e798c2f16b
feat: add APC Back-UPS BVK1200M2 NUT configuration
...
Add power.ups module configuration for the APC Back-UPS BVK1200M2
connected via USB (vendor 051d, product 0002) in standalone mode.
- Driver: usbhid-ups with auto port detection
- upsd listening on localhost only
- upsmon configured as master for graceful shutdown
- Uses the built-in NixOS power.ups module
2026-05-25 00:15:58 -04:00
96bc20ab70
feat: add Syncthing firewall port and update compose submodule
2026-05-14 21:36:26 -04:00
Robert
23fc5e0597
Give a little more ssh room for tramp
2026-05-13 12:41:09 -04:00
c53460c400
fix: remove dns option from wireguard config (not a valid nixos option)
2026-05-05 03:26:44 +00:00
Robert
ee96593e3d
Merge branch 'feat/wireguard-vpn' of ssh://code.lazyworkhorse.net:2222/gortium/infra into feat/wireguard-vpn
2026-05-04 23:22:35 -04:00
Robert
5935747902
Security fixes
2026-05-04 23:20:57 -04:00
5c481d664a
fix: split tunnel on host VPN - only route 10.8.0.0/24
2026-05-05 02:41:29 +00:00
94a7c7195a
fix: remove exposed keys from comments
2026-05-05 02:12:55 +00:00
cf279c4fb0
feat: add host-level WireGuard client via networking.wireguard
...
- Add wg0 interface config with agenix-managed secrets
- Revert compose submodule to remove NET_ADMIN from Hermes
- WireGuard runs at host level, all containers inherit the tunnel
2026-05-05 02:11:41 +00:00
48245518a1
fix: load iptables kernel modules for WireGuard NAT
...
wg-easy needs iptable_nat and iptable_filter to set up
masquerading for VPN traffic. These modules must be loaded
at boot for the container to access iptables.
2026-05-05 01:17:14 +00:00
1673a56439
feat: add WireGuard VPN stack
...
- Add vpn stack to services.dockerStacks
- Open UDP port 51820 for WireGuard protocol
- Update compose submodule to include vpn stack
2026-05-04 22:49:06 +00:00
bcebf18676
fix: move filter into jail settings (NixOS submodule doesn't pass string filters)
2026-05-01 11:59:33 +00:00
0370d784a0
fix: http-botsearch logpath must be string, not list
2026-05-01 04:02:06 +00:00
260b2d2756
fix: restructure fail2ban jails per NixOS module - recidive in jails, settings attr, str bantime
2026-05-01 03:59:32 +00:00
2477acdfc7
fix: services.fail2ban top-level options - no findtime, maxretry lowercase
2026-05-01 03:57:21 +00:00
81c25d3f20
fix: use security.auditd instead of services.auditd
2026-05-01 03:55:09 +00:00
9b1f467db9
fix: remove invalid networking.firewall.defaultAllow option
2026-05-01 03:52:57 +00:00
65fa778b2b
fix: add custom traefik fail2ban filters for http-auth and http-botsearch jails
2026-05-01 03:40:59 +00:00
7994aad8d8
security: harden lazyworkhorse with firewall, fail2ban, SSH hardening
...
- Firewall (default deny):
- Allow only essential ports: SSH(2424), Gitea(2222), HTTP(80), HTTPS(443)
- Rate limit SSH (max 4 new connections/60s)
- Rate limit HTTP/HTTPS (25/minute)
- Drop invalid packets, log dropped packets
- Fail2ban (auto-ban attackers):
- SSH jail: 3 strikes = 1 hour ban
- HTTP auth failures: 5 strikes = 1 hour ban
- HTTP scanning: 2 strikes = 2 hour ban
- Recidive jail: repeat offenders = 1 week ban
- SSH hardening:
- No root login
- Max 3 auth tries, 5 sessions
- 30s login grace time
- No X11/TCP/agent forwarding
- Verbose logging
- Kernel network hardening:
- SYN flood protection (syncookies)
- IP spoofing protection (rp_filter)
- Disable source routing, redirects
- Log martian packets
- Connection tuning for high load
- Audit logging enabled
Ports commented for review (likely internal-only):
- 8000 (Portainer), 4242 (Coms), 5000/8087/8089 (TAK)
2026-04-30 17:46:39 +00:00
Robert
bc875ef9fb
feat: isolate docker networks and add cyt-pi remote node config
...
- Refactor all 12 compose stacks to use isolated networks with Traefik as the hub
- Add openclaw-ssh sidecar to ai stack for reverse tunneling (port 2425)
- Add sshnode entrypoint to Traefik configuration
- Add cyt-pi host configuration for Pi Zero 2 W (headless)
- Include kismet and target_detector_cli services for remote Wi-Fi monitoring
- Add reverse SSH tunnel service via autossh
2026-04-06 19:14:57 -04:00
Robert
8aa85e62e5
feat: add openclaw CLI to system packages
2026-04-04 17:23:15 -04:00
Robert
b9cf8a47f7
fix: set openclaw secret group to ai-worker
2026-04-04 17:15:24 -04:00
Robert
ce20fad4d3
fix: enable flake-self-attrs for lix compatibility
2026-04-04 16:54:10 -04:00
Robert
401b23ce46
feat: add openclaw node service and migrate to lix
...
- Add headless openclaw node systemd service for host execution
- Migrate from nix to lix package manager
- Permit openclaw-2026.3.12 (insecure package warning)
- Use ai-worker user for node service
2026-04-04 16:26:33 -04:00
13dbf18f67
Progress dump before ai agent
2026-04-04 04:57:47 -04:00
0845262c05
style: format Nix files after modifications
2026-01-01 14:32:17 -05:00
9531bff929
chore: enhance system configuration with hardware sensors, GPU support, and security
2026-01-01 02:25:11 -05:00
1210a44ecc
Commented graphic drivers. longer janitor time.
2025-12-27 17:17:16 -05:00
f5b3a04378
Added amd driver, rocm
2025-08-31 20:23:43 -04:00
3497d93dcb
Added a bootstrap key
2025-08-19 18:00:09 -04:00
955c3255a0
WIP on host ssh key. broken.
2025-08-17 17:26:59 -04:00
6b367a7c95
WIP on fan control
2025-08-15 21:15:59 -04:00
02155976ab
Enable ssd health and zfs snapshot
2025-08-15 21:11:22 -04:00
911f3589a2
Used agenix to manage secrets, 4 services up, ssh
2025-08-08 17:00:47 -04:00
ac6c3688ef
Some more work toward a modular config
2025-08-04 22:15:59 -04:00
94f0ce50ae
Preparing to switch to flakes
2025-08-03 15:42:02 -04:00
b69b0853d3
Initial commit
2025-08-03 12:47:46 -04:00
