fix: remove ssh hardning

Author: davidgaribay-dev

.github/workflows/docker-rewind.yml

@@ -12,11 +12,6 @@ on:
     paths:
       - 'rewind/**'
   workflow_dispatch:
-    inputs:
-      api_url:
-        description: 'API URL for web build'
-        required: false
-        default: 'https://10.0.70.70:8443'
 
 env:
   REGISTRY: ghcr.io
@@ -109,7 +104,5 @@ jobs:
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            VITE_API_URL=${{ github.event.inputs.api_url || 'https://10.0.70.70:8443' }}
           cache-from: type=gha,scope=rewind-web
           cache-to: type=gha,scope=rewind-web,mode=max

infra/claude-vms/configuration/group_vars/all.yml

@@ -23,65 +23,6 @@ os_security_kernel_module_loading: true
 os_auth_pw_max_age: 99999
 os_auth_pw_min_age: 0
 
-# SSH Hardening Configuration (devsec.hardening.ssh_hardening)
-
-# SSH authentication
-ssh_permit_root_login: "no"
-ssh_allow_users: "{{ dev_user }}"
-ssh_allow_agent_forwarding: true
-ssh_allow_tcp_forwarding: true
-
-# Key-based auth only
-ssh_server_password_login: false
-ssh_challengeresponseauthentication: false
-
-# Modern crypto settings for Ubuntu 24.04 / OpenSSH 9.x
-# Note: role uses ssh_kex, NOT ssh_kex_algorithms
-ssh_kex:
-  - sntrup761x25519-sha512@openssh.com
-  - curve25519-sha256
-  - curve25519-sha256@libssh.org
-  - diffie-hellman-group18-sha512
-  - diffie-hellman-group16-sha512
-
-ssh_ciphers:
-  - chacha20-poly1305@openssh.com
-  - aes256-gcm@openssh.com
-  - aes128-gcm@openssh.com
-  - aes256-ctr
-  - aes192-ctr
-  - aes128-ctr
-
-ssh_macs:
-  - hmac-sha2-512-etm@openssh.com
-  - hmac-sha2-256-etm@openssh.com
-  - umac-128-etm@openssh.com
-
-# Host key algorithms for Ubuntu 24.04
-ssh_host_key_algorithms:
-  - ssh-ed25519
-  - rsa-sha2-512
-  - rsa-sha2-256
-
-# Client alive settings
-ssh_client_alive_interval: 300
-ssh_client_alive_count: 3
-
-# Ubuntu 24.04 / OpenSSH 9.x compatibility settings
-ssh_use_pam: true                          # Required for proper auth on Ubuntu
-sftp_enabled: true                         # Enable SFTP (Ansible uses it by default)
-ssh_print_pam_motd: false                  # Disable duplicate MOTD
-ssh_print_last_log: true                   # Show last login info
-
-# Don't regenerate host keys (can cause issues on Ubuntu 24.04)
-ssh_server_hardening: true
-sshd_moduli_minimum: 3072
-
-# Disable the role's restart handler - we handle SSH reload manually in post_tasks
-# after validating the config. This prevents the handler failure on Ubuntu 24.04.
-# See: https://github.com/dev-sec/ansible-collection-hardening/issues/854
-ssh_server_enabled: false
-
 # Development Environment Settings
 
 # User for development (can be overridden via -e cloud_init_user=xxx)
@@ -152,5 +93,7 @@ plane_workspace_slug: "{{ lookup('env', 'PLANE_WORKSPACE_SLUG') | default('', tr
 plane_api_key: "{{ lookup('env', 'PLANE_API_KEY') | default('', true) }}"
 
 # Rewind Configuration
-rewind_api_port: 8443  # External HTTPS port (Caddy)
-rewind_api_url: "https://{{ core_services_ip }}:{{ rewind_api_port }}"
+# Use the web external port (8444) which proxies /api to the API container
+# This avoids cross-origin issues with self-signed certs on separate ports
+rewind_web_port: 8444  # External HTTPS port for web (Caddy) - also serves /api
+rewind_api_url: "https://{{ core_services_ip }}:{{ rewind_web_port }}"

