Update sops and haproxy configs
This commit is contained in:
parent
9e29d53040
commit
0ea6dbbee8
5 changed files with 73 additions and 6 deletions
|
@ -68,6 +68,13 @@ creation_rules:
|
|||
- *warsaw-ovh-01
|
||||
- *nixos-desktop
|
||||
|
||||
- path_regex: secrets\/cloudflare\.yaml$
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *albert
|
||||
- *osaka-linode-01
|
||||
- *frankfurt-linode-01
|
||||
|
||||
# Containers
|
||||
- path_regex: secrets\/containers\/rdesktop\.yaml$
|
||||
key_groups:
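Review bot: `path_regex: secrets\/cloudflare\.yaml$` is anchored only at the end, so it also matches any deeper path ending in secrets/cloudflare.yaml; the neighbouring rules use the same style, but `^secrets/cloudflare\.yaml$` is the unambiguous form (the `/` needs no escaping in a Go regex). Note also that creation_rules are consulted only when `sops` creates a file or runs `updatekeys` on it, so the recipient set of an already-encrypted file is not changed by adding this rule.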
|
||||
|
|
|
@ -39,11 +39,11 @@
|
|||
"fail2ban/action.d/action-ban-docker-forceful-browsing.conf".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
|
||||
[Definition]
|
||||
|
||||
actionban = iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
|
||||
iptables -A INPUT -s <ip> -j DROP
|
||||
actionban = ${pkgs.iptables}/bin/iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
|
||||
${pkgs.iptables}/bin/iptables -A INPUT -s <ip> -j DROP
|
||||
|
||||
actionunban = iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
|
||||
iptables -D INPUT -s <ip> -j DROP
|
||||
actionunban = ${pkgs.iptables}/bin/iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
|
||||
${pkgs.iptables}/bin/iptables -D INPUT -s <ip> -j DROP
|
||||
'');
|
||||
};
|
||||
}
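Review bot: `${pkgs.iptables}/bin/iptables -A INPUT -s <ip> -j DROP` appends the ban to the end of INPUT, so any earlier ACCEPT (a conntrack ESTABLISHED rule, or an allow for 80/443) matches first and the ban may never fire; the DOCKER-USER rule on the line above already uses `-I`, and INPUT should too: `${pkgs.iptables}/bin/iptables -I INPUT -s <ip> -j DROP` (the `-D` unban lines need no change). Separately, `--string 'X-Forwarded-For: <ip>'` has no terminator, so banning 10.0.0.1 also drops 10.0.0.10–10.0.0.19, 10.0.0.100–10.0.0.199 and so on; a `--hex-string` ending in `|0d 0a|` or `|2c|` tightens this, at the cost of having to handle comma-separated X-Forwarded-For lists. The enclosing attribute set continues before this hunk.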
|
||||
|
|
|
@ -57,12 +57,13 @@
|
|||
timeout connect 10s
|
||||
timeout client 30s
|
||||
timeout server 30s
|
||||
maxconn 3000
|
||||
maxconn 30000
|
||||
log global
|
||||
|
||||
frontend http
|
||||
mode http
|
||||
bind :80
|
||||
option forwardfor
|
||||
default_backend backend_http
|
||||
|
||||
frontend tcp
|
||||
|
@ -71,6 +72,7 @@
|
|||
bind :25565
|
||||
bind :4443
|
||||
bind :443
|
||||
option forwardfor
|
||||
default_backend backend_tcp
|
||||
|
||||
frontend mail
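Review bot: `option forwardfor` only has an effect in `mode http`; if frontend tcp is in mode tcp (its mode line is outside this hunk), haproxy warns at startup and ignores it, so the servers behind backend_tcp never learn the client address for the traffic now arriving on the added `bind :443`, and any log-based banning keyed on X-Forwarded-For does not cover it. For TCP passthrough the client address is conveyed with the PROXY protocol (`send-proxy` on the server lines of backend_tcp, with the backend configured to accept it); the forwardfor line can then be dropped from this frontend. The tenfold increase to `maxconn 30000` is fine in itself, but it presumes the process fd limit allows it — worth confirming the unit's LimitNOFILE since haproxy here does not start as root.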
|
||||
|
|
|
@ -50,6 +50,30 @@
|
|||
};
|
||||
};
|
||||
|
||||
|
||||
sops.secrets."cloudflare/api_key" = {
|
||||
owner = "haproxy";
|
||||
sopsFile = ../../../secrets/cloufdlare.yaml;
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
enable = true;
|
||||
defaults = {
|
||||
keyType = "pem";
|
||||
group = "haproxy";
|
||||
reloadServices = [ "haproxy" ];
|
||||
email = "albert@sysctl.io";
|
||||
credentialFiles = {
|
||||
CF_Token = "/var/run/secrets/cloudflare/api_key"
|
||||
};
|
||||
};
|
||||
certs = {
|
||||
"sysctl.io" = {
|
||||
directory = "/haproxy/";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.haproxy = {
|
||||
enable = true;
|
||||
config = ''
|
||||
|
@ -63,13 +87,14 @@
|
|||
frontend http
|
||||
mode http
|
||||
bind :80
|
||||
bind :443 ssl crt /haproxy
|
||||
option forwardfor
|
||||
default_backend backend_http
|
||||
|
||||
frontend tcp
|
||||
mode tcp
|
||||
bind :42420
|
||||
bind :25565
|
||||
bind :4443
|
||||
bind :443
|
||||
default_backend backend_tcp
|
||||
|
||||
|
@ -81,6 +106,7 @@
|
|||
bind :587
|
||||
bind :993
|
||||
bind :4190
|
||||
option forwardfor
|
||||
default_backend backend_mail
|
||||
|
||||
backend backend_mail
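Review bot: In the first hunk, `sopsFile = ../../../secrets/cloufdlare.yaml;` misspells the file added in this same commit (secrets/cloudflare.yaml), and `CF_Token = "/var/run/secrets/cloudflare/api_key"` is missing its `;`, so the module does not evaluate. `owner = "haproxy";` also hands the Cloudflare token to the internet-facing haproxy process for no benefit: credentialFiles is consumed by the acme unit (passed to lego through systemd credentials, read as root), so the secret can keep sops-nix's default root owner, and the value should be a narrowly scoped API token (Zone:DNS:Edit on the one zone) rather than the Global API Key. Nothing selects the DNS challenge — without `dnsProvider = "cloudflare";` the module falls back to HTTP-01 and the credential is never used — while `keyType = "pem"` is not a lego key type (ec256, ec384, rsa2048, …) and `directory` is, as far as I recall, a read-only option derived as /var/lib/acme/<name>; drop both and point the listener in the next hunk at the module's output, `bind :443 ssl crt /var/lib/acme/sysctl.io/full.pem`. `security.acme.acceptTerms = true` is required for any cert and is not visible here; confirm it is set elsewhere. The `services.haproxy.config` string continues past the hunk.

```nix
sops.secrets."cloudflare/api_key" = {
  # Default root owner: the acme unit receives this via systemd credentials,
  # so haproxy itself never needs to read the Cloudflare token.
  sopsFile = ../../../secrets/cloudflare.yaml;
};

security.acme = {
  enable = true;
  defaults = {
    dnsProvider = "cloudflare";
    group = "haproxy";
    reloadServices = [ "haproxy" ];
    email = "albert@sysctl.io";
    credentialFiles = {
      # Scoped API token (Zone:DNS:Edit), not the account-wide Global API Key.
      CF_Token = "/var/run/secrets/cloudflare/api_key";
    };
  };
  # Output lands in /var/lib/acme/sysctl.io/{full.pem,...}; no directory override.
  certs."sysctl.io" = { };
};
# … unchanged: services.haproxy block …
```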
|
||||
|
|
32
secrets/cloudflare.yaml
Normal file
32
secrets/cloudflare.yaml
Normal file
|
@ -0,0 +1,32 @@
|
|||
api_key: ENC[AES256_GCM,data:qS4K1MeUqWmxMOCv5tHc+5+pqpS9kpt6LiVaEIlf7MfTiC+4,iv:FPSQ4AZu9Od6OwAZj+xrSrfOgjYkcOhyBzClWl7YdIM=,tag:MdcEiZfxMn4DhTzlF/VVbA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2024-08-05T12:15:34Z"
|
||||
mac: ENC[AES256_GCM,data:1wKK0MlUj0ErqMOjkCtcNXpwHhwLUAsxq1Z3/5GrXtEhLOc66yUtlHW1/ZebbnipCBy6rPxGSu7gWSCGmUyapwCnKkONZBIJKE8NQ0MqYnrYPCi2ZKBcxhnaESFDoCSfgVucPPQWFbSZq21N7Z3R7M2iKIinJ522jM8Z0Ch7Yss=,iv:ckwxVUyH+ETnoVtdUpesTxzyfsshhCzSHiRacAGJ6/k=,tag:QCUvyOiwqUduTT4bM5h3qw==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-08-05T12:11:22Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMAwAAAAAAAAAAAQ/6AroKLfY1wV9v3/tKSDwhDdctQF2Tg7zZZSU4VQekthft
|
||||
4r+TzI9FDBIfQb1YVhT5dWWMytPH8n4yQllD8HzH1rVaT0F1aNnXskNqTT5IQSbJ
|
||||
Pp5n7mywrOpi3tkPbp1w1UDoWSyA5wZXUizMdkbGDyOv+IsA4Gyx9tT6UTqUzwJW
|
||||
Ayu8JuX28BzOg3CZtKRGvyRgSTfOih56vTXZwAfOcwZce3Rk6dw4sOTlQbkTwWBr
|
||||
IHjCVPQM1DNCy/M2JMLYFtuaN1dHs5QULyg2vWLbWHHS5eKHQnwdZBnm0zH/22VP
|
||||
ORjvEMT5ADPq3uzyXVAshEbnBgjTANWG5GpdjnscdXEjyCF7GoFAX2Hve2WkIwTS
|
||||
SNvTO0Jt4f8U6mT9GPGSE9vMYfq/FFF3HA2QzzA9+ZmElXcrn1stHdtF74D/FGk0
|
||||
zPC9pZt9GBgSsG+BX1gZ6McXSD1NPhClXbohS/dqA2aU/rDcBmMXoOtWsqNoFbjV
|
||||
gUrV8CeW6TsjbzpsoXG0hbzQLUM0O2EGKFC3N3NyQK6rqm70xxey2YjsbMMWT0+n
|
||||
pCURqrOsGjkXKpSutuDmIjL6KEzbhaElaw4pgOJxNvZNgHlxYmct+gY33Ib/ATYf
|
||||
lvzLocYSuDVjxB/rryDP8+pmFZeLjH7/lUsy0E9d1VThJQwIOnZFrAK1UP0ISQvS
|
||||
XAGnOK4Y7gYOBsCCRckTaoERIYwkHP+wEZJpk0+T+U+RFIrmw6vly3R9GYHrgQJk
|
||||
SBkvo7r9ghxZWj0HHGHlUQTpQaj9jZslOHXiIad/feaaZcJ6sWOaCN5wUxwE
|
||||
=BgOp
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 4A89D6B44B7E423B647C7AE848FBC3335A26DED6
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
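Review bot: The new file is encrypted to a single PGP recipient (`fp: 4A89D6B44B7E423B647C7AE848FBC3335A26DED6`), while the creation rule this commit adds for secrets/cloudflare.yaml lists three keys (*albert, *osaka-linode-01, *frankfurt-linode-01). sops applies creation_rules only at creation or re-keying, so unless that fingerprint is the haproxy host's own key, sops-nix on osaka/frankfurt cannot decrypt the token at activation; run `sops updatekeys secrets/cloudflare.yaml` and commit the re-keyed file. The key name `api_key` suggests this may be the account-wide Global API Key, whereas the host config feeds it to lego as `CF_Token`, which expects a scoped API token — worth confirming which credential was encrypted before it is deployed.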
|