
No commits in common. "ac3f7945788f96a5ee96ab2d2eb580b7e98ef6f7" and "e4d9fe3b4dc310331ef59e88d5312fa69d3e8754" have entirely different histories.

4 changed files with 11 additions and 55 deletions


@ -1,20 +1,14 @@
{ {lib, ...}: {
lib,
config,
...
}: {
sops.secrets.smtp2go-pwd = {owner = "forgejo";};
networking.firewall.allowedTCPPorts = [2222]; networking.firewall.allowedTCPPorts = [2222];
services.forgejo = { services.forgejo = {
enable = true; enable = true;
stateDir = "/var/lib/forgejo"; stateDir = "/var/lib/forgejo";
settings = { settings = {
service.DISABLE_REGISTRATION = false; service.DISABLE_REGISTRATION = true;
DEFAULT.APP_NAME = "forgejo"; DEFAULT.APP_NAME = "forgejo";
log.LEVEL = "Debug"; log.LEVEL = "Debug";
ui = { ui = {
DEFAULT_THEME = "forgejo-dark"; DEFAULT_THEME = "forgejo-dark";
SHOW_USER_EMAIL = true;
}; };
actions = { actions = {
ENABLED = true; ENABLED = true;
@ -31,9 +25,6 @@
SSH_LISTEN_PORT = 2222; SSH_LISTEN_PORT = 2222;
SSH_LISTEN_HOST = "100.121.201.47"; SSH_LISTEN_HOST = "100.121.201.47";
}; };
session = {
COOKIE_SECURE = true;
};
database = { database = {
DB_TYPE = lib.mkForce "postgres"; DB_TYPE = lib.mkForce "postgres";
HOST = "192.168.1.211:5432"; HOST = "192.168.1.211:5432";
@ -51,32 +42,6 @@
ENABLED_ISSUE_BY_REPOSITORY = true; ENABLED_ISSUE_BY_REPOSITORY = true;
ENABLED_ISSUE_BY_LABEL = true; ENABLED_ISSUE_BY_LABEL = true;
}; };
mailer = {
ENABLED = true;
FROM = "forgejo@flake.sh";
PROTOCOL = "smtp+starttls";
SMTP_ADDR = "mail.smtp2go.com";
SMTP_PORT = 587;
USER = "forgejo-mailer";
};
}; };
mailerPasswordFile = config.sops.secrets.smtp2go-pwd.path;
};
services.fail2ban.jails.forgejo = {
settings = {
filter = "forgejo";
action = ''iptables-allports'';
mode = "aggressive";
maxretry = 3;
findtime = 3600;
bantime = 900;
};
};
environment.etc = {
"fail2ban/filter.d/forgejo.conf".text = ''
[Definition]
failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>$
journalmatch = _SYSTEMD_UNIT=forgejo.service
'';
}; };
} }
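Review bot: The new side of `services.forgejo.settings` no longer sets `session.COOKIE_SECURE = true;`, so the session cookie's Secure attribute falls back to whatever the module or Forgejo default is. That default is worth confirming, since Forgejo appears to be served through the reverse proxy configured in the next file; keeping the line makes the intent explicit. The same section also drops `services.fail2ban.jails.forgejo` and its `fail2ban/filter.d/forgejo.conf` filter, so failed web logins are no longer throttled at the host level. `service.DISABLE_REGISTRATION = true` stops new sign-ups but does not cover password guessing against existing accounts. `log.LEVEL = "Debug"` is unchanged on both sides and is worth lowering to `"Info"` outside troubleshooting, because debug logs tend to carry more request detail than a long-lived log should hold.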


@ -135,15 +135,12 @@
}; };
}; };
services = { services = {
forgejo.loadBalancer = {
passHostHeader = true;
servers = [{url = "http://100.121.201.47:3200";}];
};
uptime-kuma.loadBalancer.servers = [{url = "http://100.104.42.96:4000";}]; uptime-kuma.loadBalancer.servers = [{url = "http://100.104.42.96:4000";}];
gotify.loadBalancer.servers = [{url = "http://100.104.42.96:3000";}]; gotify.loadBalancer.servers = [{url = "http://100.104.42.96:3000";}];
conduit.loadBalancer.servers = [{url = "http://100.121.201.47:6167";}]; conduit.loadBalancer.servers = [{url = "http://100.121.201.47:6167";}];
authelia.loadBalancer.servers = [{url = "http://100.121.201.47:9091";}]; authelia.loadBalancer.servers = [{url = "http://100.121.201.47:9091";}];
foundryvtt.loadBalancer.servers = [{url = "http://100.121.201.47:30000";}]; foundryvtt.loadBalancer.servers = [{url = "http://100.121.201.47:30000";}];
forgejo.loadBalancer.servers = [{url = "http://100.121.201.47:3200";}];
rustypaste.loadBalancer.servers = [{url = "http://100.121.201.47:8000";}]; rustypaste.loadBalancer.servers = [{url = "http://100.121.201.47:8000";}];
grafana.loadBalancer.servers = [{url = "http://100.121.201.47:3100";}]; grafana.loadBalancer.servers = [{url = "http://100.121.201.47:3100";}];
hedgedoc.loadBalancer.servers = [{url = "http://100.121.201.47:3300";}]; hedgedoc.loadBalancer.servers = [{url = "http://100.121.201.47:3300";}];


@ -40,16 +40,13 @@
"net.ipv4.tcp_congestion_control" = "bbr"; "net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake"; "net.core.default_qdisc" = "cake";
}; };
boot.kernelModules = ["tcp_bbr"]; boot.kernelModules = ["tcp_bbr"];
services.openssh.settings.LogLevel = "VERBOSE"; # So we don't have to do this later...
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = "github@notohh.dev"; defaults.email = "github@notohh.dev";
}; };
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
bantime = "1h"; bantime = "1h";
@ -58,16 +55,14 @@
"192.168.0.0/16" "192.168.0.0/16"
"172.16.0.0/12" "172.16.0.0/12"
"10.0.0.0/8" "10.0.0.0/8"
"5.161.102.107/32" "5.161.181.184/32"
"100.71.49.65/10" "100.71.49.65/10"
"100.82.146.40/10" "100.82.146.40/10"
]; ];
jails = { jails.DEFAULT = {
DEFAULT = { settings = {
settings = { findtime = 100000;
findtime = 100000; mode = "aggressive";
mode = "aggressive";
};
}; };
}; };
}; };
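Review bot: Removing `services.openssh.settings.LogLevel = "VERBOSE";` in the first hunk while the DEFAULT jail keeps `mode = "aggressive"` likely narrows what the sshd jail can match. As far as I know, some pre-authentication failures (failed public-key attempts in particular) are only logged by sshd at VERBOSE, so either keep the line or confirm the jail still triggers on key-based guessing. In the address list at the top of the second hunk (presumably `ignoreIP`; its attribute name is outside the hunk), `"100.71.49.65/10"` and `"100.82.146.40/10"` both cover the whole 100.64.0.0/10 range, so every peer in that range is exempt from bans. If only two hosts are meant, the mask should be `/32`. Both hunks sit inside larger attribute sets that start and end outside the visible lines.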


@ -12,7 +12,6 @@ snowflake-runner-token: ENC[AES256_GCM,data:CYtnZeCCd3IbNq95xCAoftYRxYf5QdZk1cw2
basegbot-runner-token: ENC[AES256_GCM,data:US3VkT2+S9sKPJ7zPNNBudV/884/cNfmEZVdmWHnL4WWdvUej5aIbQ==,iv:mEjU7DF4NCX7WwLP4+CxlV3aKZOkL7t6wyM4Mz7sPrg=,tag:JrMiiQ2TT3OET4iyO6pUog==,type:str] basegbot-runner-token: ENC[AES256_GCM,data:US3VkT2+S9sKPJ7zPNNBudV/884/cNfmEZVdmWHnL4WWdvUej5aIbQ==,iv:mEjU7DF4NCX7WwLP4+CxlV3aKZOkL7t6wyM4Mz7sPrg=,tag:JrMiiQ2TT3OET4iyO6pUog==,type:str]
searxng-secret: ENC[AES256_GCM,data:SSvspQVRp79zJq0hzaqzuJIWFtVUoaqHGH9PXUViiXb9UKJM34t82o2J5K69RcOSBL7HadqmxcT4Eh8e8ZUJnquD7rrPdWb2Ih4zS7MmG94=,iv:wrQNNU7CjzfePNe1tWEXmN30vC0jTp+PtgfI3/XH22g=,tag:QAt/QL846hLLIMLQZUM3mQ==,type:str] searxng-secret: ENC[AES256_GCM,data:SSvspQVRp79zJq0hzaqzuJIWFtVUoaqHGH9PXUViiXb9UKJM34t82o2J5K69RcOSBL7HadqmxcT4Eh8e8ZUJnquD7rrPdWb2Ih4zS7MmG94=,iv:wrQNNU7CjzfePNe1tWEXmN30vC0jTp+PtgfI3/XH22g=,tag:QAt/QL846hLLIMLQZUM3mQ==,type:str]
neko-admin: ENC[AES256_GCM,data:E5goYrVyM2uQ1WLLHdcOzqX8gGO5EXJRqCRtaqAjrbUAeFRDU8A=,iv:Osh2SCeFYIvossZZ1NZH0xMrfhTcYAa6nssJhhmNNP0=,tag:m7shoTDw+Cya6Cg50yWaZg==,type:str] neko-admin: ENC[AES256_GCM,data:E5goYrVyM2uQ1WLLHdcOzqX8gGO5EXJRqCRtaqAjrbUAeFRDU8A=,iv:Osh2SCeFYIvossZZ1NZH0xMrfhTcYAa6nssJhhmNNP0=,tag:m7shoTDw+Cya6Cg50yWaZg==,type:str]
smtp2go-pwd: ENC[AES256_GCM,data:03OCDnG73T8B2Q3TJLt1kg==,iv:QFI34ZoM88AuGvOwVmxsplkNKWFgwqBn1AFdHNREses=,tag:9YABs0nAh7Cx2vybuIW9sA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -28,8 +27,8 @@ sops:
YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt
5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ== 5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-30T16:22:09Z" lastmodified: "2023-12-10T15:17:04Z"
mac: ENC[AES256_GCM,data:LV5mRsqxzOTGcmoTZRjfAw5713AbDvWWngcnmAJtCTNjWbFsnIuNwd452i0SHkHsV0czR1BemmHzHYIp+ZCUZGBYDQcBJjCMsYUdLGzNGAZeImc38C3pXK2Vu0WSIdHmECch21HEw0L8OI07v7MToCy4OS2ITm0OAXGFo0el0xI=,iv:k5/mDqkRsnyOdFjb+EPm782DEx4HdXUt3mb3tkYGp18=,tag:Flckc72wh4qM0t+OEfjDqg==,type:str] mac: ENC[AES256_GCM,data:jUsI4YvoAkEAtRVz4CUQV3pJ7W7CYwOADUVeN2C9AleqVwfTuRlhQB8lVU+hEBcPY1ntMRHUnJmO9RO2xYQjJSVvAfLODCbhtMY7/s61jQa7r2gi7btlYHCOm1Qh3S4EusfyS22J2p39lF82GAyl6KHeXOmAFnGhpg8+PfKBL3I=,iv:oasWdhlkWuuU/LNrIHdgGTH5JuWqcuLjbDu9ohyRPAQ=,tag:oG6LsuuDh5D+33tR1ymY+Q==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1