Update sops and haproxy configs

albert 2024-08-05 21:16:28 +09:00
parent 9e29d53040
commit 0ea6dbbee8
Signed by: albert
GPG key ID: 3895DD267CA11BA9
5 changed files with 73 additions and 6 deletions


@ -68,6 +68,13 @@ creation_rules:
- *warsaw-ovh-01 - *warsaw-ovh-01
- *nixos-desktop - *nixos-desktop
- path_regex: secrets\/cloudflare\.yaml$
key_groups:
- pgp:
- *albert
- *osaka-linode-01
- *frankfurt-linode-01
# Containers # Containers
- path_regex: secrets\/containers\/rdesktop\.yaml$ - path_regex: secrets\/containers\/rdesktop\.yaml$
key_groups: key_groups:
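Review bot: The new `secrets\/cloudflare\.yaml$` rule lists three pgp recipients (`*albert`, `*osaka-linode-01`, `*frankfurt-linode-01`), but the `secrets/cloudflare.yaml` added in this same commit carries only one `pgp:` entry (fp `4A89D6B44B7E423B647C7AE848FBC3335A26DED6`) in its sops metadata, so the file was encrypted before or independently of this rule. Unless that fingerprint is the key of the host that runs the new haproxy/acme configuration, that host will not be able to decrypt the Cloudflare token at activation time. Re-encrypting the file against the rule (`sops updatekeys secrets/cloudflare.yaml`) would bring the recipients in line; this is worth verifying before deploying.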


@ -39,11 +39,11 @@
"fail2ban/action.d/action-ban-docker-forceful-browsing.conf".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' "fail2ban/action.d/action-ban-docker-forceful-browsing.conf".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition] [Definition]
actionban = iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP actionban = ${pkgs.iptables}/bin/iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
iptables -A INPUT -s <ip> -j DROP ${pkgs.iptables}/bin/iptables -A INPUT -s <ip> -j DROP
actionunban = iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP actionunban = ${pkgs.iptables}/bin/iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
iptables -D INPUT -s <ip> -j DROP ${pkgs.iptables}/bin/iptables -D INPUT -s <ip> -j DROP
''); '');
}; };
} }
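Review bot: The `--string 'X-Forwarded-For: <ip>'` match in the actionban/actionunban lines is a plain substring search, so a ban on one address also drops packets whose header value merely begins with it (constructed example: banning 203.0.113.1 also matches 203.0.113.10 through 203.0.113.19 and 203.0.113.100 onward), which over-blocks unrelated clients behind the same proxy. Terminating the pattern at the header's line end avoids this: `--hex-string 'X-Forwarded-For: <ip>|0d0a|'` in place of `--string 'X-Forwarded-For: <ip>'` in both the DOCKER-USER insert and delete rules (the unban must use the identical pattern, or the rule is never removed). The attribute set containing this `environment.etc` entry begins outside the hunk.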


@ -57,12 +57,13 @@
timeout connect 10s timeout connect 10s
timeout client 30s timeout client 30s
timeout server 30s timeout server 30s
maxconn 3000 maxconn 30000
log global log global
frontend http frontend http
mode http mode http
bind :80 bind :80
option forwardfor
default_backend backend_http default_backend backend_http
frontend tcp frontend tcp
@ -71,6 +72,7 @@
bind :25565 bind :25565
bind :4443 bind :4443
bind :443 bind :443
option forwardfor
default_backend backend_tcp default_backend backend_tcp
frontend mail frontend mail
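Review bot: `option forwardfor` is added to `frontend tcp` in the second hunk, but the option only applies to HTTP-mode proxies; if that frontend is `mode tcp` (its `mode` line falls in the gap between the two hunks, and the sibling haproxy file shows `mode tcp` for the same frontend), haproxy ignores the directive and emits a warning at config check, so the line should be dropped there — the same applies to the `option forwardfor` added under `frontend mail` in the other haproxy file. In the first hunk, `maxconn 3000` becomes `maxconn 30000` on the defaults section; the effective limit is still capped by the global `maxconn` and the process file-descriptor limit, neither of which is visible in this change, so confirm those were raised too or the new value has no effect. The `defaults` section begins outside the hunk.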


@ -50,6 +50,30 @@
}; };
}; };
sops.secrets."cloudflare/api_key" = {
owner = "haproxy";
sopsFile = ../../../secrets/cloufdlare.yaml;
};
security.acme = {
enable = true;
defaults = {
keyType = "pem";
group = "haproxy";
reloadServices = [ "haproxy" ];
email = "albert@sysctl.io";
credentialFiles = {
CF_Token = "/var/run/secrets/cloudflare/api_key"
};
};
certs = {
"sysctl.io" = {
directory = "/haproxy/";
};
};
};
services.haproxy = { services.haproxy = {
enable = true; enable = true;
config = '' config = ''
@ -63,13 +87,14 @@
frontend http frontend http
mode http mode http
bind :80 bind :80
bind :443 ssl crt /haproxy
option forwardfor
default_backend backend_http default_backend backend_http
frontend tcp frontend tcp
mode tcp mode tcp
bind :42420 bind :42420
bind :25565 bind :25565
bind :4443
bind :443 bind :443
default_backend backend_tcp default_backend backend_tcp
@ -81,6 +106,7 @@
bind :587 bind :587
bind :993 bind :993
bind :4190 bind :4190
option forwardfor
default_backend backend_mail default_backend backend_mail
backend backend_mail backend backend_mail
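Review bot: The path in `sopsFile = ../../../secrets/cloufdlare.yaml;` is misspelled — the file added in this commit and matched by the new .sops.yaml rule is `secrets/cloudflare.yaml`, so evaluation will fail on a missing path; the next attribute, `CF_Token = "/var/run/secrets/cloudflare/api_key"`, also lacks the terminating `;` that Nix requires. In the second hunk, `bind :443 ssl crt /haproxy` is added to `frontend http` while `frontend tcp` keeps its own `bind :443`; two listeners on one port will either fail to bind or, where SO_REUSEPORT is in effect, have incoming connections split per-connection between TLS termination and raw TCP passthrough, so one of the two binds has to go. `keyType = "pem"` and the explicit `directory = "/haproxy/"` under `certs` do not look like values the NixOS acme module accepts (keyType names a key algorithm such as `ec256`, and the per-certificate directory appears to be fixed by the module) — worth confirming against the module options, noting that haproxy's `crt` wants the combined certificate+key PEM that the module writes as `full.pem` in its certificate directory.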

secrets/cloudflare.yaml Normal file

@ -0,0 +1,32 @@
api_key: ENC[AES256_GCM,data:qS4K1MeUqWmxMOCv5tHc+5+pqpS9kpt6LiVaEIlf7MfTiC+4,iv:FPSQ4AZu9Od6OwAZj+xrSrfOgjYkcOhyBzClWl7YdIM=,tag:MdcEiZfxMn4DhTzlF/VVbA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-08-05T12:15:34Z"
mac: ENC[AES256_GCM,data:1wKK0MlUj0ErqMOjkCtcNXpwHhwLUAsxq1Z3/5GrXtEhLOc66yUtlHW1/ZebbnipCBy6rPxGSu7gWSCGmUyapwCnKkONZBIJKE8NQ0MqYnrYPCi2ZKBcxhnaESFDoCSfgVucPPQWFbSZq21N7Z3R7M2iKIinJ522jM8Z0Ch7Yss=,iv:ckwxVUyH+ETnoVtdUpesTxzyfsshhCzSHiRacAGJ6/k=,tag:QCUvyOiwqUduTT4bM5h3qw==,type:str]
pgp:
- created_at: "2024-08-05T12:11:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=BgOp
-----END PGP MESSAGE-----
fp: 4A89D6B44B7E423B647C7AE848FBC3335A26DED6
unencrypted_suffix: _unencrypted
version: 3.8.1