rope/nixos
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
737 commits 1 branch 0 tags 41 MiB
Commit graph

737 commits

This branch
This branch
All branches
Author SHA1 Message Date
ediblerope
549277ca0f flake: update inputs 2026-04-07 05:42:39 +00:00
ediblerope
39450ca786 Remove Suricata/ELK; add SSH key auth and disable password login 
Adds authorised keys for FredOS-Gaming and phone. Disables SSH password
authentication on FredOS-Mediaserver — key auth only going forward.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-06 21:48:08 +01:00
ediblerope
ddb208b95d Fix ELK: explicitly disable ES 8.x security on both containers 
ES 8.x enables security and enrollment by default. Adding
xpack.security.enrollment.enabled=false to Elasticsearch and
xpack.security.enabled=false to Kibana suppresses the enrollment
token screen and lets Kibana connect directly over HTTP.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-06 21:31:02 +01:00
ediblerope
699bbd9f9a Add ELK stack for Suricata log visualisation 
Elasticsearch + Kibana + Filebeat in Docker, bridged via an elk network.
Filebeat uses the Suricata module to parse eve.json and auto-installs
Kibana dashboards on first run. ES heap capped at 1g; Kibana Node heap
at 512m — total stack ~2-2.5 GB RAM.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-06 21:25:29 +01:00
ediblerope
43ce6b046f Fix Suricata: disable all DNP3/Modbus rules via regex pattern 
Individual SID exclusions weren't enough — there are many more rules for
these industrial SCADA protocols than initially identified. Switch to
regex-based disable patterns (re:modbus, re:dnp3) so suricata-update
strips all of them from the generated rules file.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-06 20:55:44 +01:00
ediblerope
d1ac7c6965 Disable Modbus Suricata rules that fail to parse 
Modbus protocol detection is disabled in the NixOS build; the 5 Modbus
SIDs (2250005-2250009) cause the config test to fail and crash-loop the
service. Disable them alongside the existing DNP3 exclusions.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-06 20:51:22 +01:00
ediblerope
b91b0ef234 Add Suricata IDS to FredOS-Mediaserver 
Passive network monitoring via af-packet on eno1. Rulesets auto-updated
from ET/Open, abuse.ch, and other community sources via suricata-update.
Runs alongside fail2ban; IPS/blocking mode can be enabled later.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-06 20:36:45 +01:00
ediblerope
2104de314e
Merge pull request #2 from ediblerope/claude/create-claude-md-Je6Ea 
fail2ban: fix bantime-increment option name (multipliers not multiplier)
 2026-04-06 09:36:21 +01:00
Claude
78bb64d9f2
fail2ban: fix bantime-increment option name (multipliers not multiplier) 
https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn
 2026-04-06 08:35:15 +00:00
ediblerope
fbf817fff0
Merge pull request #1 from ediblerope/claude/create-claude-md-Je6Ea 
Claude/create claude md je6 ea
 2026-04-06 09:33:49 +01:00
Claude
6b432f3bc2
Remove CrowdSec — replaced by fail2ban 
https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn
 2026-04-06 08:28:08 +00:00
Claude
4935d42e48
fail2ban: add jails for Sonarr, Radarr, Prowlarr, Bazarr, qBittorrent 
All services with openFirewall = true are now covered. The *arr suite
shares a single filter since they use the same logging codebase.

https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn
 2026-04-06 08:24:18 +00:00
Claude
16363dc887
fail2ban: add jails for SSH, nginx proxy manager, and Jellyfin 
Replaces bare enable flag with a dedicated service module covering:
- SSH brute force via journald
- Nginx Proxy Manager auth failures via Docker log files
- Jellyfin auth failures via journald
Includes incremental ban times (up to 1 week) and LAN ignore rules.

https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn
 2026-04-06 08:21:23 +00:00
Claude
f5bb08d7dd
crowdsec: switch to Docker container with native firewall bouncer 
Replaces the incomplete nixpkgs NixOS module with the official
CrowdSec Docker image for the LAPI, while keeping the firewall
bouncer as a native systemd service. API key is read from
/var/lib/secrets/crowdsec-bouncer-key at start time so it
never enters the Nix store.

