Update sops and haproxy configs
This commit is contained in:
parent
9e29d53040
commit
0ea6dbbee8
5 changed files with 73 additions and 6 deletions
|
@ -68,6 +68,13 @@ creation_rules:
|
||||||
- *warsaw-ovh-01
|
- *warsaw-ovh-01
|
||||||
- *nixos-desktop
|
- *nixos-desktop
|
||||||
|
|
||||||
|
- path_regex: secrets\/cloudflare\.yaml$
|
||||||
|
key_groups:
|
||||||
|
- pgp:
|
||||||
|
- *albert
|
||||||
|
- *osaka-linode-01
|
||||||
|
- *frankfurt-linode-01
|
||||||
|
|
||||||
# Containers
|
# Containers
|
||||||
- path_regex: secrets\/containers\/rdesktop\.yaml$
|
- path_regex: secrets\/containers\/rdesktop\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
|
|
|
@ -39,11 +39,11 @@
|
||||||
"fail2ban/action.d/action-ban-docker-forceful-browsing.conf".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
|
"fail2ban/action.d/action-ban-docker-forceful-browsing.conf".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
|
||||||
[Definition]
|
[Definition]
|
||||||
|
|
||||||
actionban = iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
|
actionban = ${pkgs.iptables}/bin/iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
|
||||||
iptables -A INPUT -s <ip> -j DROP
|
${pkgs.iptables}/bin/iptables -A INPUT -s <ip> -j DROP
|
||||||
|
|
||||||
actionunban = iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
|
actionunban = ${pkgs.iptables}/bin/iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
|
||||||
iptables -D INPUT -s <ip> -j DROP
|
${pkgs.iptables}/bin/iptables -D INPUT -s <ip> -j DROP
|
||||||
'');
|
'');
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
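Review bot: The `actionban` match `--string 'X-Forwarded-For: <ip>'` has no terminator, so banning e.g. 10.0.0.1 also drops every request whose header starts with that address (10.0.0.10–10.0.0.19, 10.0.0.100, …); anchoring on the header's CRLF, e.g. `--hex-string 'X-Forwarded-For: <ip>|0d0a|'` (and the same in `actionunban`), avoids that, though it would miss a comma-separated XFF chain where the banned address is not last. The `-m string` rule can only match plaintext payloads passing DOCKER-USER, so TLS traffic is not covered; presumably intended, but worth a comment on the rule. The enclosing attrset (presumably `environment.etc`) starts outside the hunk.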
|
@ -57,12 +57,13 @@
|
||||||
timeout connect 10s
|
timeout connect 10s
|
||||||
timeout client 30s
|
timeout client 30s
|
||||||
timeout server 30s
|
timeout server 30s
|
||||||
maxconn 3000
|
maxconn 30000
|
||||||
log global
|
log global
|
||||||
|
|
||||||
frontend http
|
frontend http
|
||||||
mode http
|
mode http
|
||||||
bind :80
|
bind :80
|
||||||
|
option forwardfor
|
||||||
default_backend backend_http
|
default_backend backend_http
|
||||||
|
|
||||||
frontend tcp
|
frontend tcp
|
||||||
|
@ -71,6 +72,7 @@
|
||||||
bind :25565
|
bind :25565
|
||||||
bind :4443
|
bind :4443
|
||||||
bind :443
|
bind :443
|
||||||
|
option forwardfor
|
||||||
default_backend backend_tcp
|
default_backend backend_tcp
|
||||||
|
|
||||||
frontend mail
|
frontend mail
|
||||||
|
|
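Review bot: `option forwardfor` added under `frontend tcp` (bind :25565/:4443/:443) has no effect in a TCP-mode frontend — HAProxy warns and ignores it — so the X-Forwarded-For-based ban this commit sets up elsewhere would not see those connections; the frontend's `mode` line is outside the hunk, so confirm it and drop the line if it is `mode tcp`. The `maxconn 3000` → `30000` bump in the first hunk sits in the block that also carries `log global`, i.e. it looks like a `defaults` per-proxy value rather than the global limit; worth a one-line comment saying which is intended. The haproxy config string starts and ends outside the hunk.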
|
@ -50,6 +50,30 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
sops.secrets."cloudflare/api_key" = {
|
||||||
|
owner = "haproxy";
|
||||||
|
sopsFile = ../../../secrets/cloufdlare.yaml;
|
||||||
|
};
|
||||||
|
|
||||||
|
security.acme = {
|
||||||
|
enable = true;
|
||||||
|
defaults = {
|
||||||
|
keyType = "pem";
|
||||||
|
group = "haproxy";
|
||||||
|
reloadServices = [ "haproxy" ];
|
||||||
|
email = "albert@sysctl.io";
|
||||||
|
credentialFiles = {
|
||||||
|
CF_Token = "/var/run/secrets/cloudflare/api_key"
|
||||||
|
};
|
||||||
|
};
|
||||||
|
certs = {
|
||||||
|
"sysctl.io" = {
|
||||||
|
directory = "/haproxy/";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
services.haproxy = {
|
services.haproxy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
config = ''
|
config = ''
|
||||||
|
@ -63,13 +87,14 @@
|
||||||
frontend http
|
frontend http
|
||||||
mode http
|
mode http
|
||||||
bind :80
|
bind :80
|
||||||
|
bind :443 ssl crt /haproxy
|
||||||
|
option forwardfor
|
||||||
default_backend backend_http
|
default_backend backend_http
|
||||||
|
|
||||||
frontend tcp
|
frontend tcp
|
||||||
mode tcp
|
mode tcp
|
||||||
bind :42420
|
bind :42420
|
||||||
bind :25565
|
bind :25565
|
||||||
bind :4443
|
|
||||||
bind :443
|
bind :443
|
||||||
default_backend backend_tcp
|
default_backend backend_tcp
|
||||||
|
|
||||||
|
@ -81,6 +106,7 @@
|
||||||
bind :587
|
bind :587
|
||||||
bind :993
|
bind :993
|
||||||
bind :4190
|
bind :4190
|
||||||
|
option forwardfor
|
||||||
default_backend backend_mail
|
default_backend backend_mail
|
||||||
|
|
||||||
backend backend_mail
|
backend backend_mail
|
||||||
|
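Review bot: `sopsFile = ../../../secrets/cloufdlare.yaml;` misspells the file this commit adds as `secrets/cloudflare.yaml` (the new sops creation rule also matches `secrets\/cloudflare\.yaml$`), so the path literal points at a file that does not exist and the configuration will fail to evaluate; it should read `sopsFile = ../../../secrets/cloudflare.yaml;`. The binding `CF_Token = "/var/run/secrets/cloudflare/api_key"` is missing its terminating `;` (a Nix syntax error) and would be more robust as `CF_Token = config.sops.secrets."cloudflare/api_key".path;`. `keyType = "pem"` is not a key type lego accepts as far as I know (ec256, ec384, rsa2048, … are), and I believe `certs.<name>.directory` is read-only in the NixOS module, with the key-plus-chain file HAProxy needs written as `full.pem` under `/var/lib/acme/sysctl.io/`, so `crt /haproxy` in the second hunk likely has to point there instead. Also in the second hunk, `bind :443 ssl crt /haproxy` is added to `frontend http` while `frontend tcp` keeps `bind :443`; HAProxy binds both with SO_REUSEPORT on Linux, so :443 connections would be split between TLS termination and raw passthrough rather than going to one of them. The enclosing module attrset and the haproxy config string start and end outside the hunk.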
|
32
secrets/cloudflare.yaml
Normal file
32
secrets/cloudflare.yaml
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
api_key: ENC[AES256_GCM,data:qS4K1MeUqWmxMOCv5tHc+5+pqpS9kpt6LiVaEIlf7MfTiC+4,iv:FPSQ4AZu9Od6OwAZj+xrSrfOgjYkcOhyBzClWl7YdIM=,tag:MdcEiZfxMn4DhTzlF/VVbA==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age: []
|
||||||
|
lastmodified: "2024-08-05T12:15:34Z"
|
||||||
|
mac: ENC[AES256_GCM,data:1wKK0MlUj0ErqMOjkCtcNXpwHhwLUAsxq1Z3/5GrXtEhLOc66yUtlHW1/ZebbnipCBy6rPxGSu7gWSCGmUyapwCnKkONZBIJKE8NQ0MqYnrYPCi2ZKBcxhnaESFDoCSfgVucPPQWFbSZq21N7Z3R7M2iKIinJ522jM8Z0Ch7Yss=,iv:ckwxVUyH+ETnoVtdUpesTxzyfsshhCzSHiRacAGJ6/k=,tag:QCUvyOiwqUduTT4bM5h3qw==,type:str]
|
||||||
|
pgp:
|
||||||
|
- created_at: "2024-08-05T12:11:22Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMAwAAAAAAAAAAAQ/6AroKLfY1wV9v3/tKSDwhDdctQF2Tg7zZZSU4VQekthft
|
||||||
|
4r+TzI9FDBIfQb1YVhT5dWWMytPH8n4yQllD8HzH1rVaT0F1aNnXskNqTT5IQSbJ
|
||||||
|
Pp5n7mywrOpi3tkPbp1w1UDoWSyA5wZXUizMdkbGDyOv+IsA4Gyx9tT6UTqUzwJW
|
||||||
|
Ayu8JuX28BzOg3CZtKRGvyRgSTfOih56vTXZwAfOcwZce3Rk6dw4sOTlQbkTwWBr
|
||||||
|
IHjCVPQM1DNCy/M2JMLYFtuaN1dHs5QULyg2vWLbWHHS5eKHQnwdZBnm0zH/22VP
|
||||||
|
ORjvEMT5ADPq3uzyXVAshEbnBgjTANWG5GpdjnscdXEjyCF7GoFAX2Hve2WkIwTS
|
||||||
|
SNvTO0Jt4f8U6mT9GPGSE9vMYfq/FFF3HA2QzzA9+ZmElXcrn1stHdtF74D/FGk0
|
||||||
|
zPC9pZt9GBgSsG+BX1gZ6McXSD1NPhClXbohS/dqA2aU/rDcBmMXoOtWsqNoFbjV
|
||||||
|
gUrV8CeW6TsjbzpsoXG0hbzQLUM0O2EGKFC3N3NyQK6rqm70xxey2YjsbMMWT0+n
|
||||||
|
pCURqrOsGjkXKpSutuDmIjL6KEzbhaElaw4pgOJxNvZNgHlxYmct+gY33Ib/ATYf
|
||||||
|
lvzLocYSuDVjxB/rryDP8+pmFZeLjH7/lUsy0E9d1VThJQwIOnZFrAK1UP0ISQvS
|
||||||
|
XAGnOK4Y7gYOBsCCRckTaoERIYwkHP+wEZJpk0+T+U+RFIrmw6vly3R9GYHrgQJk
|
||||||
|
SBkvo7r9ghxZWj0HHGHlUQTpQaj9jZslOHXiIad/feaaZcJ6sWOaCN5wUxwE
|
||||||
|
=BgOp
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 4A89D6B44B7E423B647C7AE848FBC3335A26DED6
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
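Review bot: The sops metadata lists a single pgp recipient (`fp: 4A89D6B44B7E423B647C7AE848FBC3335A26DED6`), while the creation rule this commit adds for `secrets\/cloudflare\.yaml$` names three keys (albert, osaka-linode-01, frankfurt-linode-01); if that fingerprint is the operator key rather than a host key, the hosts that must decrypt `cloudflare/api_key` at activation cannot, so run `sops updatekeys secrets/cloudflare.yaml` and commit the result. The value is named `api_key` but is wired to lego's `CF_Token` variable, which expects a scoped API token rather than the account-wide API key (that one goes through `CF_API_KEY` plus `CF_API_EMAIL`); naming it `api_token` and limiting the token to DNS edit on the one zone would avoid the ambiguity. Committing the ciphertext itself is fine.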