅ Docker installed on Command Center (docker.io + docker-compose) +- ✅ Vaultwarden deployed via Docker (vault.firefrostgaming.com) +- ✅ SSL certificate obtained via Certbot (Let's Encrypt) +- ✅ Nginx reverse proxy configured with HTTPS +- ✅ UFW rules added for ports 80/443 on primary IP +- ✅ DNS configured (A record, DNS-only/gray cloud) +- ✅ Admin account created, public signups disabled +- ✅ Gitea API token migrated to Vaultwarden vault +- ✅ Temporary token file deleted from Git repo +- ✅ Bitwarden browser extension installed and configured +- ✅ SESSION-START-PROMPT.md updated to reference Vaultwarden + ### Feb 13, 2026 (Evening) - ✅ Gemini social media calendar reviewed — confirmed in sync with repo - ✅ Empty heading artifacts cleaned from gemini-social-media-calendar.md @@ -389,3 +416,4 @@ Each server gets: name, uuid, node, tier, enabled flag --- **Fire + Frost + Foundation = Where Love Builds Legacy** 💙🔥❄️ +
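Review bot: In the header hunk (@@ -1,7 +1,7 @@), the timestamp moves backwards on the same date, from "Late Night CST" to "Late Evening CST", so the file now reads as older than the version it replaces; if this revision supersedes the late-night one, use a marker that sorts later (or include a clock time) so readers can tell which copy is current. The author line also drops the role-then-name pattern of the previous entry ("The Engineer (Chronicler the Fifth)" became "The Sixth (Chronicler the Sixth)", which repeats itself); consider keeping a role before the parenthetical for consistency with the earlier entries.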
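Review bot: In the Command Center Security Hardening hunk (@@ -113,6 +99,34 @@), the SSH task "Disable password authentication (key-only)" has no precondition that key-based login has already been verified; on a remote VPS this change locks the operator out if the key is not yet working, so add a step such as "confirm key login from a second session before setting `PasswordAuthentication no`" and keep the current session open while sshd is reloaded. Two smaller points in the same list: "Consider non-standard SSH port" is obscurity rather than hardening and belongs below key-only auth and Fail2Ban (or can be dropped), and the "No rate limiting on SSH" gap can be closed immediately with UFW's own `ufw limit 22/tcp` rule rather than waiting on Fail2Ban. Finally, the "No active threats" line under "Why Medium Priority" is not supportable while password auth is enabled and Fail2Ban is absent, because nothing on the host is counting failed logins; suggest "no known incidents" instead, or raising the SSH items to HIGH.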
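Review bot: In the Recently Completed hunk (@@ -317,6 +331,19 @@), the entries "Gitea API token migrated to Vaultwarden vault" and "Temporary token file deleted from Git repo" do not record that the token itself was regenerated; deleting `docs/core/gitea-api-token-TEMPORARY.md` removes it from the working tree but not from Git history or from any clone that already fetched it, so the committed value should be treated as exposed. Suggest adding a line such as "✅ Old Gitea API token revoked in Gitea, replacement generated and stored only in Vaultwarden", plus a note if history was rewritten. The removed task section flagged the in-repo token as the HIGH-priority reason for the deployment, so the completion record should close that concern explicitly.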
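Review bot: The final hunk (@@ -389,3 +416,4 @@) adds a single empty "+" line after the closing tagline, i.e. a trailing blank line at end of file; this looks like accidental whitespace and will show up as churn in later diffs, so drop it (if the intent was to guarantee a newline at EOF, the file already ends with one, since the tagline line is unchanged context rather than a "\ No newline at end of file" marker).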