lew/nixos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: lew:3bc8264d276e874e79d50582f1d131e76597487e
Branches Tags
lew:main
..
compare: lew:60d300cb438562079398bef64c6d3790fd3e7137
Branches Tags
lew:main

No commits in common. "3bc8264d276e874e79d50582f1d131e76597487e" and "60d300cb438562079398bef64c6d3790fd3e7137" have entirely different histories.
3bc8264d27 ... 60d300cb43

3 changed files with 0 additions and 90 deletions
Download patch file Download diff file Expand all files Collapse all files

2
hosts/lab/default.nix
View file

@ -7,8 +7,6 @@
./dokuwiki.nix ./dokuwiki.nix
./forgejo.nix ./forgejo.nix
./wynne.nix ./wynne.nix
./fail2ban.nix
./uptime-kuma.nix
]; ];
networking.hostName = "lab"; networking.hostName = "lab";

61
hosts/lab/fail2ban.nix
View file

@ -1,61 +0,0 @@
{ ... }:
{
services.fail2ban = {
enable = true;
maxretry = 5;
bantime = "1h";
bantime-increment = {
enable = true;
maxtime = "168h";
overalljails = true;
};
ignoreIP = [ "127.0.0.1/8" "::1" ];
jails = {
# SSH jail auto-created by NixOS — just tighten the limits
sshd.settings = {
maxretry = 3;
findtime = "15m";
};
forgejo.settings = {
enabled = true;
port = "http,https,4201";
filter = "forgejo";
backend = "systemd";
journalmatch = "_SYSTEMD_UNIT=forgejo.service";
maxretry = 5;
findtime = "10m";
};
caddy-status.settings = {
enabled = true;
port = "http,https";
filter = "caddy-status";
backend = "systemd";
journalmatch = "_SYSTEMD_UNIT=caddy.service";
maxretry = 10;
findtime = "10m";
};
};
};
# Enable Caddy access logging (to journal via stderr)
services.caddy.globalConfig = ''
servers {
logs
}
'';
environment.etc."fail2ban/filter.d/forgejo.conf".text = ''
[Definition]
failregex = ^.*Failed authentication attempt for .* from <HOST>
ignoreregex =
'';
environment.etc."fail2ban/filter.d/caddy-status.conf".text = ''
[Definition]
failregex = ^.*"client_ip":"<HOST>".*"status":\s*(401|403)
ignoreregex =
'';
}

27
hosts/lab/uptime-kuma.nix
View file

@ -1,27 +0,0 @@
{ ... }:
{
services.caddy.virtualHosts."status.ily.rs" = {
extraConfig = ''
reverse_proxy localhost:3001
encode zstd gzip
'';
};
services.caddy.virtualHosts."status.wynne.rs" = {
extraConfig = ''
redir https://status.ily.rs{uri} permanent
'';
};
virtualisation.oci-containers.containers.uptime-kuma = {
image = "louislam/uptime-kuma:1";
podman.user = "podman";
volumes = [
"/srv/uptime-kuma/data:/app/data"
];
ports = [ "127.0.0.1:3001:3001" ];
};
# Workaround for NixOS/nixpkgs#410857 until backport of #475089 lands
systemd.services.podman-uptime-kuma.serviceConfig.Delegate = true;
}