https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn
 2026-04-06 07:05:59 +00:00
Claude
f493d09c50
Add CrowdSec setup readme for Docker-based deployment 
Documents API key generation, storage, bouncer registration,
and useful cscli commands.

https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn
 2026-04-06 07:00:50 +00:00
Claude
82d92d7c8f
Add CLAUDE.md with project context and nix eval guidance 
https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn
 2026-04-06 06:53:19 +00:00
ediblerope
739c7ebc78 flake: update inputs 2026-04-06 05:54:30 +00:00
ediblerope
8b85956f7c Fix CrowdSec race: order crowdsec after tmpfiles-resetup 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-05 23:17:35 +01:00
ediblerope
9958198209 Fix CrowdSec: enable LAPI server and expose config.yaml for bouncer registration 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-05 23:12:45 +01:00
ediblerope
2b090f1a35 Fix CrowdSec bouncer api_url to resolve null coercion error 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-05 23:05:57 +01:00
ediblerope
509c4cc47d Add CrowdSec IPS with firewall bouncer on FredOS-Mediaserver 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-05 22:59:37 +01:00
ediblerope
3f8addd5bf Remove easyeffects from FredOS-Gaming packages 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-05 22:15:14 +01:00
ediblerope
488016aaed Add easyeffects to FredOS-Gaming packages 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-05 21:59:16 +01:00
ediblerope
742770300f
Update flake.lock 2026-04-05 11:25:55 +01:00
ediblerope
4b41511e39
Update common.nix 2026-04-05 11:21:25 +01:00
ediblerope
7085465350
Delete services/omnisearch.nix 2026-04-05 11:21:08 +01:00
ediblerope
8473d70c52
Update flake.nix 2026-04-05 11:20:36 +01:00
ediblerope
cde1bef064 flake: update inputs 2026-04-05 05:41:12 +00:00
ediblerope
4a952db006 Add CachyOS kernel (BORE scheduler) for FredOS-Gaming 2026-04-04 20:38:56 +01:00
ediblerope
e234f7734a flake: update inputs 2026-04-04 19:35:21 +00:00
ediblerope
66db7d34a4 flake: update inputs 2026-04-04 05:17:33 +00:00
ediblerope
9fe8e2946a flake: update inputs 2026-04-03 05:28:33 +00:00
ediblerope
35aa19ca9a flake: update inputs 2026-04-02 05:27:48 +00:00
ediblerope
0205ade5a2 flake: update inputs 2026-04-01 20:29:36 +00:00
ediblerope
93ea194da4 Reorganise hardware vs host config, tidy settings and services 2026-04-01 21:16:59 +01:00
ediblerope
effc4da3a6
2026-04-01 15:58:10 +01:00
ediblerope
c81bf4f54d
2026-04-01 14:15:38 +01:00
ediblerope
81d4bff052
2026-04-01 14:14:38 +01:00
ediblerope
91e96c8b4c flake: update inputs 2026-04-01 05:50:26 +00:00
ediblerope
4bcfd3d970
2026-03-31 14:20:45 +01:00
ediblerope
f709f014b0 flake: update inputs 2026-03-31 05:31:04 +00:00
ediblerope
901c9ee3b0
2026-03-30 21:43:15 +01:00
ediblerope
f256f145fd
2026-03-30 21:34:12 +01:00
ediblerope
e50696290c
2026-03-30 21:17:27 +01:00
ediblerope
c5a8722f1a
2026-03-30 20:49:30 +01:00
ediblerope
68bba376fb
2026-03-30 12:54:51 +01:00
ediblerope
cf9c94150b
2026-03-30 12:49:11 +01:00
ediblerope
1d2dfdb083
2026-03-30 12:47:38 +01:00
ediblerope
5b46971e0c flake: update inputs 2026-03-30 05:54:20 +00:00
ediblerope
5a2843b57b flake: update inputs 2026-03-29 19:28:14 +00:00