Initial: Caddy, Stalwart, fail2ban, crontab, allowlist scripts

2026-02-23 23:20:49 +01:00 · 2026-02-23 23:20:49 +01:00 · 4f7283ca89
commit 4f7283ca89
12 changed files with 245 additions and 0 deletions
--- a/71
+++ b/71
@ -0,0 +1,71 @@
+# Global config
+{
+    log {
+        output file /var/log/caddy/access.log {
+            roll_size 100mb
+            roll_keep 5
+        }
+        format json
+    }
+}
+
+# Zurich infrastructure
+zurich.inou.com {
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "SAMEORIGIN"
+        Referrer-Policy "strict-origin-when-cross-origin"
+        Permissions-Policy "geolocation=(), microphone=(), camera=()"
+        -Server
+    }
+    respond "inou security infrastructure" 200
+}
+
+ntfy.inou.com {
+    reverse_proxy 127.0.0.1:2586
+}
+
+kuma.inou.com {
+    log {
+        output file /var/log/caddy/kuma.log {
+            roll_size 50mb
+            roll_keep 5
+        }
+        format json
+    }
+    reverse_proxy 127.0.0.1:3001
+}
+
+vault.inou.com {
+    log {
+        output file /var/log/caddy/vault.log {
+            roll_size 50mb
+            roll_keep 5
+        }
+        format json
+    }
+    reverse_proxy 127.0.0.1:8080
+}
+
+mail.inou.com {
+    reverse_proxy 127.0.0.1:8880
+}
+
+mail.jongsma.me {
+    reverse_proxy 127.0.0.1:8880
+}
+
+harryhaasjes.nl, www.harryhaasjes.nl {
+    root * /var/www/harryhaasjes/public
+    file_server
+    encode gzip
+}
+
+stpetersburgaquatics.com, www.stpetersburgaquatics.com {
+    root * /var/www/stpetersburgaquatics/public
+    file_server
+    encode gzip
+}
+
+
--- a/crontab_root.txt
+++ b/crontab_root.txt
@ -0,0 +1,2 @@
+0 3 * * * /opt/vaultwarden/backup.sh >> /var/log/vaultwarden-backup.log 2>&1
+*/15 * * * * /usr/local/bin/stalwart-allowlist-sync.sh >> /var/log/stalwart-allowsync.log 2>&1
--- a/fail2ban/caddy-kuma.conf
+++ b/fail2ban/caddy-kuma.conf
@ -0,0 +1,4 @@
+[Definition]
+failregex = .*"remote_ip":"<HOST>".*"uri":"/api/login.*"status":40[13]
+            .*"client_ip":"<HOST>".*"uri":"/api/login.*"status":40[13]
+ignoreregex =
--- a/fail2ban/caddy-scanner.conf
+++ b/fail2ban/caddy-scanner.conf
@ -0,0 +1,4 @@
+[Definition]
+failregex = .*"remote_ip":"<HOST>".*"uri":".*(?:wp-admin|wp-login|\.env|\.git|phpmyadmin|phpinfo|xmlrpc|actuator|setup\.php|config\.php|admin\.php|shell|eval\(|\.aws|\.ssh).*"status":(?:400|403|404|405)
+            .*"client_ip":"<HOST>".*"uri":".*(?:wp-admin|wp-login|\.env|\.git|phpmyadmin|phpinfo|xmlrpc|actuator|setup\.php|config\.php|admin\.php|shell|eval\(|\.aws|\.ssh).*"status":(?:400|403|404|405)
+ignoreregex =
--- a/fail2ban/defaults-debian.conf
+++ b/fail2ban/defaults-debian.conf
@ -0,0 +1,7 @@
+[DEFAULT]
+banaction = nftables
+banaction_allports = nftables[type=allports]
+backend = systemd
+
+[sshd]
+enabled = true
--- a/fail2ban/jail.local
+++ b/fail2ban/jail.local
@ -0,0 +1,8 @@
+[sshd]
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+bantime = 3600
+findtime = 600
--- a/fail2ban/stalwart.conf
+++ b/fail2ban/stalwart.conf
@ -0,0 +1,6 @@
+[Definition]
+# Match auth failures and too-many-attempts from Stalwart logs
+failregex = ^\S+ \S+ .*\(auth\.failed\).*remoteIp = <HOST>
+            ^\S+ \S+ .*\(auth\.too-many-attempts\).*remoteIp = <HOST>
+ignoreregex =
+datepattern = %%Y-%%m-%%dT%%H:%%M:%%SZ
--- a/fail2ban/vaultwarden.conf
+++ b/fail2ban/vaultwarden.conf
@ -0,0 +1,4 @@
+[Definition]
+failregex = .*"remote_ip":"<HOST>".*"uri":"/api/accounts/login.*"status":40[13]
+            .*"client_ip":"<HOST>".*"uri":"/api/accounts/login.*"status":40[13]
+ignoreregex =
--- a/stalwart-allowlist-sync.sh
+++ b/stalwart-allowlist-sync.sh
@ -0,0 +1,12 @@
+#!/bin/bash
+STATE_FILE=/var/lib/stalwart-allowsync/home-ip
+CURRENT_IP=47.197.93.62
+[ -z "$CURRENT_IP" ] && exit 1
+mkdir -p /var/lib/stalwart-allowsync
+LAST_IP=$(cat "$STATE_FILE" 2>/dev/null)
+[ "$CURRENT_IP" = "$LAST_IP" ] && exit 0
+echo "$(date -u): Home IP changed: $LAST_IP -> $CURRENT_IP"
+python3 /usr/local/bin/stalwart-update-allowip.py "$CURRENT_IP"
+/opt/stalwart/bin/stalwart-cli -u http://127.0.0.1:8880 -c admin:JamesAdmin2026x server reload-config > /dev/null
+echo "$CURRENT_IP" > "$STATE_FILE"
+echo Done.
