878fdb836b
feat: add worldmonitor compose stack (int)
2026-05-31 11:23:36 -04:00
96bc20ab70
feat: add Syncthing firewall port and update compose submodule
2026-05-14 21:36:26 -04:00
Robert
23fc5e0597
Give a little more ssh room for tramp
2026-05-13 12:41:09 -04:00
c53460c400
fix: remove dns option from wireguard config (not a valid nixos option)
2026-05-05 03:26:44 +00:00
Robert
ee96593e3d
Merge branch 'feat/wireguard-vpn' of ssh://code.lazyworkhorse.net:2222/gortium/infra into feat/wireguard-vpn
2026-05-04 23:22:35 -04:00
Robert
5935747902
Security fixes
2026-05-04 23:20:57 -04:00
5c481d664a
fix: split tunnel on host VPN - only route 10.8.0.0/24
2026-05-05 02:41:29 +00:00
94a7c7195a
fix: remove exposed keys from comments
2026-05-05 02:12:55 +00:00
cf279c4fb0
feat: add host-level WireGuard client via networking.wireguard
- Add wg0 interface config with agenix-managed secrets
- Revert compose submodule to remove NET_ADMIN from Hermes
- WireGuard runs at host level, all containers inherit the tunnel
2026-05-05 02:11:41 +00:00
48245518a1
fix: load iptables kernel modules for WireGuard NAT
wg-easy needs iptable_nat and iptable_filter to set up
masquerading for VPN traffic. These modules must be loaded
at boot for the container to access iptables.
2026-05-05 01:17:14 +00:00
1673a56439
feat: add WireGuard VPN stack
- Add vpn stack to services.dockerStacks
- Open UDP port 51820 for WireGuard protocol
- Update compose submodule to include vpn stack
2026-05-04 22:49:06 +00:00
bcebf18676
fix: move filter into jail settings (NixOS submodule doesn't pass string filters)
2026-05-01 11:59:33 +00:00
0370d784a0
fix: http-botsearch logpath must be string, not list
2026-05-01 04:02:06 +00:00
260b2d2756
fix: restructure fail2ban jails per NixOS module - recidive in jails, settings attr, str bantime
2026-05-01 03:59:32 +00:00
2477acdfc7
fix: services.fail2ban top-level options - no findtime, maxretry lowercase
2026-05-01 03:57:21 +00:00
81c25d3f20
fix: use security.auditd instead of services.auditd
2026-05-01 03:55:09 +00:00
9b1f467db9
fix: remove invalid networking.firewall.defaultAllow option
2026-05-01 03:52:57 +00:00
65fa778b2b
fix: add custom traefik fail2ban filters for http-auth and http-botsearch jails
2026-05-01 03:40:59 +00:00
7994aad8d8
security: harden lazyworkhorse with firewall, fail2ban, SSH hardening
- Firewall (default deny):
  - Allow only essential ports: SSH(2424), Gitea(2222), HTTP(80), HTTPS(443)
  - Rate limit SSH (max 4 new connections/60s)
  - Rate limit HTTP/HTTPS (25/minute)
  - Drop invalid packets, log dropped packets
- Fail2ban (auto-ban attackers):
  - SSH jail: 3 strikes = 1 hour ban
  - HTTP auth failures: 5 strikes = 1 hour ban
  - HTTP scanning: 2 strikes = 2 hour ban
  - Recidive jail: repeat offenders = 1 week ban
- SSH hardening:
  - No root login
  - Max 3 auth tries, 5 sessions
  - 30s login grace time
  - No X11/TCP/agent forwarding
  - Verbose logging
- Kernel network hardening:
  - SYN flood protection (syncookies)
  - IP spoofing protection (rp_filter)
  - Disable source routing, redirects
  - Log martian packets
  - Connection tuning for high load
- Audit logging enabled

Ports commented for review (likely internal-only):
- 8000 (Portainer), 4242 (Coms), 5000/8087/8089 (TAK)
2026-04-30 17:46:39 +00:00
Robert
8aa85e62e5
feat: add openclaw CLI to system packages
2026-04-04 17:23:15 -04:00
Robert
b9cf8a47f7
fix: set openclaw secret group to ai-worker
2026-04-04 17:15:24 -04:00
Robert
ce20fad4d3
fix: enable flake-self-attrs for lix compatibility
2026-04-04 16:54:10 -04:00
Robert
401b23ce46
feat: add openclaw node service and migrate to lix
- Add headless openclaw node systemd service for host execution
- Migrate from nix to lix package manager
- Permit openclaw-2026.3.12 (insecure package warning)
- Use ai-worker user for node service
2026-04-04 16:26:33 -04:00
13dbf18f67
Progress dump before ai agent
2026-04-04 04:57:47 -04:00
0845262c05
style: format Nix files after modifications
2026-01-01 14:32:17 -05:00
9531bff929
chore: enhance system configuration with hardware sensors, GPU support, and security
2026-01-01 02:25:11 -05:00
1210a44ecc
Commented graphic drivers. Longer janitor time.
2025-12-27 17:17:16 -05:00
f5b3a04378
Added AMD driver, ROCm
2025-08-31 20:23:43 -04:00
3497d93dcb
Added a bootstrap key
2025-08-19 18:00:09 -04:00
955c3255a0
WIP on host SSH key. Broken.
2025-08-17 17:26:59 -04:00
6b367a7c95
WIP on fan control
2025-08-15 21:15:59 -04:00
02155976ab
Enable ssd health and zfs snapshot
2025-08-15 21:11:22 -04:00
911f3589a2
Used agenix to manage secrets, 4 services up, ssh
2025-08-08 17:00:47 -04:00
ac6c3688ef
Some more work toward a modular config
2025-08-04 22:15:59 -04:00
94f0ce50ae
Preparing to switch to flakes
2025-08-03 15:42:02 -04:00
b69b0853d3
Initial commit
2025-08-03 12:47:46 -04:00