infra/claude-vms/configuration/playbook.yml

@@ -35,67 +35,6 @@
         name: rsyslog
         state: present
 
-    - name: Ensure /run/sshd exists (required for ssh_hardening on Ubuntu 24.04)
-      ansible.builtin.file:
-        path: /run/sshd
-        state: directory
-        mode: '0755'
-        owner: root
-        group: root
-
-    # Ensure OpenSSH is updated before hardening (fixes socket-activation issues)
-    # Minimum recommended version: 1:9.6p1-3ubuntu13.8
-    # See: https://github.com/dev-sec/ansible-collection-hardening/issues/854
-    - name: Update OpenSSH to latest version
-      ansible.builtin.apt:
-        name:
-          - openssh-server
-          - openssh-client
-        state: latest
-
-    # Ubuntu 24.04 uses socket activation by default which conflicts with ssh_hardening
-    # See: https://github.com/dev-sec/ansible-collection-hardening/issues/854
-    # See: https://discourse.ubuntu.com/t/sshd-now-uses-socket-based-activation-ubuntu-22-10-and-later/30189
-    #
-    # Best practice approach from DevSec hardening:
-    # 1. Remove all socket-related config files
-    # 2. Stop, disable, and MASK ssh.socket (mask prevents any re-activation)
-    # 3. Reload systemd
-    # 4. Enable and start ssh.service
-
-    - name: Remove socket activation configuration files
-      ansible.builtin.file:
-        path: "{{ item }}"
-        state: absent
-      loop:
-        - /etc/systemd/system/ssh.service.d/00-socket.conf
-        - /etc/systemd/system/ssh.socket.d/addresses.conf
-        - /etc/systemd/system/ssh.service.requires/ssh.socket
-        - /etc/systemd/system/sockets.target.wants/ssh.socket
-
-    - name: Stop, disable and mask ssh.socket
-      ansible.builtin.systemd:
-        name: ssh.socket
-        state: stopped
-        enabled: false
-        masked: true
-      register: ssh_socket_result
-      failed_when: false
-
-    - name: Log ssh.socket status if unexpected
-      ansible.builtin.debug:
-        msg: "Note: ssh.socket operation returned: {{ ssh_socket_result.msg | default('OK') }}"
-      when: ssh_socket_result is failed
-
-    - name: Reload systemd daemon after socket config removal
-      ansible.builtin.systemd:
-        daemon_reload: true
-
-    - name: Enable and start traditional SSH service
-      ansible.builtin.systemd:
-        name: ssh.service
-        enabled: true
-        state: started
 
   roles:
     # OS-level hardening (file permissions, kernel params, etc.)
@@ -612,140 +551,3 @@
     # Claude Code will auto-enable plugins when it starts
 
 
-# SSH hardening runs LAST to avoid connection issues blocking other tasks
-- name: Apply SSH hardening (final step)
-  hosts: all
-  become: true
-  gather_facts: false
-  tags: [hardening]
-
-  pre_tasks:
-    - name: Ensure /run/sshd still exists
-      ansible.builtin.file:
-        path: /run/sshd
-        state: directory
-        mode: '0755'
-        owner: root
-        group: root
-
-    # Verify socket activation is still disabled before ssh_hardening runs
-    - name: Verify ssh.socket is stopped, disabled and masked
-      ansible.builtin.systemd:
-        name: ssh.socket
-        state: stopped
-        enabled: false
-        masked: true
-      register: ssh_socket_verify_result
-      failed_when: false
-
-    - name: Log ssh.socket verification status if unexpected
-      ansible.builtin.debug:
-        msg: "Note: ssh.socket verification returned: {{ ssh_socket_verify_result.msg | default('OK') }}"
-      when: ssh_socket_verify_result is failed
-
-    # Remove any remaining socket activation config that may have been recreated
-    - name: Remove socket activation configuration files (second pass)
-      ansible.builtin.file:
-        path: "{{ item }}"
-        state: absent
-      loop:
-        - /etc/systemd/system/ssh.service.d/00-socket.conf
-        - /etc/systemd/system/ssh.socket.d/addresses.conf
-        - /etc/systemd/system/ssh.service.requires/ssh.socket
-
-    - name: Reload systemd daemon
-      ansible.builtin.systemd:
-        daemon_reload: true
-
-    # Check what's holding port 22 for debugging
-    - name: Check what process is using port 22
-      ansible.builtin.shell: ss -tlnp | grep ':22' || true
-      register: port_22_check
-      changed_when: false
-
-    - name: Display port 22 usage
-      ansible.builtin.debug:
-        msg: "Port 22 status: {{ port_22_check.stdout | default('Port 22 is free') }}"
-
-    # Test sshd config before attempting to start
-    - name: Test sshd configuration validity before starting
-      ansible.builtin.command: sshd -t
-      register: sshd_pretest
-      ignore_errors: true
-      changed_when: false
-
-    - name: Display sshd config error if test failed
-      ansible.builtin.debug:
-        msg: "sshd -t failed: {{ sshd_pretest.stderr }}"
-      when: sshd_pretest.rc != 0
-
-    - name: Fail if sshd config is invalid
-      ansible.builtin.fail:
-        msg: "sshd configuration is invalid. Check /etc/ssh/sshd_config. Error: {{ sshd_pretest.stderr }}"
-      when: sshd_pretest.rc != 0
-
-    # Check if sshd is already running - if so, we don't need to start it
-    - name: Check if sshd is already running
-      ansible.builtin.shell: pgrep -x sshd > /dev/null && echo "running" || echo "stopped"
-      register: sshd_running
-      changed_when: false
-
-    - name: Display sshd status
-      ansible.builtin.debug:
-        msg: "sshd is {{ sshd_running.stdout }}"
-
-    # Only try to start if not already running
-    - name: Start ssh.service if not running
-      ansible.builtin.systemd:
-        name: ssh.service
-        state: started
-        enabled: true
-      when: sshd_running.stdout == "stopped"
-
-  roles:
-    - role: devsec.hardening.ssh_hardening
-
-  post_tasks:
-    # Test sshd config before attempting reload
-    - name: Test sshd configuration validity
-      ansible.builtin.command: sshd -t
-      register: sshd_test
-      ignore_errors: true
-      changed_when: false
-
-    - name: Show sshd config test result
-      ansible.builtin.debug:
-        msg: "sshd -t output: {{ sshd_test.stderr | default('OK') }}"
-      when: sshd_test.rc != 0
-
-    - name: Show generated sshd_config if test failed
-      ansible.builtin.command: cat /etc/ssh/sshd_config
-      register: sshd_config_content
-      when: sshd_test.rc != 0
-      changed_when: false
-
-    - name: Display sshd_config content
-      ansible.builtin.debug:
-        msg: "{{ sshd_config_content.stdout_lines }}"
-      when: sshd_test.rc != 0 and sshd_config_content is defined
-
-    # Manually reload SSH since we disabled ssh_server_enabled to skip the role's handler
-    # Try reload first, fall back to restart if reload fails (Ubuntu 24.04 quirk)
-    - name: Reload SSH service to apply hardening config
-      ansible.builtin.systemd:
-        name: ssh
-        state: reloaded
-      when: sshd_test.rc == 0
-      register: ssh_reload_result
-      failed_when: false
-
-    - name: Restart SSH service if reload failed
-      ansible.builtin.systemd:
-        name: ssh
-        state: restarted
-      when: sshd_test.rc == 0 and ssh_reload_result is defined and ssh_reload_result.failed | default(false)
-
-    - name: Fail if sshd config is invalid
-      ansible.builtin.fail:
-        msg: "sshd configuration is invalid - SSH NOT reloaded. Fix config and retry."
-      when: sshd_test.rc != 0

