Commit Graph

69 Commits

Author SHA1 Message Date
Jake Howard
f88d224168 Allow only exposing services over Tailscale
This works using public DNS, so doesn't need Tailscale's magic DNS to override my local.
2024-03-07 22:30:10 +00:00
Jake Howard
0dcc3f7c30 Use regular version of nginx on Arch
`nginx-mainline` requires modules be recompiled each time, and isn't handled automatically. It's still a very new and maintained release.
2024-02-29 19:46:32 +00:00
Jake Howard
808e72553b Add the basics of some edge caching 2024-02-21 21:42:16 +00:00
Jake Howard
b6eca40ae0 Allow tailscale IP in more places 2024-02-07 18:21:16 +00:00
Jake Howard
dfa8328e7b Move gateway logs to separate file 2024-01-31 21:06:19 +00:00
Jake Howard
2ceeaf091d Deploy headscale 2024-01-27 14:18:37 +00:00
Jake Howard
92052a3d0a Unify nginx configuration
This creates a simple base configuration skeleton, that other configuration can be easily loaded into.
2023-12-16 17:47:04 +00:00
Jake Howard
5a0df92a6a Disable ip_forward
I don't need P2P comms for this, so disable this for extra security.

I should add a proper firewall at some point...
2023-09-01 19:52:36 +01:00
Jake Howard
da55e3fb5f Fix references to home dir 2023-06-17 16:00:30 +01:00
Jake Howard
2af9f8529d Fix new ansible-lint errors
Quite a few changes here, hopefully they work!
2023-06-15 15:16:19 +01:00
Jake Howard
f07b5d9b7b Migrate include: to include_tasks 2022-01-22 20:21:32 +00:00
Jake Howard
188b7c9dd6 Install wireguard tools before provisioning config 2022-01-21 20:29:34 +00:00
Jake Howard
1db289b604 Show domain in logs rather than upstream
The upstream is always the same, and no use to us
2022-01-19 09:00:20 +00:00
Jake Howard
c5215e330b Update yamllint to fix dependency issue
I think this still validates everything we need it to
2022-01-11 20:51:12 +00:00
Jake Howard
4db474034e Ignore my VMs from fail2ban 2021-09-27 14:49:56 +01:00
Jake Howard
a278443850 Use auto on nginx configs
Let nginx work it out, and default to 1 per core
2021-09-04 22:41:30 +01:00
Jake Howard
95216b32c4 Consolidate server blocks 2021-08-24 14:31:12 +01:00
Jake Howard
ecb946bab4 Remove nginx version from headers 2021-08-23 16:12:34 +01:00
Jake Howard
93cba46dd1 Redirect to HTTPS at the edge 2021-08-23 16:10:37 +01:00
Jake Howard
a54d373526 Replace edge proxy with nginx
The config makes more sense, and it has more of the features I need, which will come later.
2021-08-22 22:35:09 +01:00
Jake Howard
797c44a27d Use proxy protocol v2
Apparently it's better for chaining, and may be faster anyway
2021-07-01 22:28:25 +01:00
Jake Howard
3485f8e1f0 Actually version the ingress haproxy config 2021-06-12 17:32:47 +01:00
Jake Howard
33fcf1a9e5 Fix matrix federation
Apparently this has been broken since like March...

It seems communication over port 8448 is required for server-to-server
comms, even if the client doesn't use it.
2021-06-12 17:32:47 +01:00
Jake Howard
3c8d9fe940 Block all ports 2021-03-28 16:28:07 +01:00
Jake Howard
4d218248fa Remotely connect to fail2ban to do ports
Traefik can affect the edge, so blocks work there and prevent traffic hitting home network.
2021-03-28 16:06:36 +01:00
Jake Howard
5084bfecdf Ignore PVE interface from f2b jails 2021-03-24 22:35:28 +00:00
Jake Howard
f7a0877e72 Exclude nebula from fail2ban 2021-02-14 11:39:01 +00:00
Jake Howard
385917ba4e Decrease find time
Hopefully reduce false-positive catches
2021-02-14 11:22:32 +00:00
Jake Howard
c38ecfebd7 Update gateway to point to ingress instance 2021-01-09 18:17:54 +00:00
Jake Howard
58879d2e1d Ensure fail2ban and logrotate are available on all machines 2020-12-27 22:39:33 +00:00
Jake Howard
5eb3870fbe Set mode on fail2ban filter and jail 2020-10-24 12:10:54 +01:00
Jake Howard
bedbb0f5f4 Fix service to restart 2020-10-16 19:16:42 +01:00
Jake Howard
1930cc83e8 Use generic package module 2020-10-16 19:16:42 +01:00
Jake Howard
b2e91d7d6d Update haproxy fail2ban jail to use systemd for logs 2020-10-16 19:16:42 +01:00
Jake Howard
4890c3d3e5 Revert "Remove fail2ban"
This reverts commit 1f0e33acc8.
2020-10-16 19:16:42 +01:00
Jake Howard
29c9e14f62 Remove haproxy chroot
This is technically _slightly_ less secure, but means it logs to journald properly, so can be picked up by fail2ban in future
2020-10-05 11:10:29 +01:00
Jake Howard
24d11deeae Update ansible-lint
Required a lot of renaming :(
2020-09-26 17:53:47 +01:00
Jake Howard
dd12b795b5 Remove pihole
Internal VPN server is working just perfectly instead
2020-06-24 18:46:13 +01:00
Jake Howard
913ee4759f Quote value to silence errors 2020-06-18 21:18:47 +01:00
Jake Howard
600bc4bb58 Ensure sysctl change is persisted
See note in https://wiki.archlinux.org/index.php/Sysctl#Configuration
2020-05-16 16:15:58 +01:00
Jake Howard
112e8ce985 Install some wireguard tools 2020-05-11 11:59:46 +01:00
Jake Howard
5289206f14 Remove unnecessary quotes 2020-05-09 20:11:08 +01:00
Jake Howard
1f0e33acc8 Remove fail2ban
Keeps getting hit by stats. I should fix that at some point
2020-05-09 20:09:36 +01:00
Jake Howard
f3126e34b9 Update haproxy config for use on arch 2020-05-09 20:08:27 +01:00
Jake Howard
059cb585db Use OS-agnostic package install for haproxy 2020-05-09 20:08:14 +01:00
Jake Howard
095c8c4562 Use sysctl to enable p2p comms 2020-05-09 20:07:19 +01:00
Jake Howard
974e0e8467 Enable services
Not just during reload
2020-04-28 20:48:15 +01:00
Jake Howard
051ec43769 wg-quick can't be reloaded
This might break things!
2020-04-26 12:05:45 +01:00
Jake Howard
ff8beea3c4 Massively increase timeouts to prevent websocket issues 2020-04-17 23:04:20 +01:00
Jake Howard
1da3ca95e7 Stop using unstable repos to install wireguard
It's in backports now, which is much easier to install from!
2020-04-17 09:08:10 +01:00