diff --git a/README.md b/README.md
index 51dede9..0d12e21 100644
--- a/README.md
+++ b/README.md
@@ -6,9 +6,13 @@ services:
 - forgejo (git.extremist.software)
 - stalwart (mail.extremist.software)
 - searxng (search.extremist.software)
-- conduit (matrix.extremist.software)
-- caddy (reverse proxy)
+- synapse (matrix.extremist.software)
 - grafana/prometheus (status.extremist.software)
+- uptime-kuma (uptime.extremist.software)
+- ntfy (ntfy.extremist.software)
+- mymx (mymx.extremist.software)
+- caddy (reverse proxy + rate limiting)
+- fail2ban
 ## Deployment
@@ -39,15 +43,15 @@ nix run github:nix-community/nixos-anywhere -- --store-paths \
 root@ | tee install.log
 ```
-### 3. Update Existing Server (No Wipe)
-Once the server is running NixOS, use `nh` to push updates. This repository provides `nh` via `direnv` (loaded from `flake.nix` devShell), so just run `direnv allow` first.
+### 4. Update Existing Server (No Wipe)
+Once the server is running NixOS, use the `nhs` script to push updates. This repository provides `nhs` and `nh` via `direnv` (loaded from `flake.nix` devShell), so just run `direnv allow` first.
 ```bash
-# Update via IP
-nh os switch --hostname extremist-software --target-host root@ --impure path:.
+# Update via Tailscale (uses nhs convenience script)
+nhs
-# Update via Tailscale (Once tailored up)
-nh os switch --hostname extremist-software --target-host root@extremist-software --impure path:.
+# Or manually via IP
+nh os switch --hostname extremist-software --target-host root@ --impure path:.
 ```
 repo uses `impure` build to load `secrets/secrets.nix` directly. no encrypted secrets in git.
diff --git a/configuration.nix b/configuration.nix
index 4dfb701..3c62c92 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -46,12 +46,31 @@
 settings.PermitRootLogin = "prohibit-password";
 };
+ # Fail2ban
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ bantime = "1h";
+ bantime-increment = {
+ enable = true;
+ maxtime = "168h";
+ overalljails = true;
+ };
+ ignoreIP = [
+ "100.64.0.0/10"
+ "127.0.0.0/8"
+ ];
+ jails.sshd.settings = {
+ backend = "systemd";
+ maxretry = 3;
+ };
+ };
+
 # nh (yet another nix helper)
 programs.nh = {
 enable = true;
 clean.enable = true;
 clean.extraArgs = "--keep 2";
- flake = "/home/jet/Documents/extremist-software";
 };
 # System
diff --git a/modules/caddy.nix b/modules/caddy.nix
index 87ddcbc..399c5d3 100644
--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@@ -3,7 +3,14 @@
 {
 services.caddy = {
 enable = true;
+ package = pkgs.caddy.withPlugins {
+ plugins = [ "github.com/mholt/caddy-ratelimit@v0.1.0" ];
+ hash = "sha256-MBYvVqWB9GK3LSWigeb4NOgclGA2qZTSUyBJMdB635M=";
+ };
 email = "postmaster@extremist.software";
+ globalConfig = ''
+ order rate_limit before basicauth
+ '';
 virtualHosts = {
 "extremist.software" = {
 useACMEHost = "extremist.software";
@@ -35,6 +42,13 @@
 "git.extremist.software" = {
 extraConfig = ''
+ rate_limit {
+ zone git_per_ip {
+ key {remote.ip}
+ events 120
+ window 1m
+ }
+ }
 reverse_proxy localhost:3000
 '';
 };
@@ -46,6 +60,13 @@
 root * /var/lib/acme/acme-challenge
 file_server
 }
+ rate_limit {
+ zone mail_per_ip {
+ key {remote.ip}
+ events 60
+ window 1m
+ }
+ }
 handle {
 reverse_proxy localhost:8080
 }
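Review bot: `ignoreIP` exempts the IPv4 loopback (`127.0.0.0/8`) but not the IPv6 one, so an sshd failure logged from `::1` is bannable — fail2ban has handled IPv6 by default for several releases — and `"::1"` belongs next to it. The `100.64.0.0/10` entry is the whole CGNAT block, which presumably stands for the Tailscale-assigned range; a comment such as `# 100.64.0.0/10: Tailscale (CGNAT) range, never ban tailnet peers` would record that intent instead of leaving it to be guessed. With `bantime-increment.overalljails = true` a host's ban history is shared across jails, so any jail added later inherits the escalation up to `maxtime`; that deserves a one-line comment on `overalljails`. The `services.fail2ban` block starts and ends inside this hunk.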
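Review bot: Neither the `order rate_limit before basicauth` line nor the plugin `hash` says why it is there, and those are the two lines most likely to break on the next upgrade. Suggested comment above `globalConfig`: `# rate_limit is a third-party directive, so Caddy needs an explicit position in the handler chain; before basicauth so it runs ahead of auth and proxying`, and above `hash`: `# refresh together with the @v0.1.0 pin (rebuild with a dummy hash and copy the one Nix reports)`. The pinned version plus fixed-output hash is the right shape for a supply-chain-sensitive plugin; the comment just makes the coupling visible. The `services.caddy` attrset continues past the end of this hunk.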
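Review bot: `key {remote.ip}` is the raw TCP peer address, which is the correct choice while Caddy terminates the connection itself (no `trusted_proxies` is visible anywhere in this commit) because it cannot be influenced by client-supplied headers such as X-Forwarded-For. If a CDN or another proxy is ever placed in front, every client would then share one bucket and the limit would become a self-inflicted outage, so that assumption is worth recording on the first zone: `# keyed on the TCP peer on purpose: Caddy is the edge; switch to {client_ip} + trusted_proxies if a proxy is ever put in front`. The same applies to the `mail_per_ip` zone in the next hunk and to the six zones in the later hunk. The enclosing `virtualHosts` attrset starts and ends outside this hunk.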
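Review bot: The `mail_per_ip` stanza is placed between the ACME-challenge `handle` block (judging by `root * /var/lib/acme/acme-challenge` and `file_server`) and the proxy `handle` block, which reads as if it guarded only the latter, but a directive with no matcher applies to every request on the site and the global `order` line fixes when it runs, so challenge requests are counted as well. That is harmless at 60 events per minute, yet the placement invites a wrong reading; either move it above the first `handle` or add `# site-wide (no matcher): also counts ACME challenge requests` above it. The site block this hunk belongs to (presumably the mail host, from the zone name) starts before the hunk.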
@@ -54,36 +75,78 @@
 "search.extremist.software" = {
 extraConfig = ''
+ rate_limit {
+ zone search_per_ip {
+ key {remote.ip}
+ events 60
+ window 1m
+ }
+ }
 reverse_proxy localhost:8082
 '';
 };
 "status.extremist.software" = {
 extraConfig = ''
+ rate_limit {
+ zone grafana_per_ip {
+ key {remote.ip}
+ events 120
+ window 1m
+ }
+ }
 reverse_proxy localhost:3001 # Grafana
 '';
 };
 "uptime.extremist.software" = {
 extraConfig = ''
+ rate_limit {
+ zone uptime_per_ip {
+ key {remote.ip}
+ events 60
+ window 1m
+ }
+ }
 reverse_proxy localhost:4001
 '';
 };
 "ntfy.extremist.software" = {
 extraConfig = ''
+ rate_limit {
+ zone ntfy_per_ip {
+ key {remote.ip}
+ events 120
+ window 1m
+ }
+ }
 reverse_proxy localhost:2586
 '';
 };
 "mymx.extremist.software" = {
 extraConfig = ''
+ rate_limit {
+ zone mymx_per_ip {
+ key {remote.ip}
+ events 60
+ window 1m
+ }
+ }
 reverse_proxy localhost:4002
 '';
 };
 "matrix.extremist.software" = {
 extraConfig = ''
+ rate_limit {
+ zone matrix_per_ip {
+ key {remote.ip}
+ events 240
+ window 1m
+ }
+ }
 reverse_proxy /_matrix/* 127.0.0.1:8008
 reverse_proxy /_synapse/client/* 127.0.0.1:8008
 reverse_proxy /.well-known/matrix/* 127.0.0.1:8008
diff --git a/secrets/secrets.nix.example b/secrets/secrets.nix.example
index 7ac0f97..8307b22 100644
--- a/secrets/secrets.nix.example
+++ b/secrets/secrets.nix.example
@@ -9,6 +9,7 @@
 minecraftRcon = "changeme_rcon";
 tailscaleKey = "tskey-auth-PLACEHOLDER";
 sshPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...";
+ grafanaSecret = "changeme_grafana_secret";
 matrixMacaroon = "changeme_matrix_macaroon_secret_key";
 ntfyAdminHash = "changeme_bcrypt_hash_from_ntfy_user_hash";
 mymxWebhookSecret = "changeme_mymx_webhook_secret";
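Review bot: The seven-line `rate_limit` stanza is repeated verbatim for each of the six hosts in this hunk (and for the git and mail hosts in the two earlier hunks), differing only in zone name and `events`; a change to the key or window now has to be made eight times and one stale copy would be easy to miss. A small `let`-bound helper taking the zone name and budget keeps every host to a single interpolated line, as sketched below, and gives one place to document the keying choice. The `virtualHosts` attrset and the `matrix.extremist.software` block both continue past the end of the hunk.
```nix
let
  # One per-client-IP rate_limit zone; every virtualHost below uses it.
  mkRateLimit = zone: events: ''
    rate_limit {
      zone ${zone} {
        key {remote.ip}
        events ${toString events}
        window 1m
      }
    }
  '';
in
# … unchanged: services.caddy.enable / package / email / globalConfig …
"search.extremist.software" = {
  extraConfig = ''
    ${mkRateLimit "search_per_ip" 60}
    reverse_proxy localhost:8082
  '';
};
# … unchanged: the other hosts follow the same one-line pattern …
```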