fix: rate limits, fail2ban, readme, secret scheme

README.md

@@ -6,9 +6,13 @@ services:
 - forgejo (git.extremist.software)
 - stalwart (mail.extremist.software)
 - searxng (search.extremist.software)
-- conduit (matrix.extremist.software)
+- synapse (matrix.extremist.software)
-- caddy (reverse proxy)
 - grafana/prometheus (status.extremist.software)
+- uptime-kuma (uptime.extremist.software)
+- ntfy (ntfy.extremist.software)
+- mymx (mymx.extremist.software)
+- caddy (reverse proxy + rate limiting)
+- fail2ban
 
 ## Deployment
 
@@ -39,15 +43,15 @@ nix run github:nix-community/nixos-anywhere -- --store-paths \
   root@<TARGET_IP> | tee install.log
 ```
 
-### 3. Update Existing Server (No Wipe)
+### 4. Update Existing Server (No Wipe)
-Once the server is running NixOS, use `nh` to push updates. This repository provides `nh` via `direnv` (loaded from `flake.nix` devShell), so just run `direnv allow` first.
+Once the server is running NixOS, use the `nhs` script to push updates. This repository provides `nhs` and `nh` via `direnv` (loaded from `flake.nix` devShell), so just run `direnv allow` first.
 
 ```bash
-# Update via IP
+# Update via Tailscale (uses nhs convenience script)
-nh os switch --hostname extremist-software --target-host root@<TARGET_IP> --impure path:.
+nhs
 
-# Update via Tailscale (Once tailored up)
+# Or manually via IP
-nh os switch --hostname extremist-software --target-host root@extremist-software --impure path:.
+nh os switch --hostname extremist-software --target-host root@<TARGET_IP> --impure path:.
 ```
 
 repo uses `impure` build to load `secrets/secrets.nix` directly. no encrypted secrets in git.

configuration.nix

@@ -46,12 +46,31 @@
     settings.PermitRootLogin = "prohibit-password";
   };
 
+  # Fail2ban
+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+    bantime = "1h";
+    bantime-increment = {
+      enable = true;
+      maxtime = "168h";
+      overalljails = true;
+    };
+    ignoreIP = [
+      "100.64.0.0/10"
+      "127.0.0.0/8"
+    ];
+    jails.sshd.settings = {
+      backend = "systemd";
+      maxretry = 3;
+    };
+  };
+
   # nh (yet another nix helper)
   programs.nh = {
     enable = true;
     clean.enable = true;
     clean.extraArgs = "--keep 2";
-    flake = "/home/jet/Documents/extremist-software";
   };
 
   # System

modules/caddy.nix

@@ -3,7 +3,14 @@
 {
   services.caddy = {
     enable = true;
+    package = pkgs.caddy.withPlugins {
+      plugins = [ "github.com/mholt/caddy-ratelimit@v0.1.0" ];
+      hash = "sha256-MBYvVqWB9GK3LSWigeb4NOgclGA2qZTSUyBJMdB635M=";
+    };
     email = "postmaster@extremist.software";
+    globalConfig = ''
+      order rate_limit before basicauth
+    '';
     virtualHosts = {
       "extremist.software" = {
         useACMEHost = "extremist.software";
@@ -35,6 +42,13 @@
       
       "git.extremist.software" = {
         extraConfig = ''
+          rate_limit {
+            zone git_per_ip {
+              key {remote.ip}
+              events 120
+              window 1m
+            }
+          }
           reverse_proxy localhost:3000
         '';
       };
@@ -46,6 +60,13 @@
             root * /var/lib/acme/acme-challenge
             file_server
           }
+          rate_limit {
+            zone mail_per_ip {
+              key {remote.ip}
+              events 60
+              window 1m
+            }
+          }
           handle {
             reverse_proxy localhost:8080
           }
@@ -54,36 +75,78 @@
 
       "search.extremist.software" = {
         extraConfig = ''
+          rate_limit {
+            zone search_per_ip {
+              key {remote.ip}
+              events 60
+              window 1m
+            }
+          }
           reverse_proxy localhost:8082
         '';
       };
 
       "status.extremist.software" = {
         extraConfig = ''
+          rate_limit {
+            zone grafana_per_ip {
+              key {remote.ip}
+              events 120
+              window 1m
+            }
+          }
           reverse_proxy localhost:3001 # Grafana
         '';
       };
  
       "uptime.extremist.software" = {
         extraConfig = ''
+          rate_limit {
+            zone uptime_per_ip {
+              key {remote.ip}
+              events 60
+              window 1m
+            }
+          }
           reverse_proxy localhost:4001
         '';
       };
 
       "ntfy.extremist.software" = {
         extraConfig = ''
+          rate_limit {
+            zone ntfy_per_ip {
+              key {remote.ip}
+              events 120
+              window 1m
+            }
+          }
           reverse_proxy localhost:2586
         '';
       };
 
       "mymx.extremist.software" = {
         extraConfig = ''
+          rate_limit {
+            zone mymx_per_ip {
+              key {remote.ip}
+              events 60
+              window 1m
+            }
+          }
           reverse_proxy localhost:4002
         '';
       };
 
       "matrix.extremist.software" = {
         extraConfig = ''
+          rate_limit {
+            zone matrix_per_ip {
+              key {remote.ip}
+              events 240
+              window 1m
+            }
+          }
           reverse_proxy /_matrix/* 127.0.0.1:8008
           reverse_proxy /_synapse/client/* 127.0.0.1:8008
           reverse_proxy /.well-known/matrix/* 127.0.0.1:8008

secrets/secrets.nix.example

@@ -9,6 +9,7 @@
     minecraftRcon = "changeme_rcon";
     tailscaleKey = "tskey-auth-PLACEHOLDER";
     sshPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...";
+    grafanaSecret = "changeme_grafana_secret";
     matrixMacaroon = "changeme_matrix_macaroon_secret_key";
     ntfyAdminHash = "changeme_bcrypt_hash_from_ntfy_user_hash";
     mymxWebhookSecret = "changeme_mymx_webhook_secret";