Commit Graph

22 Commits

Author SHA1 Message Date
81c25d3f20 fix: use security.auditd instead of services.auditd 2026-05-01 03:55:09 +00:00
9b1f467db9 fix: remove invalid networking.firewall.defaultAllow option 2026-05-01 03:52:57 +00:00
65fa778b2b fix: add custom traefik fail2ban filters for http-auth and http-botsearch jails 2026-05-01 03:40:59 +00:00
7994aad8d8 security: harden lazyworkhorse with firewall, fail2ban, SSH hardening
- Firewall (default deny):
  - Allow only essential ports: SSH(2424), Gitea(2222), HTTP(80), HTTPS(443)
  - Rate limit SSH (max 4 new connections/60s)
  - Rate limit HTTP/HTTPS (25/minute)
  - Drop invalid packets, log dropped packets

- Fail2ban (auto-ban attackers):
  - SSH jail: 3 strikes = 1 hour ban
  - HTTP auth failures: 5 strikes = 1 hour ban
  - HTTP scanning: 2 strikes = 2 hour ban
  - Recidive jail: repeat offenders = 1 week ban

- SSH hardening:
  - No root login
  - Max 3 auth tries, 5 sessions
  - 30s login grace time
  - No X11/TCP/agent forwarding
  - Verbose logging

- Kernel network hardening:
  - SYN flood protection (syncookies)
  - IP spoofing protection (rp_filter)
  - Disable source routing, redirects
  - Log martian packets
  - Connection tuning for high load

- Audit logging enabled

Ports commented for review (likely internal-only):
- 8000 (Portainer), 4242 (Coms), 5000/8087/8089 (TAK)
2026-04-30 17:46:39 +00:00
Robert
bc875ef9fb feat: isolate docker networks and add cyt-pi remote node config
- Refactor all 12 compose stacks to use isolated networks with Traefik as the hub
- Add openclaw-ssh sidecar to ai stack for reverse tunneling (port 2425)
- Add sshnode entrypoint to Traefik configuration
- Add cyt-pi host configuration for Pi Zero 2 W (headless)
- Include kismet and target_detector_cli services for remote Wi-Fi monitoring
- Add reverse SSH tunnel service via autossh
2026-04-06 19:14:57 -04:00
Robert
8aa85e62e5 feat: add openclaw CLI to system packages 2026-04-04 17:23:15 -04:00
Robert
b9cf8a47f7 fix: set openclaw secret group to ai-worker 2026-04-04 17:15:24 -04:00
Robert
ce20fad4d3 fix: enable flake-self-attrs for lix compatibility 2026-04-04 16:54:10 -04:00
Robert
401b23ce46 feat: add openclaw node service and migrate to lix
- Add headless openclaw node systemd service for host execution
- Migrate from nix to lix package manager
- Permit openclaw-2026.3.12 (insecure package warning)
- Use ai-worker user for node service
2026-04-04 16:26:33 -04:00
13dbf18f67 Progress dump before ai agent 2026-04-04 04:57:47 -04:00
0845262c05 style: format Nix files after modifications 2026-01-01 14:32:17 -05:00
9531bff929 chore: enhance system configuration with hardware sensors, GPU support, and security 2026-01-01 02:25:11 -05:00
1210a44ecc Commented graphic drivers. Longer janitor time. 2025-12-27 17:17:16 -05:00
f5b3a04378 Added amd driver, rocm 2025-08-31 20:23:43 -04:00
3497d93dcb Added a bootstrap key 2025-08-19 18:00:09 -04:00
955c3255a0 WIP on host ssh key. Broken. 2025-08-17 17:26:59 -04:00
6b367a7c95 WIP on fan control 2025-08-15 21:15:59 -04:00
02155976ab Enable ssd health and zfs snapshot 2025-08-15 21:11:22 -04:00
911f3589a2 Used agenix to manage secrets, 4 services up, ssh 2025-08-08 17:00:47 -04:00
ac6c3688ef Some more work toward a modular config 2025-08-04 22:15:59 -04:00
94f0ce50ae Preparing to switch to flakes 2025-08-03 15:42:02 -04:00
b69b0853d3 Initial commit 2025-08-03 12:47:46 -04:00