From 473b77616603d48b31f67c400122dd16dfa2d923 Mon Sep 17 00:00:00 2001 From: James Eversole Date: Tue, 10 Feb 2026 09:07:43 -0600 Subject: [PATCH] Add global rate limiting --- flake.lock | 476 +++++++++++++++++++++++++++++++-- flake.nix | 2 +- nix/application/containers.nix | 2 +- nix/application/headscale.nix | 2 +- nix/application/nginx.nix | 29 +- 5 files changed, 484 insertions(+), 27 deletions(-) diff --git a/flake.lock b/flake.lock index d87f92a..4e3fbc6 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1762618334, - "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", + "lastModified": 1770165109, + "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=", "owner": "ryantm", "repo": "agenix", - "rev": "fcdea223397448d35d9b31f798479227e80183f6", + "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb", "type": "github" }, "original": { 
@@ -39,20 +39,174 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "lix-2_92_3": { + "inputs": { + "flake-compat": "flake-compat_2", + "nix2container": "nix2container", + "nixpkgs": "nixpkgs", + "nixpkgs-regression": "nixpkgs-regression", + "pre-commit-hooks": "pre-commit-hooks" + }, + "locked": { + "lastModified": 1751237967, + "narHash": "sha256-iP2iUDxA99RcgQyZROs7bQw8pqxa1vFudRqjAIHg9Iw=", + "ref": "2.92.3", + "rev": "0d8d8e0b420a6ce30708bb2f8e14d7e489dd6c0c", + "revCount": 16677, + "type": "git", + "url": "https://git.lix.systems/lix-project/lix" + }, + "original": { + "ref": "2.92.3", + "type": "git", + "url": "https://git.lix.systems/lix-project/lix" + } + }, + "lix-2_93_3": { + "inputs": { + "flake-compat": "flake-compat_3", + "nix2container": "nix2container_2", + "nix_2_18": "nix_2_18", + "nixpkgs": "nixpkgs_3", + "nixpkgs-regression": "nixpkgs-regression_2", + "pre-commit-hooks": 
"pre-commit-hooks_2" + }, + "locked": { + "lastModified": 1753223228, + "narHash": "sha256-Oqw04eboDM8rrUgAXiT7w5F2uGrQdt8sGX+Mk6mVXZQ=", + "ref": "2.93.3", + "rev": "017e93ae637ce6dfc958001e5cdc2a3e0182be6f", + "revCount": 17882, + "type": "git", + "url": "https://git.lix.systems/lix-project/lix" + }, + "original": { + "ref": "2.93.3", + "type": "git", + "url": "https://git.lix.systems/lix-project/lix" + } + }, + "lix-2_94_0": { + "inputs": { + "flake-compat": "flake-compat_4", + "nix2container": "nix2container_3", + "nix_2_18": "nix_2_18_2", + "nixpkgs": "nixpkgs_5", + "nixpkgs-regression": "nixpkgs-regression_3", + "pre-commit-hooks": "pre-commit-hooks_3" + }, + "locked": { + "lastModified": 1763408539, + "narHash": "sha256-X6X3NhgLnpkgWUbLs0nLjusNx/el3L1EkVm6OHqY2z8=", + "ref": "2.94.0", + "rev": "43dc3b987fb47bd45ee7ed6967febac2595c468e", + "revCount": 18528, + "type": "git", + "url": "https://git.lix.systems/lix-project/lix" + }, + "original": { + "ref": "2.94.0", + "type": "git", + "url": "https://git.lix.systems/lix-project/lix" + } + }, + "lowdown-src": { + "flake": false, + "locked": { + "lastModified": 1633514407, + "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=", + "owner": "kristapsdz", + "repo": "lowdown", + "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8", + "type": "github" + }, + "original": { + "owner": "kristapsdz", + "repo": "lowdown", + "type": "github" + } + }, + "lowdown-src_2": { + "flake": false, + "locked": { + "lastModified": 1633514407, + "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=", + "owner": "kristapsdz", + "repo": "lowdown", + "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8", + "type": "github" + }, + "original": { + "owner": "kristapsdz", + "repo": "lowdown", + "type": "github" + } + }, "nix-serve-ng": { "inputs": { "flake-compat": "flake-compat", + "lix-2_92_3": "lix-2_92_3", + "lix-2_93_3": "lix-2_93_3", + "lix-2_94_0": "lix-2_94_0", "nixpkgs": [ "nixpkgs" ], "utils": "utils" }, "locked": { - 
"lastModified": 1763069480, - "narHash": "sha256-dbjGP/uD2WeGYf6A5CmLb6z5owleoYXybFbkTcWSvxA=", + "lastModified": 1765938481, + "narHash": "sha256-Pck7/jhaoYAUM9M0nWR/dwYEVwXXNP2bzB4+XtZBmno=", "owner": "aristanetworks", "repo": "nix-serve-ng", - "rev": "3b9c80f78501813b1a29c5b33a3ccc50a7506f0e", + "rev": "8ce0104efdf7f72e5a371bc48613084673b23cc0", "type": "github" }, "original": { 
@@ -61,28 +215,137 @@ "type": "github" } }, + "nix2container": { + "flake": false, + "locked": { + "lastModified": 1724996935, + "narHash": "sha256-njRK9vvZ1JJsP8oV2OgkBrpJhgQezI03S7gzskCcHos=", + "owner": "nlewo", + "repo": "nix2container", + "rev": "fa6bb0a1159f55d071ba99331355955ae30b3401", + "type": "github" + }, + "original": { + "owner": "nlewo", + "repo": "nix2container", + "type": "github" + } + }, + "nix2container_2": { + "flake": false, + "locked": { + "lastModified": 1724996935, + "narHash": "sha256-njRK9vvZ1JJsP8oV2OgkBrpJhgQezI03S7gzskCcHos=", + "owner": "nlewo", + "repo": "nix2container", + "rev": "fa6bb0a1159f55d071ba99331355955ae30b3401", + "type": "github" + }, + "original": { + "owner": "nlewo", + "repo": "nix2container", + "type": "github" + } + }, + "nix2container_3": { + "flake": false, + "locked": { + "lastModified": 1724996935, + "narHash": "sha256-njRK9vvZ1JJsP8oV2OgkBrpJhgQezI03S7gzskCcHos=", + "owner": "nlewo", + "repo": "nix2container", + "rev": "fa6bb0a1159f55d071ba99331355955ae30b3401", + "type": "github" + }, + "original": { + "owner": "nlewo", + "repo": "nix2container", + "type": "github" + } + }, + "nix_2_18": { + "inputs": { + "flake-compat": [ + "nix-serve-ng", + "lix-2_93_3", + "flake-compat" + ], + "lowdown-src": "lowdown-src", + "nixpkgs": "nixpkgs_2", + "nixpkgs-regression": [ + "nix-serve-ng", + "lix-2_93_3", + "nixpkgs-regression" + ] + }, + "locked": { + "lastModified": 1730375271, + "narHash": "sha256-RrOFlDGmRXcVRV2p2HqHGqvzGNyWoD0Dado/BNlJ1SI=", + "owner": "NixOS", + "repo": "nix", + "rev": "0f665ff6779454f2117dcc32e44380cda7f45523", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "2.18.9", + "repo": "nix", + "type": "github" + } + }, + "nix_2_18_2": { + "inputs": { + "flake-compat": [ + "nix-serve-ng", + "lix-2_94_0", + "flake-compat" + ], + "lowdown-src": "lowdown-src_2", + "nixpkgs": "nixpkgs_4", + "nixpkgs-regression": [ + "nix-serve-ng", + "lix-2_94_0", + "nixpkgs-regression" + ] + }, + "locked": 
{ + "lastModified": 1730375271, + "narHash": "sha256-RrOFlDGmRXcVRV2p2HqHGqvzGNyWoD0Dado/BNlJ1SI=", + "owner": "NixOS", + "repo": "nix", + "rev": "0f665ff6779454f2117dcc32e44380cda7f45523", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "2.18.9", + "repo": "nix", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1763334038, - "narHash": "sha256-LBVOyaH6NFzQ3X/c6vfMZ9k4SV2ofhpxeL9YnhHNJQQ=", + "lastModified": 1733348545, + "narHash": "sha256-b4JrUmqT0vFNx42aEN9LTWOHomkTKL/ayLopflVf81U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4c8cdd5b1a630e8f72c9dd9bf582b1afb3127d2c", + "rev": "9ecb50d2fae8680be74c08bb0a995c5383747f89", "type": "github" }, "original": { - "id": "nixpkgs", - "ref": "nixos-25.05", - "type": "indirect" + "owner": "NixOS", + "ref": "nixos-24.11-small", + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs-lib": { "locked": { - "lastModified": 1761765539, - "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=", + "lastModified": 1769909678, + "narHash": "sha256-cBEymOf4/o3FD5AZnzC3J9hLbiZ+QDT/KDuyHXVJOpM=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc", + "rev": "72716169fe93074c333e8d0173151350670b824c", "type": "github" }, "original": { 
@@ -91,16 +354,143 @@ "type": "github" } }, + "nixpkgs-regression": { + "locked": { + "lastModified": 1643052045, + "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + } + }, + "nixpkgs-regression_2": { + "locked": { + "lastModified": 1643052045, + "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + } + }, + "nixpkgs-regression_3": { + "locked": { + "lastModified": 1643052045, + "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1705033721, + "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1749522908, + "narHash": "sha256-eWANkhWXFL1MmaxzsZ9bhLCNT8OVs7CC+OXaSDGlA8A=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e5cb99555c45a13dcc5f1317462238530b0066b7", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-25.05-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + 
"lastModified": 1705033721, + "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { + "locked": { + "lastModified": 1757198069, + "narHash": "sha256-m3VUcOD4rTs8J7S+3dOjWMrAjw6RcITC3XYQ98zhEFs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "0747026fc57ecb9c28901c7f7a2b5dc40e8af43c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-25.05-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { + "locked": { + "lastModified": 1770136044, + "narHash": "sha256-tlFqNG/uzz2++aAmn4v8J0vAkV3z7XngeIIB3rM3650=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e576e3c9cf9bad747afcddd9e34f51d18c855b4e", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-25.11", + "type": "indirect" + } + }, "parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1762980239, - "narHash": "sha256-8oNVE8TrD19ulHinjaqONf9QWCKK+w4url56cdStMpM=", + "lastModified": 1769996383, + "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "52a2caecc898d0b46b2b905f058ccc5081f842da", + "rev": "57928607ea566b5db3ad13af0e57e921e6b12381", "type": "github" }, "original": { 
@@ -109,11 +499,59 @@ "type": "github" } }, + "pre-commit-hooks": { + "flake": false, + "locked": { + "lastModified": 1733318908, + "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "6f4e2a2112050951a314d2733a994fbab94864c6", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "pre-commit-hooks_2": { + "flake": false, + "locked": { + "lastModified": 1733318908, + "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "6f4e2a2112050951a314d2733a994fbab94864c6", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "pre-commit-hooks_3": { + "flake": false, + "locked": { + "lastModified": 1733318908, + "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "6f4e2a2112050951a314d2733a994fbab94864c6", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", "nix-serve-ng": "nix-serve-ng", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_6", "parts": "parts" } }, diff --git a/flake.nix b/flake.nix index c99992a..28234a7 100644 --- a/flake.nix +++ b/flake.nix @@ -2,7 +2,7 @@ description = "eve-psr-nix0 - Home Server"; inputs = { - nixpkgs.url = "nixpkgs/nixos-25.05"; + nixpkgs.url = "nixpkgs/nixos-25.11"; agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/nix/application/containers.nix b/nix/application/containers.nix index ac70133..3631a71 100644 --- a/nix/application/containers.nix +++ b/nix/application/containers.nix 
@@ -146,7 +146,7 @@ }; vaultwarden = { - image = "vaultwarden/server:1.34.3"; + image = "vaultwarden/server:1.35.2"; ports = [ "40080:80" ]; volumes = [ "/home/sezycei/srv/containerdata/bitwarden/data:/data" diff --git a/nix/application/headscale.nix b/nix/application/headscale.nix index 2d17d43..8aa0fca 100644 --- a/nix/application/headscale.nix +++ b/nix/application/headscale.nix @@ -5,7 +5,7 @@ port = 35893; settings = { dns = { - base_domain = "vpn.matri.cx"; + base_domain = "ts.matri.cx"; nameservers.global = ["192.168.0.130" "1.1.1.1"]; }; logtail.enabled = false; diff --git a/nix/application/nginx.nix b/nix/application/nginx.nix index f7e0976..b6bb760 100644 --- a/nix/application/nginx.nix +++ b/nix/application/nginx.nix @@ -2,6 +2,18 @@ services.nginx = { enable = true; + appendHttpConfig = '' + log_format detailed '$remote_addr|||$remote_user|||$time_local|||' + '$request|||$status|||$body_bytes_sent|||' + '$http_referer|||$http_user_agent|||' + '$request_time|||$upstream_response_time|||' + '$http_x_forwarded_for|||$scheme|||$server_name'; + error_log stderr; + access_log syslog:server=unix:/dev/log detailed; + #limit_req_status 429; + #limit_req_zone $binary_remote_addr zone=pri:40m rate=1r/s; + ''; + recommendedProxySettings = true; recommendedOptimisation = true; recommendedGzipSettings = true; @@ -15,13 +27,16 @@ }; static = { dir }: base { - "/".root = dir; + "/" = { + root = dir; + extraConfig = globalRateLimiting; + }; }; proxied = { target, extra ? "" }: base { "/" = { proxyPass = target; - extraConfig = extra; + extraConfig = globalRateLimiting + extra; }; }; @@ -29,14 +44,14 @@ "/" = { proxyPass = target; basicAuthFile = auth; - extraConfig = extra; + extraConfig = globalRateLimiting + extra; }; }; proxiedLAN = { target, extra ? ""}: base { "/" = { proxyPass = target; - extraConfig = allowedLANAddrs + extra; + extraConfig = globalRateLimiting + allowedLANAddrs + extra; }; }; 
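Review bot: The rate limiting this commit is named for is not in effect: `limit_req_zone` and `limit_req_status` in `appendHttpConfig` are commented out, and so is the `limit_req` line in `globalRateLimiting` (hunk at -46,6), so every location that now concatenates `globalRateLimiting` into its `extraConfig` receives only an nginx comment. If shipping it disabled is deliberate, a comment next to the zone such as `# rate limiting staged but disabled; uncomment this zone and the limit_req in globalRateLimiting to enable` would keep the config from contradicting the commit title. Separately, the `detailed` log format joins client-controlled fields (`$request`, `$http_user_agent`, `$http_referer`, `$http_x_forwarded_for`) with `|||`, and nginx's default `log_format` escaping leaves `|` untouched, so a downstream consumer that splits on that delimiter can be desynchronised by a header containing it; `log_format detailed escape=json ...` or another structured form avoids that. The `services.nginx` attribute set these hunks sit in continues outside the hunks.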
@@ -46,6 +61,10 @@ allow 100.64.0.0/24; deny all; ''; + + globalRateLimiting = '' + #limit_req zone=pri burst=20 nodelay; + ''; in { "default.host" = { default = true; root = "/var/www/default";}; @@ -66,7 +85,7 @@ "git.eversole.co" = proxied { target = "http://127.0.0.1:8027"; }; "graf.matri.cx" = { # refer to /monitoring/nginx.nix root = "/var/www/graf.matri.cx"; - extraConfig = allowedLANAddrs; + extraConfig = globalRateLimiting + allowedLANAddrs; }; "home.matri.cx" = { forceSSL = true;
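Review bot: Once `limit_req zone=pri burst=20 nodelay;` is uncommented, it applies the single `zone=pri` keyed on `$binary_remote_addr` at `rate=1r/s` (hunk at -2,6) to every location, including the `static` hosts, so one client fetching more than about twenty resources for a page may see the overflow rejected (503 by default, 429 only if `limit_req_status 429` is also enabled), and clients behind a shared NAT address share that budget. Consider sizing per host class instead of one value for all locations, for example a second, more generous zone for static content (constructed example: `limit_req_zone $binary_remote_addr zone=static:10m rate=10r/s;`) referenced from `static`, keeping the stricter zone for the proxied application hosts. The `let` block this binding lives in starts outside the hunk.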