Compare commits

...

5 commits

Author SHA1 Message Date
ac3f794578
forgejo: add fail2ban jail
All checks were successful
flake check / check (push) Successful in 8m4s
fmt check / check (push) Successful in 1m6s
2023-12-30 13:38:40 -05:00
e320317d27
traefik: pass forgejo hostheader 2023-12-30 13:38:19 -05:00
2e69421f10
security: update f2b 2023-12-30 13:33:47 -05:00
5155280203
forgejo: init mailer 2023-12-30 11:58:26 -05:00
8070852806
sops: add smtp-pwd 2023-12-30 11:57:56 -05:00
4 changed files with 55 additions and 11 deletions

View file

@ -1,14 +1,20 @@
{lib, ...}: {
{
lib,
config,
...
}: {
sops.secrets.smtp2go-pwd = {owner = "forgejo";};
networking.firewall.allowedTCPPorts = [2222];
services.forgejo = {
enable = true;
stateDir = "/var/lib/forgejo";
settings = {
service.DISABLE_REGISTRATION = true;
service.DISABLE_REGISTRATION = false;
DEFAULT.APP_NAME = "forgejo";
log.LEVEL = "Debug";
ui = {
DEFAULT_THEME = "forgejo-dark";
SHOW_USER_EMAIL = true;
};
actions = {
ENABLED = true;
@ -25,6 +31,9 @@
SSH_LISTEN_PORT = 2222;
SSH_LISTEN_HOST = "100.121.201.47";
};
session = {
COOKIE_SECURE = true;
};
database = {
DB_TYPE = lib.mkForce "postgres";
HOST = "192.168.1.211:5432";
@ -42,6 +51,32 @@
ENABLED_ISSUE_BY_REPOSITORY = true;
ENABLED_ISSUE_BY_LABEL = true;
};
mailer = {
ENABLED = true;
FROM = "forgejo@flake.sh";
PROTOCOL = "smtp+starttls";
SMTP_ADDR = "mail.smtp2go.com";
SMTP_PORT = 587;
USER = "forgejo-mailer";
};
};
mailerPasswordFile = config.sops.secrets.smtp2go-pwd.path;
};
services.fail2ban.jails.forgejo = {
settings = {
filter = "forgejo";
action = ''iptables-allports'';
mode = "aggressive";
maxretry = 3;
findtime = 3600;
bantime = 900;
};
};
environment.etc = {
"fail2ban/filter.d/forgejo.conf".text = ''
[Definition]
failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>$
journalmatch = _SYSTEMD_UNIT=forgejo.service
'';
};
}

View file

@ -135,12 +135,15 @@
};
};
services = {
forgejo.loadBalancer = {
passHostHeader = true;
servers = [{url = "http://100.121.201.47:3200";}];
};
uptime-kuma.loadBalancer.servers = [{url = "http://100.104.42.96:4000";}];
gotify.loadBalancer.servers = [{url = "http://100.104.42.96:3000";}];
conduit.loadBalancer.servers = [{url = "http://100.121.201.47:6167";}];
authelia.loadBalancer.servers = [{url = "http://100.121.201.47:9091";}];
foundryvtt.loadBalancer.servers = [{url = "http://100.121.201.47:30000";}];
forgejo.loadBalancer.servers = [{url = "http://100.121.201.47:3200";}];
rustypaste.loadBalancer.servers = [{url = "http://100.121.201.47:8000";}];
grafana.loadBalancer.servers = [{url = "http://100.121.201.47:3100";}];
hedgedoc.loadBalancer.servers = [{url = "http://100.121.201.47:3300";}];

View file

@ -40,13 +40,16 @@
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
boot.kernelModules = ["tcp_bbr"];
# So we don't have to do this later...
services.openssh.settings.LogLevel = "VERBOSE";
security.acme = {
acceptTerms = true;
defaults.email = "github@notohh.dev";
};
services.fail2ban = {
enable = true;
bantime = "1h";
@ -55,15 +58,17 @@
"192.168.0.0/16"
"172.16.0.0/12"
"10.0.0.0/8"
"5.161.181.184/32"
"5.161.102.107/32"
"100.71.49.65/10"
"100.82.146.40/10"
];
jails.DEFAULT = {
jails = {
DEFAULT = {
settings = {
findtime = 100000;
mode = "aggressive";
};
};
};
};
}

View file

@ -12,6 +12,7 @@ snowflake-runner-token: ENC[AES256_GCM,data:CYtnZeCCd3IbNq95xCAoftYRxYf5QdZk1cw2
basegbot-runner-token: ENC[AES256_GCM,data:US3VkT2+S9sKPJ7zPNNBudV/884/cNfmEZVdmWHnL4WWdvUej5aIbQ==,iv:mEjU7DF4NCX7WwLP4+CxlV3aKZOkL7t6wyM4Mz7sPrg=,tag:JrMiiQ2TT3OET4iyO6pUog==,type:str]
searxng-secret: ENC[AES256_GCM,data:SSvspQVRp79zJq0hzaqzuJIWFtVUoaqHGH9PXUViiXb9UKJM34t82o2J5K69RcOSBL7HadqmxcT4Eh8e8ZUJnquD7rrPdWb2Ih4zS7MmG94=,iv:wrQNNU7CjzfePNe1tWEXmN30vC0jTp+PtgfI3/XH22g=,tag:QAt/QL846hLLIMLQZUM3mQ==,type:str]
neko-admin: ENC[AES256_GCM,data:E5goYrVyM2uQ1WLLHdcOzqX8gGO5EXJRqCRtaqAjrbUAeFRDU8A=,iv:Osh2SCeFYIvossZZ1NZH0xMrfhTcYAa6nssJhhmNNP0=,tag:m7shoTDw+Cya6Cg50yWaZg==,type:str]
smtp2go-pwd: ENC[AES256_GCM,data:03OCDnG73T8B2Q3TJLt1kg==,iv:QFI34ZoM88AuGvOwVmxsplkNKWFgwqBn1AFdHNREses=,tag:9YABs0nAh7Cx2vybuIW9sA==,type:str]
sops:
kms: []
gcp_kms: []
@ -27,8 +28,8 @@ sops:
YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt
5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-10T15:17:04Z"
mac: ENC[AES256_GCM,data:jUsI4YvoAkEAtRVz4CUQV3pJ7W7CYwOADUVeN2C9AleqVwfTuRlhQB8lVU+hEBcPY1ntMRHUnJmO9RO2xYQjJSVvAfLODCbhtMY7/s61jQa7r2gi7btlYHCOm1Qh3S4EusfyS22J2p39lF82GAyl6KHeXOmAFnGhpg8+PfKBL3I=,iv:oasWdhlkWuuU/LNrIHdgGTH5JuWqcuLjbDu9ohyRPAQ=,tag:oG6LsuuDh5D+33tR1ymY+Q==,type:str]
lastmodified: "2023-12-30T16:22:09Z"
mac: ENC[AES256_GCM,data:LV5mRsqxzOTGcmoTZRjfAw5713AbDvWWngcnmAJtCTNjWbFsnIuNwd452i0SHkHsV0czR1BemmHzHYIp+ZCUZGBYDQcBJjCMsYUdLGzNGAZeImc38C3pXK2Vu0WSIdHmECch21HEw0L8OI07v7MToCy4OS2ITm0OAXGFo0el0xI=,iv:k5/mDqkRsnyOdFjb+EPm782DEx4HdXUt3mb3tkYGp18=,tag:Flckc72wh4qM0t+OEfjDqg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1