From 0ea6dbbee86e238e65c9edde638216de32b7f0d5 Mon Sep 17 00:00:00 2001
From: albert
Date: Mon, 5 Aug 2024 21:16:28 +0900
Subject: [PATCH] Update sops and haproxy configs

---
 .sops.yaml                                   |  7 ++++
 .../framework-server/fail2ban/traefik.nix    |  8 ++---
 nixos/hosts/frankfurt-linode-01/firewall.nix |  4 ++-
 nixos/hosts/osaka-linode-01/firewall.nix     | 28 +++++++++++++++-
 secrets/cloudflare.yaml                      | 32 +++++++++++++++++++
 5 files changed, 73 insertions(+), 6 deletions(-)
 create mode 100644 secrets/cloudflare.yaml

diff --git a/.sops.yaml b/.sops.yaml
index 2794499c..c75d1d48 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -68,6 +68,13 @@ creation_rules:
       - *warsaw-ovh-01
       - *nixos-desktop
 
+  - path_regex: secrets\/cloudflare\.yaml$
+    key_groups:
+      - pgp:
+          - *albert
+          - *osaka-linode-01
+          - *frankfurt-linode-01
+
   # Containers
   - path_regex: secrets\/containers\/rdesktop\.yaml$
     key_groups:
diff --git a/nixos/hosts/framework-server/fail2ban/traefik.nix b/nixos/hosts/framework-server/fail2ban/traefik.nix
index 9a134e56..95793b49 100644
--- a/nixos/hosts/framework-server/fail2ban/traefik.nix
+++ b/nixos/hosts/framework-server/fail2ban/traefik.nix
@@ -39,11 +39,11 @@
     "fail2ban/action.d/action-ban-docker-forceful-browsing.conf".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
       [Definition]
 
-      actionban = iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: ' -j DROP
-                  iptables -A INPUT -s -j DROP
+      actionban = ${pkgs.iptables}/bin/iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: ' -j DROP
+                  ${pkgs.iptables}/bin/iptables -A INPUT -s -j DROP
 
-      actionunban = iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: ' -j DROP
-                    iptables -D INPUT -s -j DROP
+      actionunban = ${pkgs.iptables}/bin/iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: ' -j DROP
+                    ${pkgs.iptables}/bin/iptables -D INPUT -s -j DROP
     '');
   };
 }
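Review bot: The new `secrets\/cloudflare\.yaml$` rule lists three PGP recipients (`*albert`, `*osaka-linode-01`, `*frankfurt-linode-01`), but the encrypted `secrets/cloudflare.yaml` added in this same commit carries a single `pgp` entry (fp `4A89D6B44B7E423B647C7AE848FBC3335A26DED6`), which suggests the file was encrypted before this rule existed or without `sops updatekeys` being run afterwards. If that fingerprint is not the osaka host key, the `sops.secrets."cloudflare/api_key"` activation on osaka-linode-01 will be unable to decrypt the token at boot; re-encrypting to the full key group (`sops updatekeys secrets/cloudflare.yaml`) and committing the result makes the two files agree. A `frankfurt-linode-01` recipient is added although only the osaka host config references this secret — worth confirming that is intended, since every recipient key can recover the Cloudflare token.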
diff --git a/nixos/hosts/frankfurt-linode-01/firewall.nix b/nixos/hosts/frankfurt-linode-01/firewall.nix
index f9977caa..04037832 100644
--- a/nixos/hosts/frankfurt-linode-01/firewall.nix
+++ b/nixos/hosts/frankfurt-linode-01/firewall.nix
@@ -57,12 +57,13 @@
         timeout connect 10s
         timeout client 30s
         timeout server 30s
-        maxconn 3000
+        maxconn 30000
         log global
 
       frontend http
         mode http
         bind :80
+        option forwardfor
         default_backend backend_http
 
       frontend tcp
@@ -71,6 +72,7 @@
         bind :25565
         bind :4443
         bind :443
+        option forwardfor
         default_backend backend_tcp
 
       frontend mail
diff --git a/nixos/hosts/osaka-linode-01/firewall.nix b/nixos/hosts/osaka-linode-01/firewall.nix
index f9977caa..d5250737 100644
--- a/nixos/hosts/osaka-linode-01/firewall.nix
+++ b/nixos/hosts/osaka-linode-01/firewall.nix
@@ -50,6 +50,30 @@
     };
   };
 
+
+  sops.secrets."cloudflare/api_key" = {
+    owner = "haproxy";
+    sopsFile = ../../../secrets/cloufdlare.yaml;
+  };
+
+  security.acme = {
+    enable = true;
+    defaults = {
+      keyType = "pem";
+      group = "haproxy";
+      reloadServices = [ "haproxy" ];
+      email = "albert@sysctl.io";
+      credentialFiles = {
+        CF_Token = "/var/run/secrets/cloudflare/api_key"
+      };
+    };
+    certs = {
+      "sysctl.io" = {
+        directory = "/haproxy/";
+      };
+    };
+  };
+
   services.haproxy = {
     enable = true;
     config = ''
@@ -63,13 +87,14 @@
       frontend http
         mode http
         bind :80
+        bind :443 ssl crt /haproxy
+        option forwardfor
         default_backend backend_http
 
       frontend tcp
         mode tcp
         bind :42420
         bind :25565
-        bind :4443
         bind :443
         default_backend backend_tcp
 
@@ -81,6 +106,7 @@
         bind :587
         bind :993
         bind :4190
+        option forwardfor
         default_backend backend_mail
 
       backend backend_mail
diff --git a/secrets/cloudflare.yaml b/secrets/cloudflare.yaml
new file mode 100644
index 00000000..e701d4a6
--- /dev/null
+++ b/secrets/cloudflare.yaml
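Review bot: `option forwardfor` in `frontend http` appends HAProxy's X-Forwarded-For value to whatever the client already sent rather than replacing it, so a client-supplied header reaches the backend intact next to the real one, and any consumer that reads the first value (the fail2ban action in this repo matching on `X-Forwarded-For:`, or application-side rate limiting) is trusting an attacker-controlled field. Normalising the header at the edge, `http-request set-header X-Forwarded-For %[src]` in place of `option forwardfor` (or `http-request del-header X-Forwarded-For` ahead of it), leaves exactly one value that HAProxy itself produced. The same applies to the `option forwardfor` added to `frontend http` on osaka-linode-01 later in this commit. Raising `maxconn` to 30000 is fine as long as the haproxy unit's file-descriptor limit follows; HAProxy sizes `ulimit-n` automatically unless it is pinned elsewhere in this config, which is outside the hunk.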
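Review bot: `option forwardfor` is an HTTP-mode directive; if `frontend tcp` is `mode tcp` (its `mode` line sits outside this hunk, but the name and the `:25565`/`:4443` binds suggest it is), HAProxy ignores the line with a startup warning and no client address is ever conveyed on these streams. The same holds for the `option forwardfor` added to `frontend mail` (ports 587/993/4190) on osaka-linode-01 in this commit, whose mode line is likewise outside its hunk. If the backends behind these frontends need the originating address, the TCP-mode mechanism is the PROXY protocol — `send-proxy` or `send-proxy-v2` on the backend `server` lines with `accept-proxy` on the receiving listener — otherwise both added lines can simply be dropped.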
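Review bot: `sopsFile = ../../../secrets/cloufdlare.yaml;` misspells the file this commit adds (`secrets/cloudflare.yaml`); a Nix path literal to a missing file fails evaluation, so this host does not build until it reads `sopsFile = ../../../secrets/cloudflare.yaml;`. The line `CF_Token = "/var/run/secrets/cloudflare/api_key"` is missing its terminating `;`, a second evaluation error in the same block. Beyond syntax, the ACME block looks incomplete for DNS-01: no `dnsProvider = "cloudflare";` is set, so the `CF_Token` credential is never consumed, `keyType = "pem"` does not look like a lego key type (those are `ec256`, `ec384`, `rsa2048`, …) — confirm, and `certs."sysctl.io".directory` appears to be a read-only option in the NixOS module (state lives under `/var/lib/acme/sysctl.io`) — confirm, since that is also where `frontend http` would need to load the certificate from.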
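Review bot: After this hunk `:443` is bound twice — the new `bind :443 ssl crt /haproxy` in `frontend http` and the untouched `bind :443` in `frontend tcp`, since only `bind :4443` was removed. HAProxy binds with SO_REUSEPORT on Linux, so both listeners can come up and incoming TLS connections are split between TLS termination and raw TCP passthrough, giving intermittent failures instead of a clean startup error; if the intent is to terminate TLS in `frontend http`, the `bind :443` line should leave `frontend tcp` rather than (or as well as) `:4443`. `crt /haproxy` also names a directory that nothing in this commit populates — the NixOS ACME module writes its combined `full.pem` under the certificate's state directory (`/var/lib/acme/sysctl.io/` by default), so either the bind should point there or a `postRun` step should copy the file into `/haproxy`.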
@@ -0,0 +1,32 @@
+api_key: ENC[AES256_GCM,data:qS4K1MeUqWmxMOCv5tHc+5+pqpS9kpt6LiVaEIlf7MfTiC+4,iv:FPSQ4AZu9Od6OwAZj+xrSrfOgjYkcOhyBzClWl7YdIM=,tag:MdcEiZfxMn4DhTzlF/VVbA==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age: []
+  lastmodified: "2024-08-05T12:15:34Z"
+  mac: ENC[AES256_GCM,data:1wKK0MlUj0ErqMOjkCtcNXpwHhwLUAsxq1Z3/5GrXtEhLOc66yUtlHW1/ZebbnipCBy6rPxGSu7gWSCGmUyapwCnKkONZBIJKE8NQ0MqYnrYPCi2ZKBcxhnaESFDoCSfgVucPPQWFbSZq21N7Z3R7M2iKIinJ522jM8Z0Ch7Yss=,iv:ckwxVUyH+ETnoVtdUpesTxzyfsshhCzSHiRacAGJ6/k=,tag:QCUvyOiwqUduTT4bM5h3qw==,type:str]
+  pgp:
+    - created_at: "2024-08-05T12:11:22Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAwAAAAAAAAAAAQ/6AroKLfY1wV9v3/tKSDwhDdctQF2Tg7zZZSU4VQekthft
+        4r+TzI9FDBIfQb1YVhT5dWWMytPH8n4yQllD8HzH1rVaT0F1aNnXskNqTT5IQSbJ
+        Pp5n7mywrOpi3tkPbp1w1UDoWSyA5wZXUizMdkbGDyOv+IsA4Gyx9tT6UTqUzwJW
+        Ayu8JuX28BzOg3CZtKRGvyRgSTfOih56vTXZwAfOcwZce3Rk6dw4sOTlQbkTwWBr
+        IHjCVPQM1DNCy/M2JMLYFtuaN1dHs5QULyg2vWLbWHHS5eKHQnwdZBnm0zH/22VP
+        ORjvEMT5ADPq3uzyXVAshEbnBgjTANWG5GpdjnscdXEjyCF7GoFAX2Hve2WkIwTS
+        SNvTO0Jt4f8U6mT9GPGSE9vMYfq/FFF3HA2QzzA9+ZmElXcrn1stHdtF74D/FGk0
+        zPC9pZt9GBgSsG+BX1gZ6McXSD1NPhClXbohS/dqA2aU/rDcBmMXoOtWsqNoFbjV
+        gUrV8CeW6TsjbzpsoXG0hbzQLUM0O2EGKFC3N3NyQK6rqm70xxey2YjsbMMWT0+n
+        pCURqrOsGjkXKpSutuDmIjL6KEzbhaElaw4pgOJxNvZNgHlxYmct+gY33Ib/ATYf
+        lvzLocYSuDVjxB/rryDP8+pmFZeLjH7/lUsy0E9d1VThJQwIOnZFrAK1UP0ISQvS
+        XAGnOK4Y7gYOBsCCRckTaoERIYwkHP+wEZJpk0+T+U+RFIrmw6vly3R9GYHrgQJk
+        SBkvo7r9ghxZWj0HHGHlUQTpQaj9jZslOHXiIad/feaaZcJ6sWOaCN5wUxwE
+        =BgOp
+        -----END PGP MESSAGE-----
+      fp: 4A89D6B44B7E423B647C7AE848FBC3335A26DED6
+  unencrypted_suffix: _unencrypted
+  version: 3.8.1