Commit graph

69 commits

Author SHA1 Message Date
f88d224168
Allow only exposing services over Tailscale
This works using public DNS, so doesn't need Tailscale's magic DNS to override my local.
2024-03-07 22:30:10 +00:00
0dcc3f7c30
Use regular version of nginx on Arch
`nginx-mainline` requires modules be recompiled each time, and isn't handled automatically. It's still a very new and maintained release.
2024-02-29 19:46:32 +00:00
808e72553b
Add the basics of some edge caching 2024-02-21 21:42:16 +00:00
b6eca40ae0
Allow tailscale IP in more places 2024-02-07 18:21:16 +00:00
dfa8328e7b
Move gateway logs to separate file 2024-01-31 21:06:19 +00:00
2ceeaf091d
Deploy headscale 2024-01-27 14:18:37 +00:00
92052a3d0a
Unify nginx configuration
This creates a simple base configuration skeleton that other configuration can be easily loaded into.
2023-12-16 17:47:04 +00:00
5a0df92a6a
Disable ip_forward
I don't need P2P comms for this, so disable this for extra security.

I should add a proper firewall at some point...
2023-09-01 19:52:36 +01:00
da55e3fb5f
Fix references to home dir 2023-06-17 16:00:30 +01:00
2af9f8529d
Fix new ansible-lint errors
Quite a few changes here, hopefully they work!
2023-06-15 15:16:19 +01:00
f07b5d9b7b
Migrate include: to include_tasks 2022-01-22 20:21:32 +00:00
188b7c9dd6
Install wireguard tools before provisioning config 2022-01-21 20:29:34 +00:00
1db289b604
Show domain in logs rather than upstream
The upstream is always the same, and no use to us
2022-01-19 09:00:20 +00:00
c5215e330b
Update yamllint to fix dependency issue
I think this still validates everything we need it to
2022-01-11 20:51:12 +00:00
4db474034e
Ignore my VMs from fail2ban 2021-09-27 14:49:56 +01:00
a278443850
Use auto on nginx configs
Let nginx work it out, and default to 1 per core
2021-09-04 22:41:30 +01:00
95216b32c4
Consolidate server blocks 2021-08-24 14:31:12 +01:00
ecb946bab4
Remove nginx version from headers 2021-08-23 16:12:34 +01:00
93cba46dd1
Redirect to HTTPS at the edge 2021-08-23 16:10:37 +01:00
a54d373526
Replace edge proxy with nginx
The config makes more sense, and it has more of the features I need, which will come later.
2021-08-22 22:35:09 +01:00
797c44a27d
Use proxy protocol v2
Apparently it's better for chaining, and may be faster anyway
2021-07-01 22:28:25 +01:00
3485f8e1f0
Actually version the ingress haproxy config 2021-06-12 17:32:47 +01:00
33fcf1a9e5
Fix matrix federation
Apparently this has been broken since like March...

It seems communication over port 8448 is required for server-to-server
comms, even if the client doesn't use it.
2021-06-12 17:32:47 +01:00
3c8d9fe940
Block all ports 2021-03-28 16:28:07 +01:00
4d218248fa
Remotely connect to fail2ban to do ports
Traefik can affect the edge, so blocks work there and prevent traffic hitting home network.
2021-03-28 16:06:36 +01:00
5084bfecdf
Ignore PVE interface from f2b jails 2021-03-24 22:35:28 +00:00
f7a0877e72
Exclude nebula from fail2ban 2021-02-14 11:39:01 +00:00
385917ba4e
Decrease find time
Hopefully reduce false-positive catches
2021-02-14 11:22:32 +00:00
c38ecfebd7
Update gateway to point to ingress instance 2021-01-09 18:17:54 +00:00
58879d2e1d
Ensure fail2ban and logrotate are available on all machines 2020-12-27 22:39:33 +00:00
5eb3870fbe
Set mode on fail2ban filter and jail 2020-10-24 12:10:54 +01:00
bedbb0f5f4
Fix service to restart 2020-10-16 19:16:42 +01:00
1930cc83e8
Use generic package module 2020-10-16 19:16:42 +01:00
b2e91d7d6d
Update haproxy fail2ban jail to use systemd for logs 2020-10-16 19:16:42 +01:00
4890c3d3e5
Revert "Remove fail2ban"
This reverts commit 1f0e33acc8.
2020-10-16 19:16:42 +01:00
29c9e14f62
Remove haproxy chroot
This is technically _slightly_ less secure, but means it logs to journald properly, so can be picked up by fail2ban in future
2020-10-05 11:10:29 +01:00
24d11deeae
Update ansible-lint
Required a lot of renaming :(
2020-09-26 17:53:47 +01:00
dd12b795b5
Remove pihole
Internal VPN server is working just perfectly instead
2020-06-24 18:46:13 +01:00
913ee4759f
Quote value to silence errors 2020-06-18 21:18:47 +01:00
600bc4bb58
Ensure sysctl change is persisted
See note in https://wiki.archlinux.org/index.php/Sysctl#Configuration
2020-05-16 16:15:58 +01:00
112e8ce985
Install some wireguard tools 2020-05-11 11:59:46 +01:00
5289206f14
Remove unnecessary quotes 2020-05-09 20:11:08 +01:00
1f0e33acc8
Remove fail2ban
Keeps getting hit by stats. I should fix that at some point
2020-05-09 20:09:36 +01:00
f3126e34b9
Update haproxy config for use on arch 2020-05-09 20:08:27 +01:00
059cb585db
Use OS-agnostic package install for haproxy 2020-05-09 20:08:14 +01:00
095c8c4562
Use sysctl to enable p2p comms 2020-05-09 20:07:19 +01:00
974e0e8467
Enable services
Not just during reload
2020-04-28 20:48:15 +01:00
051ec43769
wg-quick can't be reloaded
This might break things!
2020-04-26 12:05:45 +01:00
ff8beea3c4
Massively increase timeouts to prevent websocket issues 2020-04-17 23:04:20 +01:00
1da3ca95e7
Stop using unstable repos to install wireguard
It's in backports now, which is much easier to install from!
2020-04-17 09:08:10 +01:00