authorNantha Sorubakanthan <nantha@mielota.com>2026-04-13 21:45:43 +0200
committerNantha Sorubakanthan <nantha@mielota.com>2026-04-13 21:45:43 +0200
commit0c913f1e421b9d47c052350c4c1d619e4ac6a297 (patch)
treec9124ff04b9252836221c41d2ca2fa133d166251 /debian13/etc
Initial commit
Diffstat (limited to 'debian13/etc')
-rw-r--r--debian13/etc/fail2ban/jail.local107
-rw-r--r--debian13/etc/nginx/conf.d/antispam.conf1
-rw-r--r--debian13/etc/nginx/sites-available/dns.mielota.com10
-rw-r--r--debian13/etc/nginx/sites-available/mail.mielota.com10
-rw-r--r--debian13/etc/nginx/sites-available/mielota.com38
-rw-r--r--debian13/etc/systemd/system/blocky.service16
6 files changed, 182 insertions, 0 deletions
diff --git a/debian13/etc/fail2ban/jail.local b/debian13/etc/fail2ban/jail.local
new file mode 100644
index 0000000..2202c3e
--- /dev/null
+++ b/debian13/etc/fail2ban/jail.local
@@ -0,0 +1,107 @@
+# My personnal fail2ban jail config :)
+#
+# It's a really evil config, you should raise the value of
+# "maxretry" accross the file and lower bantime
+# to not block legitimate users (like you).
+#
+# For the "filters", see /etc/fail2ban/filters.d/
+# (these are files managed by Fail2Ban and your Package Manager)
+
+
+# Default values
+# They can be overriden by each subsections
+
+[DEFAULT]
+bantime = 24h
+findtime = 6h
+bantime.increment = true
+maxretry = 2
+action = iptables-allports
+backend = auto
+# ignoreip won't ban specified IP addresses
+# Put the local IPs of your network if desired
+# For example if they all start with 192.168.0
+ignoreip = 192.168.0.0/24
+
+# SSH
+# Enable it if you use SSH outside of your local network.
+
+[sshd]
+enabled = false
+port = ssh
+logpath = %(sshd_log)s
+maxretry = 3
+bantime = 3700
+findtime = 3600
+
+# Nginx configuration
+# On debian 13 (for now) the nginx filters don't work
+# if we don't define "backend = auto" (See [DEFAULT] section)
+# They also don't work without specifying the logpath
+
+[nginx-bad-request]
+enabled = true
+port = http,https
+logpath = /var/log/nginx/access.log
+filter = nginx-bad-request
+
+[nginx-botsearch]
+enabled = true
+port = http,https
+logpath = /var/log/nginx/access.log
+filter = nginx-botsearch
+
+# Only triggers if limit req is enabled in your nginx conf
+# See mine at etc/nginx/conf.d/antispam.conf
+# And the line in etc/nginx/sites-available/mielota.com
+[nginx-limit-req]
+enabled = true
+port = http,https
+log_path = /var/log/nginx/error.log
+filter = nginx-limit-req
+
+[nginx-forbidden]
+enabled = true
+port = http,https
+logpath = /var/log/nginx/access.log
+ /var/log/nginx/error.log
+filter = nginx-forbidden
+
+# [nginx-error-common]
+# enabled = true
+# port = http,https
+# logpath = /var/log/nginx/access.log
+# /var/log/nginx/error.log
+# filter = nginx-error-common
+
+# [nginx-http-auth]
+# enabled = true
+# port = http,https
+# logpath = /var/log/nginx/access.log
+# /var/log/nginx/error.log
+# filter = nginx-http-auth
+
+# EMAIL SERVER CONFIGURATION
+# HARDENED https://github.com/lukesmithxyz/emailwiz
+
+# If you used emailwiz.sh, the script created a file named
+# emailwiz.local in etc/fail2ban/jail.d/
+# Remove it if you are going to use the configuration below
+
+[postfix-sasl]
+enabled = true
+maxretry = 0
+
+[sieve]
+enabled = true
+maxretry = 0
+
+[postfix]
+enabled = true
+mode = aggressive
+maxretry = 0
+
+[dovecot]
+enabled = true
+mode = aggressive
+maxretry = 0
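Review bot: `log_path = /var/log/nginx/error.log` in `[nginx-limit-req]` misspells the jail option — fail2ban's setting is `logpath`, so this key is treated as an ordinary substitution variable rather than the log to monitor, and the jail falls back to whatever stock jail.conf supplies, which the comment above the nginx jails says does not work on Debian 13 without an explicit logpath; change it to `logpath = /var/log/nginx/error.log`. With `maxretry = 0` on the four mail jails and `bantime.increment = true` in `[DEFAULT]`, a single matching log line produces a 24h ban that escalates on repeat, which the file header acknowledges, but a comment on those jails (`# maxretry = 0: ban on the first matching line`) would save the next reader a trip back to the header. The header comment also carries typos worth fixing: "personnal", "overriden", "accross".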
diff --git a/debian13/etc/nginx/conf.d/antispam.conf b/debian13/etc/nginx/conf.d/antispam.conf
new file mode 100644
index 0000000..2bbae91
--- /dev/null
+++ b/debian13/etc/nginx/conf.d/antispam.conf
@@ -0,0 +1 @@
+limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=1r/s;
diff --git a/debian13/etc/nginx/sites-available/dns.mielota.com b/debian13/etc/nginx/sites-available/dns.mielota.com
new file mode 100644
index 0000000..1bfb1b2
--- /dev/null
+++ b/debian13/etc/nginx/sites-available/dns.mielota.com
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name dns.mielota.com;
+
+ location / {
+ proxy_pass http://127.0.0.1:4000;
+ }
+}
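Review bot: The `location /` block forwards to 127.0.0.1:4000 without passing any client identity, so the upstream (presumably blocky's HTTP listener, given blocky.service in the same commit — confirm) sees every request as coming from 127.0.0.1 and its own logs and any per-client controls lose their meaning. Add `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` next to the `proxy_pass`. This vhost also listens only on port 80 and does not apply the `req_limit_per_ip` zone that antispam.conf declares, so the proxied service is exposed unencrypted and unthrottled; apply `limit_req zone=req_limit_per_ip burst=5 nodelay;` here as mielota.com does, and terminate TLS on this name if it serves DoH or an API.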
diff --git a/debian13/etc/nginx/sites-available/mail.mielota.com b/debian13/etc/nginx/sites-available/mail.mielota.com
new file mode 100644
index 0000000..545deca
--- /dev/null
+++ b/debian13/etc/nginx/sites-available/mail.mielota.com
@@ -0,0 +1,10 @@
+server {
+ server_name mail.mielota.com;
+
+ listen 80;
+ listen [::]:80;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
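Review bot: The server block sets no `root`, so `try_files $uri $uri/ =404` resolves against nginx's compiled-in default document root rather than a directory this commit controls, and nothing on the page says what this HTTP-only vhost is for. If it is a placeholder (for example to answer an ACME HTTP-01 challenge before TLS is configured — an inference, the diff does not say), make that explicit with a comment such as `# HTTP-only placeholder for mail.mielota.com; add TLS before publishing content` and an explicit root, e.g. `root /var/www/mail.mielota.com/public;` (constructed example), so a stray file in the default root is never served under this name.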
diff --git a/debian13/etc/nginx/sites-available/mielota.com b/debian13/etc/nginx/sites-available/mielota.com
new file mode 100644
index 0000000..6011611
--- /dev/null
+++ b/debian13/etc/nginx/sites-available/mielota.com
@@ -0,0 +1,38 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name mielota.com;
+
+ # Limit requests
+ limit_req zone=req_limit_per_ip burst=5 nodelay;
+
+ root /var/www/mielota.com/public;
+ index index.html;
+
+ location ~* \.(?:jpg|jpeg|gif|png|ico|svg|webp)$ {
+ expires 1M;
+ access_log off;
+ add_header Cache-Control "max-age=2629746, public";
+ }
+ location ~* \.(?:css|js)$ {
+ expires 1y;
+ access_log off;
+ add_header Cache-Control "max-age=31556952, public";
+ }
+ gzip on;
+ gzip_min_length 1100;
+ gzip_buffers 4 32k;
+ gzip_types text/plain application/x-javascript text/xml text/css;
+ gzip_vary on;
+
+ # File not found ?
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ # 404 custom page
+ error_page 404 /404.html;
+
+ rewrite ^/march.sh$ https://codeberg.org/mielota/dox/raw/branch/main/home/.local/bin/march.sh permanent;
+}
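Review bot: The `gzip_types text/plain application/x-javascript text/xml text/css;` line lists the legacy `application/x-javascript` type, while the .js files matched by `location ~* \.(?:css|js)$` are served with the type from nginx's mime.types (`application/javascript` or `text/javascript` depending on the nginx version), so JavaScript is never compressed despite the dedicated cache location. Replace it with `gzip_types text/plain text/css text/xml text/javascript application/javascript application/json image/svg+xml;`. Separately, `expires 1M;` and `expires 1y;` already emit a `Cache-Control: max-age=…` header, so the `add_header Cache-Control "max-age=…, public"` lines in the same blocks produce a second Cache-Control header; keep one mechanism, either the `expires` lines or the `add_header` lines. No response-hardening header (e.g. `add_header X-Content-Type-Options nosniff;`) is set anywhere, and because `add_header` inside a location discards server-level `add_header` directives, any such header added later at server level will not reach the two static-asset locations unless repeated there — worth a comment on those blocks.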
diff --git a/debian13/etc/systemd/system/blocky.service b/debian13/etc/systemd/system/blocky.service
new file mode 100644
index 0000000..8b5e46a
--- /dev/null
+++ b/debian13/etc/systemd/system/blocky.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Blocky DNS
+After=syslog.target
+After=network.target
+
+[Service]
+RestartSec=10s
+Type=simple
+User=blocky
+Group=blocky
+WorkingDirectory=/opt/blocky/
+ExecStart=/opt/blocky/blocky -c blocky.yml
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
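Review bot: `[Service]` runs blocky as the unprivileged `User=blocky` but grants no capabilities and applies no sandboxing; if blocky.yml (not in this commit) binds a privileged port such as 53, the bind fails under this unit, and a network-facing resolver should in any case not get the full read/write filesystem view a plain user service receives. Add `AmbientCapabilities`/`CapabilityBoundingSet` for CAP_NET_BIND_SERVICE plus the confinement directives below (`ReadWritePaths=` only if blocky needs to write under /opt/blocky). `After=syslog.target` is an obsolete target name and can be dropped; `After=network.target` only orders after network management has started, so if the resolver must bind specific non-loopback addresses, `Wants=network-online.target` with `After=network-online.target` is the safer ordering.
```ini
[Service]
# … unchanged: RestartSec, Type, User, Group, WorkingDirectory, ExecStart, Restart …
# bind a port below 1024 as the blocky user (only needed if blocky.yml uses one)
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
# read-only view of the system; add ReadWritePaths= if blocky writes under /opt/blocky
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
```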