KeiSeiKit-1.0/_blocks/security-patching.md
Parfii-bot 0be354a920 KeiSeiKit-public — clean state
Single-commit clean baseline after security scrub of niche-tells,
project codenames, internal jargon, and contributor-email leaks.

Contents:
- 100 Rust crates (_primitives/_rust/)
- 37 agent manifests (_manifests/) + generated specs (_generated/)
- 67 user-invocable skills (skills/)
- 33 hooks (hooks/)
- Composition blocks (_blocks/)
- Documentation (docs/, README.md)
- TS adapter packages (_ts_packages/)
- Assembler (_assembler/)
- Roles (_roles/)
- Templates (_templates/)
- Forgejo CI (.forgejo/)

Author: Denis Parfionovich <info@greendragon.info>

License: see LICENSE.
2026-05-01 12:09:03 +08:00


SECURITY — Patching (unattended-upgrades + needrestart + reboot window)

Goal: security patches applied within 24 h of release, service restarts + kernel reboots happen within a declared maintenance window (NOT ad-hoc at 3 AM UTC on a random Tuesday).

Install:

sudo apt install -y unattended-upgrades needrestart

/etc/apt/apt.conf.d/50unattended-upgrades (essential lines, Debian 12 / Ubuntu 22.04+):

Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename}-security";
    "origin=Debian,codename=${distro_codename}-updates";
};
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
Unattended-Upgrade::Mail "admin@example.com";
Unattended-Upgrade::MailReport "on-change";

Automatic-Reboot "false" is the SAFE default — an automatic reboot without coordination kills in-flight requests. Pair with needrestart to SURFACE the reboot requirement, then schedule the window explicitly (below).

/etc/apt/apt.conf.d/20auto-upgrades:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade  "1";
APT::Periodic::AutocleanInterval   "7";

Triggers daily via /lib/systemd/system/apt-daily.timer + apt-daily-upgrade.timer.

needrestart: after each upgrade, prints the services that still have old library versions loaded and need a restart. /etc/needrestart/needrestart.conf:

$nrconf{restart} = 'l';    # list only; do NOT auto-restart services
$nrconf{kernelhints} = -1; # suppress "reboot hint" interactive prompt (non-TTY cron)

$nrconf{restart} = 'a' (auto) is tempting but dangerous — restarting postgresql or another stateful app in the middle of a migration = corruption.

Reboot window pattern (declared, env-var-driven):

# /etc/systemd/system/kei-reboot-window.service + .timer
# Only reboots if /var/run/reboot-required exists AND the current time
# falls inside the declared window.
[Service]
Type=oneshot
EnvironmentFile=/etc/default/kei-reboot-window
ExecStart=/usr/local/bin/kei-reboot-window

# /etc/default/kei-reboot-window
KEI_REBOOT_DOW="Sun"          # day-of-week
KEI_REBOOT_HOUR="04"          # 24h, UTC
KEI_REBOOT_MIN="15"
KEI_DRAIN_CMD=""              # optional pre-reboot drain (e.g. drain a load-balancer slot)

kei-reboot-window script checks [ -f /var/run/reboot-required ], verifies it is the declared DOW/hour, runs $KEI_DRAIN_CMD, then systemctl reboot. Commit the script once; reuse the env file per-host.
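The kei-reboot-window script as described above, written here as an added example (it is not the project's own script). It assumes the variables from /etc/default/kei-reboot-window and adds three knobs of its own: KEI_REBOOT_FLAG (overridable marker path), KEI_REBOOT_SLACK (minutes of tolerance after the declared minute) and KEI_REBOOT_DRY_RUN.

```sh
#!/bin/sh
# kei-reboot-window: reboot only if a reboot is pending AND the current UTC
# time is inside the window declared in /etc/default/kei-reboot-window
# (KEI_REBOOT_DOW, KEI_REBOOT_HOUR, KEI_REBOOT_MIN, optional KEI_DRAIN_CMD),
# which the systemd unit loads via EnvironmentFile.
set -eu
export LC_ALL=C                   # `date +%a` then prints "Sun", never a localised name

# Assumed knobs, not on the page: an overridable marker path (for rehearsals)
# and a slack interval so a timer that fires a few minutes late still qualifies.
REBOOT_FLAG="${KEI_REBOOT_FLAG:-/var/run/reboot-required}"
SLACK_MIN="${KEI_REBOOT_SLACK:-10}"

# Strip one leading zero so "04" and "4" compare as the same number.
num() { v="${1#0}"; printf '%s\n' "${v:-0}"; }

reboot_pending() { [ -f "$REBOOT_FLAG" ]; }

# in_window DOW HH MM: true when DOW matches and HH:MM lies in
# [KEI_REBOOT_HOUR:KEI_REBOOT_MIN, +SLACK_MIN). "Now" is passed in as
# arguments so the decision can be tested without faking the clock.
in_window() {
    [ "$1" = "$KEI_REBOOT_DOW" ] || return 1
    [ "$(num "$2")" -eq "$(num "$KEI_REBOOT_HOUR")" ] || return 1
    start=$(num "$KEI_REBOOT_MIN"); now=$(num "$3"); slack=$(num "$SLACK_MIN")
    [ "$now" -ge "$start" ] && [ "$now" -lt $((start + slack)) ]
}

main() {
    reboot_pending || { echo "kei-reboot-window: no reboot required"; return 0; }
    # shellcheck disable=SC2046  # splitting "Sun 04 15" into three args is intended
    in_window $(date -u '+%a %H %M') || {
        echo "kei-reboot-window: reboot pending but outside window ($KEI_REBOOT_DOW $KEI_REBOOT_HOUR:$KEI_REBOOT_MIN UTC)"
        return 0
    }
    if [ -n "${KEI_DRAIN_CMD:-}" ]; then
        echo "kei-reboot-window: draining: $KEI_DRAIN_CMD"
        sh -c "$KEI_DRAIN_CMD"        # a failing drain aborts the reboot (set -e)
    fi
    if [ -n "${KEI_REBOOT_DRY_RUN:-}" ]; then    # assumed rehearsal switch
        echo "kei-reboot-window: dry run, would reboot now"
    else
        systemctl reboot
    fi
}

# Run only when invoked as the installed script, so the functions can be
# sourced and tested without triggering a reboot.
case "${0##*/}" in kei-reboot-window) main ;; esac
```

Install as /usr/local/bin/kei-reboot-window and let the .timer fire it every few minutes; everything outside the declared DOW/hour/minute window exits 0 without touching the host.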

Provider-specific:

  • Hetzner Cloud / Vultr / UpCloud / DigitalOcean / Linode — nothing extra; cloud-init already installs the packages per deploy-vps-generic.md.
  • AWS EC2 — ec2-instance-connect may briefly reject SSH during a reboot — tolerate in orchestration retries.

Auditability: unattended-upgrades logs to /var/log/unattended-upgrades/unattended-upgrades.log. Forward via journald (see security-audit-logging.md). Package a short summary in the skill Phase 5 report.

Forbidden:

  • Unattended-Upgrade::Automatic-Reboot "true" on stateful services.
  • $nrconf{restart} = 'a' on a database host.
  • Silently skipping the reboot window to "avoid downtime" (real fix: HA, not skipped patches).
  • Installing .deb packages from third-party repos without pinning + signature verification.
  • Disabling the apt-daily.timer — disables ALL security updates.