--- a/stalwart-update-allowip.py
+++ b/stalwart-update-allowip.py
@ -0,0 +1,16 @@
+import sys, re
+new_ip = sys.argv[1]
+config_path = '/opt/stalwart/etc/config.toml'
+content = open(config_path).read()
+new_section = '[server.allowed-ip]\n"' + new_ip + '" = true\n'
+if '[server.allowed-ip]' in content:
+    content = re.sub(r'\[server\.allowed-ip\].*?(?=\n\[|\Z)', new_section, content, flags=re.DOTALL)
+else:
+    content = content.rstrip() + '\n\n' + new_section
+open(config_path, 'w').write(content)
+print(f'Updated allowed-ip to {new_ip}')
+
+# After writing config, commit to git
+import subprocess
+subprocess.run(['git', '-C', '/opt/stalwart/etc', 'add', 'config.toml'], capture_output=True)
+subprocess.run(['git', '-C', '/opt/stalwart/etc', 'commit', '-m', f'auto: allowed-ip updated to {new_ip}'], capture_output=True)
--- a/stalwart_config.toml
+++ b/stalwart_config.toml
@ -0,0 +1,83 @@
+[server.listener.smtp]
+bind = "[::]:25"
+protocol = "smtp"
+
+[server.listener.submission]
+bind = "[::]:587"
+protocol = "smtp"
+
+[server.listener.submissions]
+bind = "[::]:465"
+protocol = "smtp"
+tls.implicit = true
+
+[server.listener.imap]
+bind = "[::]:143"
+protocol = "imap"
+
+[server.listener.imaptls]
+bind = "[::]:993"
+protocol = "imap"
+tls.implicit = true
+
+[server.listener.pop3]
+bind = "[::]:110"
+protocol = "pop3"
+
+[server.listener.pop3s]
+bind = "[::]:995"
+protocol = "pop3"
+tls.implicit = true
+
+[server.listener.sieve]
+bind = "[::]:4190"
+protocol = "managesieve"
+
+[server.listener.https]
+protocol = "http"
+bind = "127.0.0.1:8443"
+tls.implicit = false
+
+[server.listener.http]
+protocol = "http"
+bind = "127.0.0.1:8880"
+
+[storage]
+data = "rocksdb"
+fts = "rocksdb"
+blob = "rocksdb"
+lookup = "rocksdb"
+directory = "internal"
+
+[store.rocksdb]
+type = "rocksdb"
+path = "/opt/stalwart/data"
+compression = "lz4"
+
+[directory.internal]
+type = "internal"
+store = "rocksdb"
+
+[tracer.log]
+type = "log"
+level = "info"
+path = "/opt/stalwart/logs"
+prefix = "stalwart.log"
+rotate = "daily"
+ansi = false
+enable = true
+
+[authentication.fallback-admin]
+user = "admin"
+secret = "$6$stalwartjames$OlCxhWXHNuO3Szh.HHPmjuh3oI/B0iCYjeERKqXSlpGHw40oHxVOd0IW9pJZn54QjA2Dbdlrin.SQRfZBG8pw1"
+
+[lookup.default]
+hostname = "mail.jongsma.me"
+
+[certificate.default]
+cert = "%{file:/etc/letsencrypt/live/mail.jongsma.me/fullchain.pem}%"
+private-key = "%{file:/etc/letsencrypt/live/mail.jongsma.me/privkey.pem}%"
+default = true
+
+[server.allowed-ip]
+"47.197.93.62" = true
--- a/vaultwarden_backup.sh
+++ b/vaultwarden_backup.sh
@ -0,0 +1,28 @@
+#!/bin/bash
+# Vaultwarden daily backup
+BACKUP_DIR="/opt/vaultwarden/backups"
+DATA_DIR="/opt/vaultwarden/data"
+DATE=$(date +%Y-%m-%d)
+BACKUP_FILE="$BACKUP_DIR/vaultwarden-$DATE.tar.gz.gpg"
+
+mkdir -p "$BACKUP_DIR"
+
+# Stop container briefly for consistent backup
+docker stop vaultwarden
+sleep 2
+
+# Create encrypted backup (symmetric, passphrase from file)
+tar czf - -C /opt/vaultwarden data | gpg --batch --yes --symmetric --cipher-algo AES256 --passphrase-file /opt/vaultwarden/.backup_passphrase -o "$BACKUP_FILE"
+
+# Restart
+docker start vaultwarden
+
+# Upload to gdrive if rclone is configured
+if rclone listremotes 2>/dev/null | grep -q gdrive; then
+    rclone copy "$BACKUP_FILE" gdrive:backups/vaultwarden/
+fi
+
+# Retain only last 30 days
+find "$BACKUP_DIR" -name "vaultwarden-*.tar.gz.gpg" -mtime +30 -delete
+
+echo "Backup complete: $BACKUP_FILE ($(du -h "$BACKUP_FILE" | cut -f1))"