diff --git a/hosts/trantor/fail2ban.nix b/hosts/trantor/fail2ban.nix deleted file mode 100644 index 4ef1bbc..0000000 --- a/hosts/trantor/fail2ban.nix +++ /dev/null @@ -1,43 +0,0 @@ -{ config, pkgs, ... }: - -{ - services.fail2ban = { - enable = true; - maxretry = 5; - ignoreIP = [ - "127.0.0.0/8" - "::1" - "10.0.0.0/8" - "172.16.0.0/12" - "192.168.0.0/16" - "100.64.0.0/10" - ]; - - bantime = "1h"; - bantime-increment = { - enable = true; - multipliers = "1 2 4 8 16 32 64"; - maxtime = "10000h"; - overalljails = true; - }; - - jails.forgejo = { - settings = { - enabled = true; - filter = "forgejo"; - backend = "systemd"; - maxretry = 10; - findtime = "1h"; - bantime = "15m"; - }; - }; - }; - - # Custom fail2ban filter for Forgejo using systemd journal - environment.etc."fail2ban/filter.d/forgejo.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' - [Definition] - journalmatch = _SYSTEMD_UNIT=forgejo.service - failregex = Failed authentication attempt for .+ from :\d+: - ignoreregex = - ''); -} diff --git a/hosts/trantor/forgejo.nix b/hosts/trantor/forgejo.nix index 227bcb4..c11573e 100644 --- a/hosts/trantor/forgejo.nix +++ b/hosts/trantor/forgejo.nix @@ -9,50 +9,26 @@ let inherit (utils) mkNginxVHosts; in { - services = { - forgejo = { - enable = true; - repositoryRoot = "/data/forgejo"; - settings = { - session.COOKIE_SECURE = true; - server = { - PROTOCOL = "http+unix"; - DOMAIN = "git.baduhai.dev"; - ROOT_URL = "https://git.baduhai.dev"; - OFFLINE_MODE = true; # disable use of CDNs - SSH_DOMAIN = "baduhai.dev"; - }; - log.LEVEL = "Warn"; - mailer.ENABLED = false; - actions.ENABLED = false; - service.DISABLE_REGISTRATION = true; - oauth2_client = { - ENABLE_AUTO_REGISTRATION = true; - UPDATE_AVATAR = true; - ACCOUNT_LINKING = "login"; - USERNAME = "preferred_username"; - }; - }; - }; - nginx.virtualHosts = mkNginxVHosts { - domains."git.baduhai.dev".locations."/".proxyPass = - "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/"; - }; - fail2ban.jails.forgejo = { - settings = { - enabled = true; - filter = "forgejo"; - logpath = "${config.services.forgejo.stateDir}/log/forgejo.log"; - maxretry = 10; - findtime = "1h"; - bantime = "15m"; + services.forgejo = { + enable = true; + repositoryRoot = "/data/forgejo"; + settings = { + session.COOKIE_SECURE = true; + server = { + PROTOCOL = "http+unix"; + DOMAIN = "git.baduhai.dev"; + ROOT_URL = "https://git.baduhai.dev"; + OFFLINE_MODE = true; # disable use of CDNs + SSH_DOMAIN = "baduhai.dev"; }; + log.LEVEL = "Warn"; + mailer.ENABLED = false; + actions.ENABLED = false; }; }; - environment.etc."fail2ban/filter.d/forgejo.conf".text = '' - [Definition] - failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from - ignoreregex = - ''; + services.nginx.virtualHosts = mkNginxVHosts { + domains."git.baduhai.dev".locations."/".proxyPass = + "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/"; + }; } diff --git a/hosts/trantor/openssh.nix b/hosts/trantor/openssh.nix deleted file mode 100644 index 51d8795..0000000 --- a/hosts/trantor/openssh.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ ... }: - -{ - services = { - openssh = { - settings = { - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - }; - }; - fail2ban.jails.sshd = { - settings = { - enabled = true; - port = "ssh"; - filter = "sshd"; - logpath = "/var/log/auth.log"; - maxretry = 5; - findtime = "10m"; - bantime = "1h"; - }; - }; - }; -} diff --git a/secrets/forgejo-root-password.age b/secrets/forgejo-root-password.age deleted file mode 100644 index 90be612..0000000 Binary files a/secrets/forgejo-root-password.age and /dev/null differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index a90cd74..84b14d6 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -27,9 +27,4 @@ in rotterdam-user alexandria ]; - "forgejo-root-password.age".publicKeys = [ - io-user - rotterdam-user - trantor - ]; } diff --git a/shared/services.nix b/shared/services.nix index 44f9208..8870258 100644 --- a/shared/services.nix +++ b/shared/services.nix @@ -24,7 +24,6 @@ name = "forgejo"; domain = "git.baduhai.dev"; host = "trantor"; - public = true; tailscaleIP = "100.108.5.90"; port = 3000; } diff --git a/terranix/cloudflare/baduhai.dev.nix b/terranix/cloudflare/baduhai.dev.nix index 3a5e6ee..e69de29 100644 --- a/terranix/cloudflare/baduhai.dev.nix +++ b/terranix/cloudflare/baduhai.dev.nix @@ -1,102 +0,0 @@ -# Required environment variables: -# CLOUDFLARE_API_TOKEN - API token with "Edit zone DNS" permissions -# AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage -# AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage - -{ config, lib, ... }: - -let - inherit (import ../../shared/services.nix) services; - - # Helper to extract subdomain from full domain (e.g., "git.baduhai.dev" -> "git") - getSubdomain = domain: lib.head (lib.splitString "." domain); - - # Generate DNS records for services - # Public services point to trantor's public IP - # Private services point to their tailscale IP - mkServiceRecords = lib.listToAttrs ( - lib.imap0 (i: svc: - let - subdomain = getSubdomain svc.domain; - targetIP = if svc.public or false - then config.data.terraform_remote_state.trantor "outputs.instance_public_ip" - else svc.tailscaleIP; - in { - name = "service_${toString i}"; - value = { - zone_id = config.variable.zone_id.default; - name = subdomain; - type = "A"; - content = targetIP; - proxied = false; - ttl = 3600; - }; - } - ) services - ); -in - -{ - terraform.required_providers.cloudflare = { - source = "cloudflare/cloudflare"; - version = "~> 5.0"; - }; - - terraform.backend.s3 = { - bucket = "terraform-state"; - key = "cloudflare/baduhai.dev.tfstate"; - region = "auto"; - endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com"; - skip_credentials_validation = true; - skip_metadata_api_check = true; - skip_region_validation = true; - skip_requesting_account_id = true; - use_path_style = true; - }; - - variable = { - zone_id = { - default = "c63a8332fdddc4a8e5612ddc54557044"; - type = "string"; - }; - }; - - data = { - terraform_remote_state.trantor = { - backend = "s3"; - config = { - bucket = "terraform-state"; - key = "oci/trantor.tfstate"; - region = "auto"; - endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com"; - skip_credentials_validation = true; - skip_metadata_api_check = true; - skip_region_validation = true; - skip_requesting_account_id = true; - use_path_style = true; - }; - }; - }; - - resource = { - cloudflare_dns_record = mkServiceRecords // { - root = { - zone_id = config.variable.zone_id.default; - name = "@"; - type = "A"; - content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip"; - proxied = false; - ttl = 3600; - }; - - www = { - zone_id = config.variable.zone_id.default; - name = "www"; - type = "A"; - content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip"; - proxied = false; - ttl = 3600; - }; - }; - }; -} diff --git a/terranix/oci/trantor.nix b/terranix/oci/trantor.nix index bb06585..2037d87 100644 --- a/terranix/oci/trantor.nix +++ b/terranix/oci/trantor.nix @@ -1,13 +1,3 @@ -# Required environment variables: -# instead of OCI variables, ~/.oci/config may also be used -# OCI_TENANCY_OCID - Oracle tenancy OCID (or use TF_VAR_* to override variables) -# OCI_USER_OCID - Oracle user OCID -# OCI_FINGERPRINT - API key fingerprint -# OCI_PRIVATE_KEY_PATH - Path to OCI API private key -# AWS variables are required -# AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage -# AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage - { config, ... }: { diff --git a/terranix/tailscale/tailnet.nix b/terranix/tailscale/tailnet.nix index 929e79b..e69de29 100644 --- a/terranix/tailscale/tailnet.nix +++ b/terranix/tailscale/tailnet.nix @@ -1,43 +0,0 @@ -# Required environment variables: -# TAILSCALE_API_KEY - Tailscale API key with appropriate permissions -# TAILSCALE_TAILNET - Your tailnet name (e.g., "user@example.com" or "example.org.github") -# AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage -# AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage - -{ config, ... }: - -{ - terraform.required_providers.tailscale = { - source = "tailscale/tailscale"; - version = "~> 0.17"; - }; - - terraform.backend.s3 = { - bucket = "terraform-state"; - key = "tailscale/tailnet.tfstate"; - region = "auto"; - endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com"; - skip_credentials_validation = true; - skip_metadata_api_check = true; - skip_region_validation = true; - skip_requesting_account_id = true; - use_path_style = true; - }; - - variable = { - trantor_tailscale_ip = { - default = "100.108.5.90"; - type = "string"; - }; - }; - - resource = { - tailscale_dns_nameservers.global = { - nameservers = [ - config.variable.trantor_tailscale_ip.default - "1.1.1.1" - "1.0.0.1" - ]; - }; - }; -} diff --git a/terranixConfigurations.nix b/terranixConfigurations.nix index 12c90d1..fc84f17 100644 --- a/terranixConfigurations.nix +++ b/terranixConfigurations.nix @@ -14,14 +14,6 @@ modules = [ ./terranix/oci/trantor.nix ]; terraformWrapper.package = pkgs.opentofu; }; - cloudflare-baduhaidev = { - modules = [ ./terranix/cloudflare/baduhai.dev.nix ]; - terraformWrapper.package = pkgs.opentofu; - }; - tailscale-tailnet = { - modules = [ ./terranix/tailscale/tailnet.nix ]; - terraformWrapper.package = pkgs.opentofu; - }; }; }; }