- Configure fail2ban with progressive ban times (1h base, up to 10000h max)
- Add SSH jail with password authentication disabled
- Add Forgejo jail using systemd journal backend
- Ignore private networks and Tailscale IPs
- Set Forgejo to 10 retries per hour, 15min initial ban
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add OAuth2 client configuration to enable auto-registration via SSO
with Kanidm, while disabling direct public registration. Users can now
authenticate through the identity provider with automatic account
creation and avatar syncing.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Changed certificate generation from HTTP-01 to DNS-01 challenge to support
services behind Tailscale/CGNAT IPs. HTTP-01 challenges fail because Let's
Encrypt cannot reach private Tailscale IPs (100.x.x.x) that Cloudflare DNS
points to.
Changes:
- Pre-configure certificates in security.acme.certs using DNS-01 via Cloudflare
- Auto-generate certificate configs from shared/services.nix
- Alexandria: filters services with host == "alexandria"
- Trantor: filters services with host == "trantor"
- Updated mkNginxVHosts to use useACMEHost instead of enableACME
- Each domain gets its own certificate configured with DNS-01 challenge
This ensures all services get valid Let's Encrypt certificates even when
accessible only through Tailscale or private networks.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Migrated forgejo service and configuration to trantor. Added nginx reverse
proxy support on trantor with ACME configuration for SSL certificates.
Fixed vaultwarden domain in shared services from vault.baduhai.dev to
pass.baduhai.dev to match actual nginx configuration.
Alexandria's unbound now only serves LAN clients (192.168.0.0/16) and
returns LAN IPs for service domains.
Created new unbound instance on trantor to serve Tailscale clients
(100.64.0.0/10) and return tailscale IPs for service domains.
Both configurations pull service records from shared/services.nix.
