Harden quarantine provisioning; enforce strict permissions and update Ansible and docs

config/upload-logger.prod.json

@@ -0,0 +1,43 @@
+{
+  "modules": {
+    "flood": true,
+    "mime_sniff": true,
+    "base64_detection": true,
+    "quarantine": true,
+    "archive_inspect": true
+  },
+  "paths": {
+    "quarantine_dir": "/var/lib/upload-logger/quarantine",
+    "state_dir": "/var/lib/upload-logger/state",
+    "allowlist_file": "/etc/upload-logger/allowlist.json"
+  },
+  "limits": {
+    "max_size": 52428800,
+    "raw_body_min": 512000,
+    "sniff_max_bytes": 8192,
+    "sniff_max_filesize": 2097152,
+    "hash_max_filesize": 10485760,
+    "flood_max_uploads": 40,
+    "archive_max_entries": 200,
+    "archive_max_inspect_size": 52428800
+  },
+  "ops": {
+    "block_suspicious": false,
+    "quarantine_enabled": true,
+    "archive_block_on_suspicious": false,
+    "log_user_agent": true,
+    "trusted_proxy_ips": ["127.0.0.1", "::1"]
+  },
+  "allowlists": {
+    "base64_uris": [],
+    "ctypes": []
+  },
+  "detectors": {
+    "content": {
+      "sniff_max_bytes": 8192,
+      "sniff_max_filesize": 2097152,
+      "allow_xml_eval": false,
+      "custom_patterns": []
+    }
+  }
+}