gortium/infra
1
1
Fork 0
Code Issues 13 Pull Requests 21 Actions Packages Projects 1 Releases Wiki Activity

Compare commits

base: gortium:feat/compose-submodule-v2
Branches Tags
gortium:master gortium:feat/worldmonitor gortium:feat/ups-config gortium:feat/rollback-sentinel-on-fresh-branch gortium:fix/honcho-vector-dim-empty gortium:fix/backup-submodule-update gortium:feat/restrict-docker-blacklist gortium:feat/restrict-docker-commands-for-ai-worker gortium:fix/hermes-matrix-deps-venv-persist gortium:feat/uconsole-cm5-v3 gortium:fix/update-compose-submodule-matrix-bridge gortium:feat/nix-deployment-v2 gortium:kvm-pr gortium:feat/nixos-ci-workflow gortium:kvm-pr-consolidate gortium:feat/hermes-workspace-combined gortium:feat/hyperspace-pods-module gortium:feat/hermes-workspace gortium:feat/hermes-workers gortium:feat/add-paperclip-agent-orchestrator gortium:feat/syncthing-org-sync gortium:fix/vpn-iptables-nft-v3 gortium:fix/vpn-iptables-nft-v2 gortium:fix/vpn-iptables-nft-upstream gortium:feat/nixos-ci gortium:feat/update-compose-submodule-custom-tools gortium:feat/kvm-libvirt gortium:fix/wg-easy-iptables-nft gortium:feat/compose-submodule-v2 gortium:feat/hermes-fork-dockerfile gortium:ai-worker-restricted-access gortium:feat/wireguard-vpn gortium:feat/k3s-pod-cluster gortium:feature/server-hardening-clean gortium:docs/merge-priority-order gortium:feat/hermes-voice-gpu-support gortium:feat/uconsole-cm5-v2 gortium:fix/matrix-bridge-v2 gortium:fix/backup-network-v2 gortium:feat/docker-add-qemu-cross-compilation gortium:feat/docker-add-latex-stack gortium:feat/docker-add-chromium-browser-deps gortium:feat/docker-add-curl-poppler-imagemagick gortium:feat/add-uconsole-host gortium:home_manager
...
compare: gortium:8bdd0e352a69e595307df636fb07eedaf3dbab0f
Branches Tags
gortium:feat/worldmonitor gortium:feat/ups-config gortium:feat/rollback-sentinel-on-fresh-branch gortium:fix/honcho-vector-dim-empty gortium:fix/backup-submodule-update gortium:feat/restrict-docker-blacklist gortium:feat/restrict-docker-commands-for-ai-worker gortium:fix/hermes-matrix-deps-venv-persist gortium:feat/uconsole-cm5-v3 gortium:fix/update-compose-submodule-matrix-bridge gortium:feat/nix-deployment-v2 gortium:kvm-pr gortium:feat/nixos-ci-workflow gortium:kvm-pr-consolidate gortium:feat/hermes-workspace-combined gortium:feat/hyperspace-pods-module gortium:feat/hermes-workspace gortium:feat/hermes-workers gortium:feat/add-paperclip-agent-orchestrator gortium:master gortium:feat/syncthing-org-sync gortium:fix/vpn-iptables-nft-v3 gortium:fix/vpn-iptables-nft-v2 gortium:fix/vpn-iptables-nft-upstream gortium:feat/nixos-ci gortium:feat/update-compose-submodule-custom-tools gortium:feat/kvm-libvirt gortium:fix/wg-easy-iptables-nft gortium:feat/compose-submodule-v2 gortium:feat/hermes-fork-dockerfile gortium:ai-worker-restricted-access gortium:feat/wireguard-vpn gortium:feat/k3s-pod-cluster gortium:feature/server-hardening-clean gortium:docs/merge-priority-order gortium:feat/hermes-voice-gpu-support gortium:feat/uconsole-cm5-v2 gortium:fix/matrix-bridge-v2 gortium:fix/backup-network-v2 gortium:feat/docker-add-qemu-cross-compilation gortium:feat/docker-add-latex-stack gortium:feat/docker-add-chromium-browser-deps gortium:feat/docker-add-curl-poppler-imagemagick gortium:feat/add-uconsole-host gortium:home_manager

3 Commits
feat/compo ... 8bdd0e352a

Author SHA1 Message Date
Hermes
8bdd0e352a fix: correct fail2ban options - use lower attr names, nested settings, proper types 2026-05-01 02:12:31 +00:00
Hermes
9291d83870 fix: services.auditd -> security.audit (correct NixOS option path) 2026-05-01 02:09:50 +00:00
Hermes
6999d50f35 fix: remove invalid networking.firewall.defaultAllow option - NixOS denies by default 2026-05-01 02:07:49 +00:00
1 changed files with 32 additions and 28 deletions
Expand all files Collapse all files

60
hosts/lazyworkhorse/configuration.nix
View File

@@ -316,7 +316,6 @@
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowPing = true; allowPing = true;
defaultAllow = false;
# Only essential ports exposed to internet # Only essential ports exposed to internet
allowedTCPPorts = [ allowedTCPPorts = [
@@ -356,50 +355,55 @@
# Fail2ban - automatic IP banning # Fail2ban - automatic IP banning
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
maxRetry = 3; maxretry = 3;
findtime = 600; bantime = "1h";
bantime = 3600;
banaction = "iptables-multiport"; banaction = "iptables-multiport";
# Ban repeat offenders for 1 week
recidive = {
enabled = true;
filter = "recidive";
logpath = "/var/log/fail2ban.log";
bantime = 604800;
findtime = 86400;
maxretry = 3;
};
jails = { jails = {
# Ban repeat offenders for 1 week
recidive = {
enabled = true;
filter = "recidive";
settings = {
logpath = "/var/log/fail2ban.log";
bantime = "1w";
findtime = "1d";
maxretry = 3;
};
};
# SSH brute force protection # SSH brute force protection
sshd = { sshd = {
enabled = true; enabled = true;
filter = "sshd"; settings = {
port = "2424"; port = "2424";
logpath = "/var/log/auth.log"; maxretry = 3;
maxretry = 3; bantime = "1h";
bantime = 3600; };
}; };
# HTTP authentication failures # HTTP authentication failures
http-auth = { http-auth = {
enabled = true; enabled = true;
filter = "apache-auth"; filter = "apache-auth";
port = "80,443"; settings = {
logpath = "/var/log/traefik/access.log"; port = "80,443";
maxretry = 5; logpath = "/var/log/traefik/access.log";
bantime = 3600; maxretry = 5;
bantime = "1h";
};
}; };
# HTTP scanning/attacks # HTTP scanning/attacks
http-botsearch = { http-botsearch = {
enabled = true; enabled = true;
filter = "apache-botsearch"; filter = "apache-botsearch";
port = "80,443"; settings = {
logpath = [ "/var/log/traefik/access.log" ]; port = "80,443";
maxretry = 2; logpath = "/var/log/traefik/access.log";
bantime = 7200; maxretry = 2;
bantime = "2h";
};
}; };
}; };
}; };
@@ -470,7 +474,7 @@
}; };
# Audit logging # Audit logging
services.auditd.enable = true; security.audit.enable = true;
# Fail2ban log directory # Fail2ban log directory
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [