From 59ff6c1340bb3f9f6418121a1af3fa1ec079e98a Mon Sep 17 00:00:00 2001 From: Jet Date: Sat, 14 Mar 2026 18:38:58 -0700 Subject: [PATCH 1/6] update: use the new remote ssh key --- secrets/b2-account-id.age | Bin 348 -> 348 bytes secrets/b2-application-key.age | 12 ++++++------ secrets/discord-bot-token.age | 13 ++++++------- secrets/grafana-admin-password.age | Bin 367 -> 367 bytes secrets/grafana-secret-key.age | 12 ++++++------ secrets/minecraft-seed.age | Bin 367 -> 367 bytes secrets/secrets.nix | 2 +- secrets/tailscale-auth-key.age | Bin 384 -> 384 bytes 8 files changed, 19 insertions(+), 20 deletions(-) diff --git a/secrets/b2-account-id.age b/secrets/b2-account-id.age index df8dbf54040a6d846d32401726ff3a58bb86de21..888d950779879f1afbfb6ca0cd091f2819d5d31f 100644 GIT binary patch delta 320 zcmcb^bcbnzYJHxcwx@BRf}dY%m`jnDwwsx`TTwwyO1MjLm4Aw#v!j=LMOtJ@x=C`P zv2#&SMTt{BS8~2vnNNyYwsu5@aY1CHQ&O^-S$=6$YD%i7VMM-#Np@C&iDRl$aZqU} zm#&>cadC!jYKoDmsiCDpRA#w(V!482xlu-$M{!DNMSYM0Vr61cwo`U!Xt2JKd!lPpvX{SCN}!v2YOZIoadL5lrE^G> zf4WglN_jq)uCA^^WIL7+ipVt{sVMv7ON zdulmXuBDgyqg@MDdr3On*>RfZhUL1gE5C)#`S4z3_c!wp^BqDAN8g7Y4lVx^{I?_T T#LX>?g`cyI1@7Ik(B>QfTEKOy delta 320 zcmcb^bcbnzYQ2SbMoF2Yf>*MWb5K^ed3a=apr>}Ywo!IoxmR9+S&>CVu6~eHxt~*1 zxVx8sN=bG$S71<)Z(>noWVlnRsh2^Hfk}=_S*m|#d6>CxNUpJ4iJO03g{gLaScyp_ zm#&>cadC!jYKoDmsiCDpRA#w(V!47xxU+diskujhQ@v}pU%88sUs8&DNT#EyXNp&* zSy)J9e!f|$qoqlJYmh5fo>^{DZmGFkSd=c$hwzPsso2u;^#x}$tA TY-8=8J}beRHPhDIXa5cWRS|OZ diff --git a/secrets/b2-application-key.age b/secrets/b2-application-key.age index f09294e..7b70e85 100644 --- a/secrets/b2-application-key.age +++ b/secrets/b2-application-key.age 
@@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 8KhtvA RPJwPm/DkUYfQlYSCa4s6KF5bV8ajDflEj+Gljgs1TI -aP54VuO6RYP/tLPIzOHDgRIKs1AirPu3zkYuvVamTjE --> ssh-ed25519 Ziw7aw DHkTEHLtrhSuSoNuv9zS5kgeKth3NtjUj8IVBiBch1k -/P9kmTW0z3oTuBtd8wv+tfbBWP4Y1ObhPbwnLeCJO/U ---- 6OuUgwkLM+4RkVychG8IVWRb9es4WimS6KI6jxCyPn4 -'^x`WAN;zV`m7G7vc]`M#=ֵ#K \ No newline at end of file +-> ssh-ed25519 nN+I3Q pvBHHJ8gvyYbp4UC7m/ftbk0AsSqhger/w2V3VnD2B8 +5mkBZwujtIYxtI9uaSbbHvHqslW2zRqigWqA9DHNLBU +-> ssh-ed25519 Ziw7aw MormurJwU7hFYfklN0G3AYJeG05fcfNP9P1uTL6woHQ +N8C5yyyJQJdf3vH7ym5/AkLyEr2MLRjxd5EG0B5OGto +--- t6FsZYSVfoqW8F9t4uIVqWajSV+eQ2t2VEC8Z3EJyIk +ߋ+cEH !\2󺇢X DDW#R \ No newline at end of file diff --git a/secrets/discord-bot-token.age b/secrets/discord-bot-token.age index 7553626..eeb495c 100644 --- a/secrets/discord-bot-token.age +++ b/secrets/discord-bot-token.age @@ -1,8 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 8KhtvA 14QBStvnxOU5fDg/fBWu7Klun03DfblZhFV1vWn/u2w -0/rGOHyVCh7AG0HBMCw8XAKkvKmtDXk32zDZFRVI+aE --> ssh-ed25519 Ziw7aw agcXQVvCtH88gSFhJH+g4vJDHFyqfMc7haOmqCWCtBs -ULjdXfTM1/3a6fXrqsH7rLPXCLOxT0DBbGnn5Y3znfo ---- rGogYk7dpYIqYP9Vg7oRu8ZghB0nYddMCpzz4GKCx0s -3b0 -j\>Cs.@&,%4fC1Eբ~ ȏͳ2۳b_2-*C~L͜=(QP+ -6 \ No newline at end of file +-> ssh-ed25519 nN+I3Q YmpwUlCii+a5JxJ7nYNJHRH/dqgabVrvRG4HAcDv80M +3G5MM3gJ0RBZQXz3WUetiXSSGEl2y+E1ZgyJ7Xp+bzg +-> ssh-ed25519 Ziw7aw 566UvTX3i6TgwVI+R+4xZMKDk2taODC4eSazhwnXpWs +DlWnZMQuO2UQsji3NqB9hJf3a0U+3m8jrp6YOwyNVdc +--- x6e0Gj888fGWJ99j/Vr995EwdilrY+kIFCsq5CKNAkQ +)NCpcv51o\imFs( )7@2O_w [E[7ZKx,rI[ndmNc \ No newline at end of file 
diff --git a/secrets/grafana-admin-password.age b/secrets/grafana-admin-password.age index 85b18a74d610228c1cd6d18e1a934768b4467107..69ce3c1105898f20162049af34220d232b718de9 100644 GIT binary patch delta 339 zcmaFQ^qy&gYJHxcwx@BRLXoADQ-PO(c5$I^g_*B@U_e1gl9^|oM?qq^xnE#}n_Ib2 zVtPnXnSZzimyusaKxv_0K&h#-V@i-=xKDDrQ--0DPimEqnU}whXOebRXogvGg^6c2 zm#&>cadC!jYKoDmsiCDpRA#w(V!48WiC2+DR6v+-XnjUOpnqzVNv2`2Z)vf4zF9@O zPkFhqPjXd7ab}rWcy2nEVXk(ikzav(NJ)x8TDpmmxkaL*S7Bb1k4KSrPP%zWu%WlP zdtOy!N_IMzuCA^^Uaq&Xe?fYpW1gW)Nnw_IX=+AZh>^2rVx&QFWLA=^aa3khqG5!K ziN7mXzt6M9{QrC{f2?0uCa1*ykU8Y{GNC-r1E$@V93LP5_P1qXOK$pn*C$)sBX5N4 n+go`5(xoqJ8dQBU_Q$aDTkH!e`!~;T*^R3vrMFM6SK$W$D_MP+ delta 339 zcmaFQ^qy&gYQ2SbMoF2YLPc4bmw%~aVuf3AgpYZCibcadC!jYKoDmsiCDpRA#w(V!1+DW@V~HmY0!1V7-2Bq;`Num|ta ssh-ed25519 8KhtvA HwJeI2xpphSyhSacAqEdmnzbJxNEuRN2sLv+sK0XqQI -11GS6HqXTQ0gksTZlJfVDwJ3PaLy1SD5D/J7QstK/bI --> ssh-ed25519 Ziw7aw 5S4mq+b1VAaMrXZrUfYowGfU/wR6aSql3wVOsKnbJEQ -c+DAvSndUItpBbFR1ce/SfL2AthJ7fW8Sdq+vja6L+s ---- wSQ+PDx7FR4mDl9Cw4ah/CS2JujL7uP+9ZexfD8KfgI -}|dLXOR UU)ʒ'jgPpm xC BV@ґ->6ԟ&` \ No newline at end of file +-> ssh-ed25519 nN+I3Q NoHPLxNkUs3bwE/lxtFJkHamKo4UwHa7rFhkUz5uZUM +KXs0AU1/wjd7yxnNRrQk8NNFD6XBZaNZNHLsT7hOLS8 +-> ssh-ed25519 Ziw7aw exDf6HgFViw+HSsvdqHdeVty06Krk3ku6vFJJMwi93A +0S/vjoRdk+sYifgz/B3t7Nkd6JNtWsBoJzlAUP94cmw +--- UTKoNnzmxwtve3lSyyLP52iQA0LT94Fr5sRsuVNJ6Y0 +oR5xeaTQsy_Hgq3;)Hk㥏a7N'cadC!jYKoDmsiCDpRA#w(V!493NrkJ6v8#(`NWF2nzqVndcDcKwc4D4!UVf56 zdP~*MqF+^J zmO(MsA)n$G0{^;qb6lSq&GJA??Bk?U*TdGWF_u-x*?gotwk_IUOHcM?#Y&yZdWLx$ n{MIJFOPv2(X|;&{iJTi%57*pRJ->_d7wh%fpMU4vw)qYKvekOp delta 339 zcmaFQ^qy&gYQ2SbMoF2YLULkhK$TNcP`H13NoZ<>Pid8xXE~WkIN~QBX>m zlbLTpdZs}+m$65Aw!2|Sv2#&mK~bbrd8%c4vT=^7rDbZCtA&MAq>poQx=E08inqBZ zm#&>cadC!jYKoDmsiCDpRA#w(V!482M2TNcPFZ-OTYX51hiAG$PJU2wq$muCA^^fnjk}vT=sCqkf8WQA$-=NRdUVyH{zXc|>5iX;DT>xno&Gihf{F zxVt0Q2cNCSv;M69xv;Ig`*!#z(^?- nwabI&#!DXk?{=3G-*22arSY92Z}+0J6%2d$zXr_P(6_^XJ%-a;uh=} zo|2cFVj6D3mF;h$9ir{+nde%T8*Eza9ieSurtRaeZ{Ta}WEt$4Ri#}X;uMr=nUNXE 
zrE8~9T%4hsnqp*XYG|ntm050{Sgw!}mXw~FkyoBqQt#>$;%*u0>|v4XW0-8=VU*|M z6qe#<=9(H->Kag~9caQ8UX^T6=wTjQTo@7(6k-?_=9Ezq9+Fm`@8y^lQQ&UkR#>W^ z9OhMN=AF!?tE;P!l~-g@mgHO#QJHKU;E@~^X%tcDmRA-P6do0joNnZ9o}CgEpq;5* zX4es^}LlXRM8m>ssm_7*ebs7N}p5>+N3Y zRchdv}}Zl;RznukDoM7-bS^>f@B?(Uw> zrE8~9T%4hsnqp*XYG|ntm050{Sguf-=u{kFZjut^R3A}UP-JSJWn7SC<{nn;>Qz-) zRBU9bZ5H6;?2}iT9O28AXQJ(GoSEzETjr6No35Samh2T2>gaA>=~)pH6dYohZkn53 zR#}x+Xl}u!tE;PEXrGzICvd)b F3;^lIgFpZP From c3e5a74f579f40c60dd17d5f0c5f4a366dbc294b Mon Sep 17 00:00:00 2001 From: Jet Date: Sat, 14 Mar 2026 18:38:58 -0700 Subject: [PATCH 2/6] feat: add more swap --- configuration.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/configuration.nix b/configuration.nix index ee25c38..b28b711 100644 --- a/configuration.nix +++ b/configuration.nix @@ -45,6 +45,16 @@ rsync ]; + zramSwap = { + enable = true; + memoryPercent = 50; + }; + + services.openssh.hostKeys = [{ + path = "/etc/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + }]; + users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu jetthomaspham@gmail.com" ]; From 1c2911162b400fc4808536318cd7dafd610ddf3e Mon Sep 17 00:00:00 2001 From: Jet Date: Sat, 14 Mar 2026 18:38:58 -0700 Subject: [PATCH 3/6] fix: ignore the minecraft ips --- modules/hardening.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/hardening.nix b/modules/hardening.nix index 9233354..fa7058f 100644 --- a/modules/hardening.nix +++ b/modules/hardening.nix @@ -35,6 +35,10 @@ enable = true; maxtime = "24h"; }; + ignoreIP = [ + "100.64.0.0/10" + "127.0.0.0/8" + ]; }; # ── Kernel hardening ── From 7ddd1d4f42de54da4f5cd3aa94d120f4ce503872 Mon Sep 17 00:00:00 2001 From: Jet Date: Sat, 14 Mar 2026 18:38:58 -0700 Subject: [PATCH 4/6] fix: remove useless secureity updates --- modules/hardening.nix | 6 ------ 1 file changed, 6 deletions(-) 
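Review bot: The `services.openssh.hostKeys` block in the configuration.nix hunk is unrelated to the swap change the subject describes and should be a separate commit, or at least carry a comment stating why the key set is being narrowed, e.g. `# generate/offer only the ed25519 host key (presumably the recipient patch 1 rekeys the age secrets to)`. Assigning this option replaces the NixOS default list (rsa + ed25519), so the RSA host key is no longer generated or offered; any client or tooling that still pins the RSA entry in known_hosts will be re-prompted and must be updated. The enclosing attribute set starts and ends outside the hunk.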
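Review bot: `ignoreIP = [ "100.64.0.0/10" ... ]` in the hardening.nix hunk exempts the whole CGNAT /10 from every jail, not only the Minecraft clients the subject mentions; if that range is the tailnet (the repo carries a tailscale auth key), no tailnet peer — nor any carrier-NAT source that reaches the host by another path — can ever be banned, including by the sshd jail. Consider listing the specific peer addresses, or placing the exemption in the Minecraft jail's own `ignoreip` setting instead of the global list, and add a comment naming the range, e.g. `# tailnet (CGNAT range) — Minecraft clients connect from here`. `127.0.0.0/8` here (and `::1/128` added in patch 6) is likely redundant with fail2ban's default `ignoreself = true`, though harmless. The enclosing fail2ban block starts outside the hunk.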
diff --git a/modules/hardening.nix b/modules/hardening.nix index fa7058f..6403df5 100644 --- a/modules/hardening.nix +++ b/modules/hardening.nix @@ -83,10 +83,4 @@ services.avahi.enable = false; services.printing.enable = false; - # ── Automatic security updates ── - system.autoUpgrade = { - enable = true; - allowReboot = false; - dates = "04:00"; - }; } From 2cdeb462e508bece26feb725c6098518786eabe4 Mon Sep 17 00:00:00 2001 From: Jet Date: Sat, 14 Mar 2026 18:46:00 -0700 Subject: [PATCH 5/6] update: update flake --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index af0d258..dd5aba2 100644 --- a/flake.lock +++ b/flake.lock @@ -52,11 +52,11 @@ ] }, "locked": { - "lastModified": 1773025010, - "narHash": "sha256-khlHllTsovXgT2GZ0WxT4+RvuMjNeR5OW0UYeEHPYQo=", + "lastModified": 1773506317, + "narHash": "sha256-qWKbLUJpavIpvOdX1fhHYm0WGerytFHRoh9lVck6Bh0=", "owner": "nix-community", "repo": "disko", - "rev": "7b9f7f88ab3b339f8142dc246445abb3c370d3d3", + "rev": "878ec37d6a8f52c6c801d0e2a2ad554c75b9353c", "type": "github" }, "original": { @@ -88,11 +88,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1773282481, - "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", + "lastModified": 1773389992, + "narHash": "sha256-wvfdLLWJ2I9oEpDd9PfMA8osfIZicoQ5MT1jIwNs9Tk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127", + "rev": "c06b4ae3d6599a672a6210b7021d699c351eebda", "type": "github" }, "original": { From bee7677e4376967640ee4c1ca10ad00b22fd0f56 Mon Sep 17 00:00:00 2001 From: Jet Date: Sat, 14 Mar 2026 18:46:00 -0700 Subject: [PATCH 6/6] fix: add Caddy redir to fail2ban --- modules/hardening.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/hardening.nix b/modules/hardening.nix index 6403df5..ca324ff 100644 --- a/modules/hardening.nix +++ b/modules/hardening.nix @@ -38,6 +38,7 @@ ignoreIP = [ "100.64.0.0/10" "127.0.0.0/8" + "::1/128" ]; };