fireproof/nixos
1
0
Fork 0
mirror of https://github.com/nickolaj-jepsen/nixos.git synced 2026-01-22 08:06:50 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: add fail2ban and scrutiny

Browse source
This commit is contained in:
Nickolaj Jepsen 2026-01-20 23:41:10 +01:00
parent 4e8afa2dfc
commit d45f6a9359
6 changed files with 107 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

2
modules/homelab/default.nix
View file

@ -17,6 +17,8 @@
./prometheus.nix ./prometheus.nix
./qbittorrent.nix ./qbittorrent.nix
./restic.nix ./restic.nix
./scrutiny.nix
./security.nix
./sso.nix ./sso.nix
./vaultwarden.nix ./vaultwarden.nix
]; ];

12
modules/homelab/glance.nix
View file

@ -251,6 +251,18 @@ in {
icon = "sh:zitadel"; icon = "sh:zitadel";
same-tab = true; same-tab = true;
} }
{
title = "Scrutiny";
url = "https://scrutiny.nickolaj.com";
icon = "sh:scrutiny";
same-tab = true;
}
{
title = "Grafana";
url = "https://fireproof.grafana.net/a/grafana-setupguide-app/home";
icon = "si:grafana";
same-tab = true;
}
]; ];
} }
{ {

13
modules/homelab/nginx.nix
View file

@ -13,6 +13,19 @@ lib.mkIf config.fireproof.homelab.enable {
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedBrotliSettings = true; recommendedBrotliSettings = true;
virtualHosts."status.localhost" = {
listen = [{ addr = "127.0.0.1"; port = 8070; }];
locations."/metrics" = {
extraConfig = ''
stub_status;
access_log off;
allow 127.0.0.1;
allow ::1;
deny all;
'';
};
};
}; };
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;

24
modules/homelab/prometheus.nix
View file

@ -14,7 +14,7 @@ lib.mkIf config.fireproof.homelab.enable (let
}; };
targets = [ targets = [
"${toString config.services.prometheus.exporters.${name}.listenAddress}:${toString config.services.prometheus.exporters.${name}.port}" "127.0.0.1:${toString config.services.prometheus.exporters.${name}.port}"
]; ];
} }
]; ];
@ -42,13 +42,25 @@ in {
scrapeConfigs = [ scrapeConfigs = [
(mkScrapeConfig "node") (mkScrapeConfig "node")
(mkScrapeConfig "nginx")
(mkScrapeConfig "postgres")
]; ];
exporters.node = { exporters = {
enable = true; node = {
extraFlags = [ enable = true;
"--web.disable-exporter-metrics" extraFlags = [
]; "--web.disable-exporter-metrics"
];
};
nginx = {
enable = true;
scrapeUri = "http://127.0.0.1:8070/metrics";
};
postgres = {
enable = true;
runAsLocalSuperUser = true;
};
}; };
}; };
}) })

26
modules/homelab/scrutiny.nix Normal file
View file

@ -0,0 +1,26 @@
{
config,
lib,
...
}:
lib.mkIf config.fireproof.homelab.enable {
services.restic.backups.homelab.paths = ["/var/lib/scrutiny"];
services.scrutiny = {
enable = true;
collector.enable = true;
settings = {
web.listen.port = 8089;
};
};
services.oauth2-proxy.nginx.virtualHosts."scrutiny.nickolaj.com".allowed_groups = ["admin"];
services.nginx.virtualHosts."scrutiny.nickolaj.com" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:8089";
};
};
}

36
modules/homelab/security.nix Normal file
View file

@ -0,0 +1,36 @@
{
config,
lib,
...
}:
lib.mkIf config.fireproof.homelab.enable {
services.fail2ban = {
enable = true;
maxretry = 5;
ignoreIP = [
"127.0.0.1/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
];
jails = {
nginx-http-auth.settings = {
enabled = true;
filter = "nginx-http-auth";
port = "http,https";
logpath = "/var/log/nginx/error.log";
};
nginx-botsearch.settings = {
enabled = true;
filter = "nginx-botsearch";
port = "http,https";
logpath = "/var/log/nginx/error.log";
};
nginx-bad-request.settings = {
enabled = true;
port = "http,https";
logpath = "/var/log/nginx/error.log";
};
};
};
}