Commit graph

12 commits

Author / SHA1 / Message / Date

6b64254eab  .
2026-03-22 01:45:51 +00:00
Franz Kafka

10d8924106  reapply Harrow branding + customDir via copyPathToStore
2026-03-20 22:18:45 +00:00

3598d5f2bf  fix(nginx): add ACME webroot + fix multi-line CSP headers
- Set security.acme.certs.*.webroot for Let's Encrypt challenges
- Consolidate multi-line Content-Security-Policy to single line
- Fixes build error: exactly one of dnsProvider/webroot/listenHTTP/s3Bucket is required

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-20 22:16:51 +00:00
Franz Kafka

3ecdafadf7  fix forgejo customDir: correct path + coerce to string
2026-03-20 21:53:37 +00:00
Franz Kafka

053a783772  brand forgejo as The Harrow
- Set APP_NAME to The Harrow
- Set Kafkaesque description
- Add custom logo and favicon (needle + etched scratches, rusted red)
- Point customDir to custom/ for asset loading
2026-03-20 21:52:54 +00:00

adb8ddb611  feat(security): expose internal services and DoH to public
- Remove `internalOnly = true` flag from Vaultwarden, Forgejo, and AdGuard Home to make them publicly accessible again.
- This also re-exposes the DNS-over-HTTPS (DoH) endpoint on the AdGuard Home domain.
2026-03-19 22:48:14 +01:00

f31ec2ce65  feat(security): restrict internal services to tailscale
- Add `internalOnly` option to nginx module to block public access.
- Apply `internalOnly` flag to Forgejo and Vaultwarden to ensure they are only accessible over the VPN or localhost.
2026-03-19 22:35:33 +01:00

fbea02867e  feat(nginx): add security headers with per-domain CSP
- Add HSTS (6 months, includeSubDomains, preload-ready)
- Add X-Content-Type-Options: nosniff
- Add Permissions-Policy (disable camera/mic/geolocation)
- Add Cross-Origin-Resource-Policy: same-origin
- Add Cross-Origin-Opener-Policy: same-origin
- Add configurable Content-Security-Policy per domain

Per-service CSP tuning:
- SearXNG: null (handles its own CSP in settings.yml)
- Forgejo: relaxed (unsafe-inline/eval for code highlighting)
- Vaultwarden: relaxed (unsafe-eval for WebCrypto vault)

Fixes: missing CSP, HSTS, X-Content-Type-Options headers
2026-03-19 13:42:41 +00:00

837e71b69d  Add Forgejo Actions Runner with sops secrets
2026-03-19 14:05:51 +01:00

f646c091cc  Harden SSH and enable post-quantum key exchange (sntrup761x25519-sha512) for system and Forgejo
2026-03-19 00:05:12 +01:00

748ccc6fc8  Enable Forgejo built-in SSH server on port 2222
2026-03-18 23:49:02 +01:00

6e9de4c189  Add Forgejo self-hosted Git service with Nginx, PostgreSQL, and Restic backups
2026-03-18 23:32:01 +01:00