Add garden and updates.

hosts/hub/apps/dev.nix

@@ -66,10 +66,14 @@
           useHostResolvConf = lib.mkForce false;
         };
         services.resolved.enable = true;
+        environment.sessionVariables = {
+          PATH = [ "${pkgs.gitea}/bin" ];
+          GITEA_WORK_DIR = "/var/lib/gitea";
+        };
       };
     bindMounts = {
-      "/run/postgresql/.s.PGSQL.5432" = {
-        hostPath = "/run/postgresql/.s.PGSQL.5432";
+      "/run/postgresql" = {
+        hostPath = "/run/postgresql";
       };
     };
   };

hosts/hub/apps/nextcloud.nix

@@ -31,7 +31,7 @@
             package = pkgs.nextcloud30;
             configureRedis = true;
             maxUploadSize = "16G";
-            autoUpdateApps.enable = true;
+            # autoUpdateApps.enable = true;
             notify_push.enable = true;
             webfinger = true;
             settings = {
@@ -44,6 +44,7 @@
               dbhost = "/run/postgresql";
               adminpassFile = "/etc/nextcloud-admin-pass";
             };
+            phpOptions."opcache.interned_strings_buffer" = "23";
           };
           onlyoffice = {
             enable = true;
@@ -51,6 +52,7 @@
           };
           resolved.enable = true;
         };
+        programs.nix-ld.enable = true;
         networking = {
           firewall.allowedTCPPorts = [ 80 ];
           useHostResolvConf = lib.mkForce false;
@@ -62,11 +64,14 @@
         };
       };
     bindMounts = {
-      "/run/postgresql/.s.PGSQL.5432" = {
-        hostPath = "/run/postgresql/.s.PGSQL.5432";
+      "/run/postgresql" = {
+        hostPath = "/run/postgresql";
       };
     };
   };
 
-  services.caddy.virtualHosts."nextcloud.thewordnerd.info".extraConfig = ''reverse_proxy nextcloud'';
+  services.caddy.virtualHosts."nextcloud.thewordnerd.info".extraConfig = ''
+    reverse_proxy nextcloud
+    header Strict-Transport-Security max-age=31536000;
+  '';
 }

hosts/hub/default.nix

@@ -10,6 +10,7 @@
     ../../roles/zfs.nix
     ../../base.nix
     ../../users/root.nix
+    ../../roles/fail2ban.nix
     ../../roles/tailscale.nix
     ../../roles/lldap.nix
     ../../roles/authelia.nix
@@ -18,6 +19,7 @@
     ../../roles/caddy.nix
     ../../roles/vscode-remote.nix
     ../../roles/postgres.nix
+    ../../roles/syncthing.nix
     ./apps/dev.nix
     ./apps/nextcloud.nix
   ];
@@ -64,11 +66,6 @@
     acceptTerms = true;
     defaults.email = "nolan@thewordnerd.info";
     certs."thewordnerd.info" = {
-      domain = "*.thewordnerd.info";
-      dnsProvider = "cloudflare";
-      environmentFile = config.age.secrets.cloudflareApi.path;
-    };
-    certs."hub.thewordnerd.info" = {
       dnsProvider = "cloudflare";
       environmentFile = config.age.secrets.cloudflareApi.path;
     };
@@ -103,6 +100,15 @@
     };
   };
 
+  services.fail2ban.jails = {
+    dovecot.settings = {
+      filter = "dovecot[mode=aggressive]";
+    };
+    postfix.settings = {
+      filter = "postfix[mode=aggressive]";
+    };
+  };
+
   services.caddy.virtualHosts."users.thewordnerd.info".extraConfig =
     ''reverse_proxy localhost:17170'';
 
@@ -110,6 +116,22 @@
     reverse_proxy localhost:9091
   '';
 
+  services.authelia.instances.main.settings.access_control.rules = [
+    {
+      domain = "syncthing.thewordnerd.info";
+      policy = "one_factor";
+    }
+  ];
+
+  services.caddy.virtualHosts."syncthing.thewordnerd.info".extraConfig = ''
+    forward_auth localhost:9091 {
+      uri /api/authz/forward-auth
+    }
+    reverse_proxy localhost:8384 {
+      header_up Host {upstream_hostport}
+    }
+  '';
+
   services.caddy.virtualHosts."www.thewordnerd.info".extraConfig = ''
     file_server
     root * /var/www/thewordnerd.info