notohh/snowflake
notohh/snowflake
1
0
Fork 0
Code Issues Pull requests Projects 1 Releases Packages Wiki Activity

Compare commits

base: notohh:e4d9fe3b4dc310331ef59e88d5312fa69d3e8754
Branches Tags
notohh:master
...
compare: notohh:ac3f7945788f96a5ee96ab2d2eb580b7e98ef6f7
Branches Tags
notohh:master

5 commits
e4d9fe3b4d ... ac3f794578

Author SHA1 Message Date
notohh
ac3f794578
forgejo: add fail2ban jail
All checks were successful
flake check / check (push) Successful in 8m4s
fmt check / check (push) Successful in 1m6s
 2023-12-30 13:38:40 -05:00
notohh
e320317d27
traefik: pass forgejo hostheader 2023-12-30 13:38:19 -05:00
notohh
2e69421f10
security: update f2b 2023-12-30 13:33:47 -05:00
notohh
5155280203
forgejo: init mailer 2023-12-30 11:58:26 -05:00
notohh
8070852806
sops: add smtp-pwd 2023-12-30 11:57:56 -05:00
4 changed files with 55 additions and 11 deletions
Show stats Expand all files Collapse all files

39
hosts/sakura/services/forgejo.nix
View file

@ -1,14 +1,20 @@
{lib, ...}: { {
lib,
config,
...
}: {
sops.secrets.smtp2go-pwd = {owner = "forgejo";};
networking.firewall.allowedTCPPorts = [2222]; networking.firewall.allowedTCPPorts = [2222];
services.forgejo = { services.forgejo = {
enable = true; enable = true;
stateDir = "/var/lib/forgejo"; stateDir = "/var/lib/forgejo";
settings = { settings = {
service.DISABLE_REGISTRATION = true; service.DISABLE_REGISTRATION = false;
DEFAULT.APP_NAME = "forgejo"; DEFAULT.APP_NAME = "forgejo";
log.LEVEL = "Debug"; log.LEVEL = "Debug";
ui = { ui = {
DEFAULT_THEME = "forgejo-dark"; DEFAULT_THEME = "forgejo-dark";
SHOW_USER_EMAIL = true;
}; };
actions = { actions = {
ENABLED = true; ENABLED = true;
@ -25,6 +31,9 @@
SSH_LISTEN_PORT = 2222; SSH_LISTEN_PORT = 2222;
SSH_LISTEN_HOST = "100.121.201.47"; SSH_LISTEN_HOST = "100.121.201.47";
}; };
session = {
COOKIE_SECURE = true;
};
database = { database = {
DB_TYPE = lib.mkForce "postgres"; DB_TYPE = lib.mkForce "postgres";
HOST = "192.168.1.211:5432"; HOST = "192.168.1.211:5432";
@ -42,6 +51,32 @@
ENABLED_ISSUE_BY_REPOSITORY = true; ENABLED_ISSUE_BY_REPOSITORY = true;
ENABLED_ISSUE_BY_LABEL = true; ENABLED_ISSUE_BY_LABEL = true;
}; };
mailer = {
ENABLED = true;
FROM = "forgejo@flake.sh";
PROTOCOL = "smtp+starttls";
SMTP_ADDR = "mail.smtp2go.com";
SMTP_PORT = 587;
USER = "forgejo-mailer";
};
};
mailerPasswordFile = config.sops.secrets.smtp2go-pwd.path;
};
services.fail2ban.jails.forgejo = {
settings = {
filter = "forgejo";
action = ''iptables-allports'';
mode = "aggressive";
maxretry = 3;
findtime = 3600;
bantime = 900;
}; };
}; };
environment.etc = {
"fail2ban/filter.d/forgejo.conf".text = ''
[Definition]
failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>$
journalmatch = _SYSTEMD_UNIT=forgejo.service
'';
};
} }

5
hosts/sora/services/traefik.nix
View file

@ -135,12 +135,15 @@
}; };
}; };
services = { services = {
forgejo.loadBalancer = {
passHostHeader = true;
servers = [{url = "http://100.121.201.47:3200";}];
};
uptime-kuma.loadBalancer.servers = [{url = "http://100.104.42.96:4000";}]; uptime-kuma.loadBalancer.servers = [{url = "http://100.104.42.96:4000";}];
gotify.loadBalancer.servers = [{url = "http://100.104.42.96:3000";}]; gotify.loadBalancer.servers = [{url = "http://100.104.42.96:3000";}];
conduit.loadBalancer.servers = [{url = "http://100.121.201.47:6167";}]; conduit.loadBalancer.servers = [{url = "http://100.121.201.47:6167";}];
authelia.loadBalancer.servers = [{url = "http://100.121.201.47:9091";}]; authelia.loadBalancer.servers = [{url = "http://100.121.201.47:9091";}];
foundryvtt.loadBalancer.servers = [{url = "http://100.121.201.47:30000";}]; foundryvtt.loadBalancer.servers = [{url = "http://100.121.201.47:30000";}];
forgejo.loadBalancer.servers = [{url = "http://100.121.201.47:3200";}];
rustypaste.loadBalancer.servers = [{url = "http://100.121.201.47:8000";}]; rustypaste.loadBalancer.servers = [{url = "http://100.121.201.47:8000";}];
grafana.loadBalancer.servers = [{url = "http://100.121.201.47:3100";}]; grafana.loadBalancer.servers = [{url = "http://100.121.201.47:3100";}];
hedgedoc.loadBalancer.servers = [{url = "http://100.121.201.47:3300";}]; hedgedoc.loadBalancer.servers = [{url = "http://100.121.201.47:3300";}];

