Update sops and haproxy configs

This commit is contained in:
albert 2024-08-05 21:16:28 +09:00
parent 9e29d53040
commit 0ea6dbbee8
Signed by: albert
GPG key ID: 3895DD267CA11BA9
5 changed files with 73 additions and 6 deletions


@ -68,6 +68,13 @@ creation_rules:
- *warsaw-ovh-01
- *nixos-desktop
- path_regex: secrets\/cloudflare\.yaml$
key_groups:
- pgp:
- *albert
- *osaka-linode-01
- *frankfurt-linode-01
# Containers
- path_regex: secrets\/containers\/rdesktop\.yaml$
key_groups:
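Review bot: The new rule for `secrets\/cloudflare\.yaml$` lists three PGP recipients (`*albert`, `*osaka-linode-01`, `*frankfurt-linode-01`), but the `secrets/cloudflare.yaml` added in this same commit carries only one `pgp` entry (fingerprint `4A89D6B44B7E423B647C7AE848FBC3335A26DED6`), so the two host keys cannot decrypt it and `sops.secrets."cloudflare/api_key"` will fail at activation on those hosts. This looks like the file was encrypted before the rule existed; re-key it with `sops updatekeys secrets/cloudflare.yaml` and commit the result, then verify the `sops.pgp` list in the file shows all three fingerprints. The enclosing `creation_rules` list starts before the hunk.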


@ -39,11 +39,11 @@
"fail2ban/action.d/action-ban-docker-forceful-browsing.conf".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
actionban = iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
iptables -A INPUT -s <ip> -j DROP
actionban = ${pkgs.iptables}/bin/iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
${pkgs.iptables}/bin/iptables -A INPUT -s <ip> -j DROP
actionunban = iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
iptables -D INPUT -s <ip> -j DROP
actionunban = ${pkgs.iptables}/bin/iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
${pkgs.iptables}/bin/iptables -D INPUT -s <ip> -j DROP
'');
};
}
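Review bot: The new `actionban`/`actionunban` lines call `${pkgs.iptables}/bin/iptables` without `-w`, so two bans fired close together can collide on the xtables lock and one invocation fails (fail2ban logs the error but the rule is not installed); fail2ban's bundled iptables actions pass `-w` for exactly this reason, e.g. `actionban = ${pkgs.iptables}/bin/iptables -w -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP` and the same on the `-A INPUT`, `-D DOCKER-USER` and `-D INPUT` lines. fail2ban also treats the second `iptables` line as a continuation of the same action only if it is indented more than the `actionban =` key; the rendered diff has lost indentation, so confirm the continuation lines are indented inside the `''` string. Worth a comment above the action, since the payload match is non-obvious: `# Match the spoofed/forwarded client IP in the HTTP payload (DOCKER-USER) and the source IP itself (INPUT); both rules must be removed symmetrically in actionunban.` The `.text` attribute opens and closes inside the hunk, but the enclosing module continues outside it.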


@ -57,12 +57,13 @@
timeout connect 10s
timeout client 30s
timeout server 30s
maxconn 3000
maxconn 30000
log global
frontend http
mode http
bind :80
option forwardfor
default_backend backend_http
frontend tcp
@ -71,6 +72,7 @@
bind :25565
bind :4443
bind :443
option forwardfor
default_backend backend_tcp
frontend mail
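Review bot: `option forwardfor` is an HTTP-only option, so the copy added to `frontend tcp` in the second hunk is ignored and HAProxy emits a warning at config check; the frontend's `mode` line is outside the hunk, but its name and binds (`:25565`, `:4443`, `:443`) strongly suggest it is `mode tcp`, in which case the line should be dropped — if the intent is to preserve the client address through the TCP proxy, that is done with `send-proxy` on the backend's `server` line plus PROXY-protocol support on the receiving side, not with `forwardfor`. The same line is added to `frontend mail` in the other haproxy config of this commit, where the frontend's `mode` is likewise outside the hunk. Raising `maxconn` to 30000 in `defaults` sets a per-proxy limit; confirm the `global` section's `maxconn` (not in the hunk) is sized to match, otherwise the global cap still governs.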


@ -50,6 +50,30 @@
};
};
sops.secrets."cloudflare/api_key" = {
owner = "haproxy";
sopsFile = ../../../secrets/cloufdlare.yaml;
};
security.acme = {
enable = true;
defaults = {
keyType = "pem";
group = "haproxy";
reloadServices = [ "haproxy" ];
email = "albert@sysctl.io";
credentialFiles = {
CF_Token = "/var/run/secrets/cloudflare/api_key"
};
};
certs = {
"sysctl.io" = {
directory = "/haproxy/";
};
};
};
services.haproxy = {
enable = true;
config = ''
@ -63,13 +87,14 @@
frontend http
mode http
bind :80
bind :443 ssl crt /haproxy
option forwardfor
default_backend backend_http
frontend tcp
mode tcp
bind :42420
bind :25565
bind :4443
bind :443
default_backend backend_tcp
@ -81,6 +106,7 @@
bind :587
bind :993
bind :4190
option forwardfor
default_backend backend_mail
backend backend_mail
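Review bot: The new `sops.secrets."cloudflare/api_key"` block points at `../../../secrets/cloufdlare.yaml`, which does not match the file this commit adds (`secrets/cloudflare.yaml`), so evaluation fails on a missing path; it should read `sopsFile = ../../../secrets/cloudflare.yaml;`. In the `security.acme` block, `CF_Token = "/var/run/secrets/cloudflare/api_key"` lacks its terminating `;`, which is a Nix parse error. In the second hunk `frontend http` now binds `:443 ssl crt /haproxy` while `frontend tcp` (visibly `mode tcp`) still has `bind :443`, so two listeners share the same port and, with HAProxy's default `SO_REUSEPORT` behaviour on Linux, incoming TLS connections are split between them unpredictably; one of the two `:443` binds has to go. `keyType = "pem"` and `directory = "/haproxy/"` also look wrong for `security.acme` (`keyType` expects a lego key type such as `ec256`, and `directory` is a computed option), and the secret is owned by `haproxy` while `credentialFiles` is read by the ACME service under its own user — confirm both against the module before merging.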

32
secrets/cloudflare.yaml Normal file

@ -0,0 +1,32 @@
api_key: ENC[AES256_GCM,data:qS4K1MeUqWmxMOCv5tHc+5+pqpS9kpt6LiVaEIlf7MfTiC+4,iv:FPSQ4AZu9Od6OwAZj+xrSrfOgjYkcOhyBzClWl7YdIM=,tag:MdcEiZfxMn4DhTzlF/VVbA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-08-05T12:15:34Z"
mac: ENC[AES256_GCM,data:1wKK0MlUj0ErqMOjkCtcNXpwHhwLUAsxq1Z3/5GrXtEhLOc66yUtlHW1/ZebbnipCBy6rPxGSu7gWSCGmUyapwCnKkONZBIJKE8NQ0MqYnrYPCi2ZKBcxhnaESFDoCSfgVucPPQWFbSZq21N7Z3R7M2iKIinJ522jM8Z0Ch7Yss=,iv:ckwxVUyH+ETnoVtdUpesTxzyfsshhCzSHiRacAGJ6/k=,tag:QCUvyOiwqUduTT4bM5h3qw==,type:str]
pgp:
- created_at: "2024-08-05T12:11:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwAAAAAAAAAAAQ/6AroKLfY1wV9v3/tKSDwhDdctQF2Tg7zZZSU4VQekthft
4r+TzI9FDBIfQb1YVhT5dWWMytPH8n4yQllD8HzH1rVaT0F1aNnXskNqTT5IQSbJ
Pp5n7mywrOpi3tkPbp1w1UDoWSyA5wZXUizMdkbGDyOv+IsA4Gyx9tT6UTqUzwJW
Ayu8JuX28BzOg3CZtKRGvyRgSTfOih56vTXZwAfOcwZce3Rk6dw4sOTlQbkTwWBr
IHjCVPQM1DNCy/M2JMLYFtuaN1dHs5QULyg2vWLbWHHS5eKHQnwdZBnm0zH/22VP
ORjvEMT5ADPq3uzyXVAshEbnBgjTANWG5GpdjnscdXEjyCF7GoFAX2Hve2WkIwTS
SNvTO0Jt4f8U6mT9GPGSE9vMYfq/FFF3HA2QzzA9+ZmElXcrn1stHdtF74D/FGk0
zPC9pZt9GBgSsG+BX1gZ6McXSD1NPhClXbohS/dqA2aU/rDcBmMXoOtWsqNoFbjV
gUrV8CeW6TsjbzpsoXG0hbzQLUM0O2EGKFC3N3NyQK6rqm70xxey2YjsbMMWT0+n
pCURqrOsGjkXKpSutuDmIjL6KEzbhaElaw4pgOJxNvZNgHlxYmct+gY33Ib/ATYf
lvzLocYSuDVjxB/rryDP8+pmFZeLjH7/lUsy0E9d1VThJQwIOnZFrAK1UP0ISQvS
XAGnOK4Y7gYOBsCCRckTaoERIYwkHP+wEZJpk0+T+U+RFIrmw6vly3R9GYHrgQJk
SBkvo7r9ghxZWj0HHGHlUQTpQaj9jZslOHXiIad/feaaZcJ6sWOaCN5wUxwE
=BgOp
-----END PGP MESSAGE-----
fp: 4A89D6B44B7E423B647C7AE848FBC3335A26DED6
unencrypted_suffix: _unencrypted
version: 3.8.1