fix: rate limits, fail2ban, readme, secret scheme

2026-03-04 16:32:53 -08:00 · 2026-03-04 16:32:53 -08:00 · bb20443241
commit bb20443241
parent ad8cb52169
4 changed files with 96 additions and 9 deletions
--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@ -3,7 +3,14 @@
 {
  services.caddy = {
    enable = true;
+    package = pkgs.caddy.withPlugins {
+      plugins = [ "github.com/mholt/caddy-ratelimit@v0.1.0" ];
+      hash = "sha256-MBYvVqWB9GK3LSWigeb4NOgclGA2qZTSUyBJMdB635M=";
+    };
    email = "postmaster@extremist.software";
+    globalConfig = ''
+      order rate_limit before basicauth
+    '';
    virtualHosts = {
      "extremist.software" = {
        useACMEHost = "extremist.software";
@ -35,6 +42,13 @@
      
      "git.extremist.software" = {
        extraConfig = ''
+          rate_limit {
+            zone git_per_ip {
+              key {remote.ip}
+              events 120
+              window 1m
+            }
+          }
          reverse_proxy localhost:3000
        '';
      };
@ -46,6 +60,13 @@
            root * /var/lib/acme/acme-challenge
            file_server
          }
+          rate_limit {
+            zone mail_per_ip {
+              key {remote.ip}
+              events 60
+              window 1m
+            }
+          }
          handle {
            reverse_proxy localhost:8080
          }
@ -54,36 +75,78 @@

      "search.extremist.software" = {
        extraConfig = ''
+          rate_limit {
+            zone search_per_ip {
+              key {remote.ip}
+              events 60
+              window 1m
+            }
+          }
          reverse_proxy localhost:8082
        '';
      };

      "status.extremist.software" = {
        extraConfig = ''
+          rate_limit {
+            zone grafana_per_ip {
+              key {remote.ip}
+              events 120
+              window 1m
+            }
+          }
          reverse_proxy localhost:3001 # Grafana
        '';
      };
 
      "uptime.extremist.software" = {
        extraConfig = ''
+          rate_limit {
+            zone uptime_per_ip {
+              key {remote.ip}
+              events 60
+              window 1m
+            }
+          }
          reverse_proxy localhost:4001
        '';
      };

      "ntfy.extremist.software" = {
        extraConfig = ''
+          rate_limit {
+            zone ntfy_per_ip {
+              key {remote.ip}
+              events 120
+              window 1m
+            }
+          }
          reverse_proxy localhost:2586
        '';
      };

      "mymx.extremist.software" = {
        extraConfig = ''
+          rate_limit {
+            zone mymx_per_ip {
+              key {remote.ip}
+              events 60
+              window 1m
+            }
+          }
          reverse_proxy localhost:4002
        '';
      };

      "matrix.extremist.software" = {
        extraConfig = ''
+          rate_limit {
+            zone matrix_per_ip {
+              key {remote.ip}
+              events 240
+              window 1m
+            }
+          }
          reverse_proxy /_matrix/* 127.0.0.1:8008
          reverse_proxy /_synapse/client/* 127.0.0.1:8008
          reverse_proxy /.well-known/matrix/* 127.0.0.1:8008