17
modules/security.nix
View file

@ -40,13 +40,16 @@
"net.ipv4.tcp_congestion_control" = "bbr"; "net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake"; "net.core.default_qdisc" = "cake";
}; };
boot.kernelModules = ["tcp_bbr"]; boot.kernelModules = ["tcp_bbr"];
# So we don't have to do this later... services.openssh.settings.LogLevel = "VERBOSE";
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = "github@notohh.dev"; defaults.email = "github@notohh.dev";
}; };
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
bantime = "1h"; bantime = "1h";
@ -55,14 +58,16 @@
"192.168.0.0/16" "192.168.0.0/16"
"172.16.0.0/12" "172.16.0.0/12"
"10.0.0.0/8" "10.0.0.0/8"
"5.161.181.184/32" "5.161.102.107/32"
"100.71.49.65/10" "100.71.49.65/10"
"100.82.146.40/10" "100.82.146.40/10"
]; ];
jails.DEFAULT = { jails = {
settings = { DEFAULT = {
findtime = 100000; settings = {
mode = "aggressive"; findtime = 100000;
mode = "aggressive";
};
}; };
}; };
}; };

5
secrets/secrets.yaml
View file

@ -12,6 +12,7 @@ snowflake-runner-token: ENC[AES256_GCM,data:CYtnZeCCd3IbNq95xCAoftYRxYf5QdZk1cw2
basegbot-runner-token: ENC[AES256_GCM,data:US3VkT2+S9sKPJ7zPNNBudV/884/cNfmEZVdmWHnL4WWdvUej5aIbQ==,iv:mEjU7DF4NCX7WwLP4+CxlV3aKZOkL7t6wyM4Mz7sPrg=,tag:JrMiiQ2TT3OET4iyO6pUog==,type:str] basegbot-runner-token: ENC[AES256_GCM,data:US3VkT2+S9sKPJ7zPNNBudV/884/cNfmEZVdmWHnL4WWdvUej5aIbQ==,iv:mEjU7DF4NCX7WwLP4+CxlV3aKZOkL7t6wyM4Mz7sPrg=,tag:JrMiiQ2TT3OET4iyO6pUog==,type:str]
searxng-secret: ENC[AES256_GCM,data:SSvspQVRp79zJq0hzaqzuJIWFtVUoaqHGH9PXUViiXb9UKJM34t82o2J5K69RcOSBL7HadqmxcT4Eh8e8ZUJnquD7rrPdWb2Ih4zS7MmG94=,iv:wrQNNU7CjzfePNe1tWEXmN30vC0jTp+PtgfI3/XH22g=,tag:QAt/QL846hLLIMLQZUM3mQ==,type:str] searxng-secret: ENC[AES256_GCM,data:SSvspQVRp79zJq0hzaqzuJIWFtVUoaqHGH9PXUViiXb9UKJM34t82o2J5K69RcOSBL7HadqmxcT4Eh8e8ZUJnquD7rrPdWb2Ih4zS7MmG94=,iv:wrQNNU7CjzfePNe1tWEXmN30vC0jTp+PtgfI3/XH22g=,tag:QAt/QL846hLLIMLQZUM3mQ==,type:str]
neko-admin: ENC[AES256_GCM,data:E5goYrVyM2uQ1WLLHdcOzqX8gGO5EXJRqCRtaqAjrbUAeFRDU8A=,iv:Osh2SCeFYIvossZZ1NZH0xMrfhTcYAa6nssJhhmNNP0=,tag:m7shoTDw+Cya6Cg50yWaZg==,type:str] neko-admin: ENC[AES256_GCM,data:E5goYrVyM2uQ1WLLHdcOzqX8gGO5EXJRqCRtaqAjrbUAeFRDU8A=,iv:Osh2SCeFYIvossZZ1NZH0xMrfhTcYAa6nssJhhmNNP0=,tag:m7shoTDw+Cya6Cg50yWaZg==,type:str]
smtp2go-pwd: ENC[AES256_GCM,data:03OCDnG73T8B2Q3TJLt1kg==,iv:QFI34ZoM88AuGvOwVmxsplkNKWFgwqBn1AFdHNREses=,tag:9YABs0nAh7Cx2vybuIW9sA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -27,8 +28,8 @@ sops:
YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt
5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ== 5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-10T15:17:04Z" lastmodified: "2023-12-30T16:22:09Z"
mac: ENC[AES256_GCM,data:jUsI4YvoAkEAtRVz4CUQV3pJ7W7CYwOADUVeN2C9AleqVwfTuRlhQB8lVU+hEBcPY1ntMRHUnJmO9RO2xYQjJSVvAfLODCbhtMY7/s61jQa7r2gi7btlYHCOm1Qh3S4EusfyS22J2p39lF82GAyl6KHeXOmAFnGhpg8+PfKBL3I=,iv:oasWdhlkWuuU/LNrIHdgGTH5JuWqcuLjbDu9ohyRPAQ=,tag:oG6LsuuDh5D+33tR1ymY+Q==,type:str] mac: ENC[AES256_GCM,data:LV5mRsqxzOTGcmoTZRjfAw5713AbDvWWngcnmAJtCTNjWbFsnIuNwd452i0SHkHsV0czR1BemmHzHYIp+ZCUZGBYDQcBJjCMsYUdLGzNGAZeImc38C3pXK2Vu0WSIdHmECch21HEw0L8OI07v7MToCy4OS2ITm0OAXGFo0el0xI=,iv:k5/mDqkRsnyOdFjb+EPm782DEx4HdXUt3mb3tkYGp18=,tag:Flckc72wh4qM0t+OEfjDqg==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1