infra/core-services/configuration/files/Caddyfile.j2

@@ -37,6 +37,17 @@
 {% if rewind_enabled | default(true) %}
 # Rewind API - external HTTPS port {{ rewind_api_external_port }} proxies to internal port {{ rewind_api_port }}
 {{ core_services_ip }}:{{ rewind_api_external_port }} {
+    # Handle CORS preflight requests
+    @cors_preflight method OPTIONS
+    handle @cors_preflight {
+        header Access-Control-Allow-Origin "{header.Origin}"
+        header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+        header Access-Control-Allow-Headers "Content-Type, Authorization"
+        header Access-Control-Allow-Credentials "true"
+        header Access-Control-Max-Age "86400"
+        respond "" 204
+    }
+
     reverse_proxy localhost:{{ rewind_api_port }}
 
     encode gzip zstd
@@ -49,9 +60,10 @@
     header {
         Strict-Transport-Security "max-age=31536000; includeSubDomains"
         X-Content-Type-Options "nosniff"
-        Access-Control-Allow-Origin "*"
-        Access-Control-Allow-Methods "GET, POST, OPTIONS"
+        Access-Control-Allow-Origin "{header.Origin}"
+        Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
         Access-Control-Allow-Headers "Content-Type, Authorization"
+        Access-Control-Allow-Credentials "true"
     }
 
     tls internal

marketplace

@@ -8,7 +8,8 @@ FROM base AS builder
 WORKDIR /app
 
 # Accept build arguments
-ARG VITE_API_URL=http://localhost:8429
+# Default to empty string - nginx proxies /api to the API container
+ARG VITE_API_URL=
 
 # Copy workspace files
 COPY package.json pnpm-workspace.yaml pnpm-lock.yaml ./

rewind/packages/web/Dockerfile

@@ -1,6 +1,9 @@
 import type { Project, Conversation } from './types';
 
-const API_URL = import.meta.env.VITE_API_URL || 'http://localhost:8429';
+// Use relative URL by default - nginx proxies /api to the API container
+// This eliminates cross-origin issues in production
+// VITE_API_URL can override for development or external API access
+const API_URL = import.meta.env.VITE_API_URL || '';
 
 async function handleResponse<T>(response: Response, errorMessage: string): Promise<T> {
   if (!response.ok) {

rewind/packages/web/app/lib/api-client.ts

@@ -10,6 +10,17 @@ server {
     gzip_min_length 1000;
     gzip_types text/plain text/css text/xml text/javascript application/javascript application/json;
 
+    # API proxy - forward /api requests to the API container
+    # This eliminates cross-origin issues when web and API are on different ports
+    location /api/ {
+        proxy_pass http://api:8429/api/;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
     # SPA routing - serve index.html for all routes
     location / {
         try_files $uri $uri/ /index.html;