Sanitized mirror from private repository - 2026-04-18 11:19:59 UTC

2026-04-18 11:19:59 +00:00
commit fb00a325d1
1418 changed files with 359990 additions and 0 deletions
--- a/hosts/vms/matrix-ubuntu/crowdsec.yaml
+++ b/hosts/vms/matrix-ubuntu/crowdsec.yaml
@@ -0,0 +1,63 @@
+# CrowdSec Security Stack - Intrusion Detection & Prevention
+# =============================================================================
+# Co-located with NPM on matrix-ubuntu for direct log access (no rsync needed).
+# CrowdSec engine (LAPI) parses NPM access/error logs and host syslog.
+# Blocking is handled by crowdsec-firewall-bouncer-nftables installed on the
+# host (not containerized) — drops packets at the network layer via nftables,
+# avoiding nginx auth_request conflicts with Authentik SSO.
+#
+# Ports: 8580 (LAPI), 6060 (Prometheus metrics)
+#
+# Setup steps after first deploy:
+#   1. Install firewall bouncer on host:
+#      curl -s https://install.crowdsec.net | sudo sh
+#      sudo apt install crowdsec-firewall-bouncer-nftables
+#   2. Generate bouncer API key:
+#      docker exec crowdsec cscli bouncers add firewall-bouncer
+#   3. Configure /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml:
+#      api_url: http://127.0.0.1:8580/
+#      api_key: <generated key>
+#      deny_log: true
+#   4. Start bouncer: sudo systemctl enable --now crowdsec-firewall-bouncer
+#   5. Enroll in CrowdSec console (optional):
+#      docker exec crowdsec cscli console enroll <key>
+#
+# Collections installed via COLLECTIONS env var:
+#   - crowdsecurity/nginx-proxy-manager — NPM log parser + scenarios
+#   - crowdsecurity/base-http-scenarios — generic HTTP attack detection
+#   - crowdsecurity/http-cve — known CVE exploit detection
+#   - crowdsecurity/linux — SSH brute force, etc.
+# =============================================================================
+
+services:
+  crowdsec:
+    image: crowdsecurity/crowdsec:latest
+    container_name: crowdsec
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    environment:
+      TZ: America/Los_Angeles
+      COLLECTIONS: >-
+        crowdsecurity/nginx-proxy-manager
+        crowdsecurity/base-http-scenarios
+        crowdsecurity/http-cve
+        crowdsecurity/linux
+      GID: "1000"
+      CROWDSEC_PROMETHEUS_LISTEN_ADDR: "0.0.0.0"
+      CROWDSEC_PROMETHEUS_LISTEN_PORT: "6060"
+    volumes:
+      - /opt/crowdsec/config:/etc/crowdsec
+      - /opt/crowdsec/data:/var/lib/crowdsec/data
+      # NPM logs — direct mount, same host
+      - /opt/npm/data/logs:/var/log/npm:ro
+      - /var/log:/var/log/host:ro
+    ports:
+      - "8580:8080"
+      - "6060:6060"
+    healthcheck:
+      test: ["CMD", "cscli", "version"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
--- a/hosts/vms/matrix-ubuntu/docker-compose.livekit.yml
+++ b/hosts/vms/matrix-ubuntu/docker-compose.livekit.yml
@@ -0,0 +1,39 @@
+# LiveKit SFU + JWT service for MatrixRTC (Element X / Element Call)
+# Host: matrix-ubuntu (192.168.0.154 / 100.85.21.51)
+# Deploy path: /opt/livekit/
+#
+# Public endpoints (via NPM on Calypso -> livekit.mx.vish.gg):
+#   LiveKit SFU:    https://livekit.mx.vish.gg/livekit/sfu/
+#   JWT service:    https://livekit.mx.vish.gg/livekit/jwt/
+#   Healthcheck:    https://livekit.mx.vish.gg/livekit/jwt/healthz
+#
+# Announced via .well-known/matrix/client on mx.vish.gg:
+#   "org.matrix.msc4143.rtc_foci": [{"type":"livekit","livekit_service_url":"https://livekit.mx.vish.gg/livekit/jwt"}]
+#
+# NOTE: This compose file lives at /opt/livekit/docker-compose.yml on matrix-ubuntu
+# It is NOT deployed via Portainer GitOps — managed manually on the host.
+# Config file: /opt/livekit/livekit.yaml
+
+services:
+  livekit:
+    image: livekit/livekit-server:latest
+    container_name: livekit
+    command: --config /etc/livekit/livekit.yaml
+    volumes:
+      - /opt/livekit/livekit.yaml:/etc/livekit/livekit.yaml:ro
+    # network_mode: host — uses host networking for WebRTC NAT traversal
+    # Ports: 7880 (HTTP/WS), 7881 (RTC TCP), 50000-60000/udp (WebRTC media)
+    network_mode: host
+    restart: unless-stopped
+
+  lk-jwt-service:
+    image: ghcr.io/element-hq/lk-jwt-service:latest-ci
+    container_name: lk-jwt-service
+    environment:
+      - LIVEKIT_URL=wss://livekit.mx.vish.gg
+      - LIVEKIT_KEY=livekit_key
+      - LIVEKIT_SECRET=800649495d6b00e27fbafc71REDACTED_GITEA_TOKEN # pragma: allowlist secret
+      - LIVEKIT_FULL_ACCESS_HOMESERVERS=mx.vish.gg
+    ports:
+      - "8089:8080"
+    restart: unless-stopped
--- a/hosts/vms/matrix-ubuntu/livekit-config.yaml
+++ b/hosts/vms/matrix-ubuntu/livekit-config.yaml
@@ -0,0 +1,22 @@
+# LiveKit SFU configuration
+# Deployed at: /opt/livekit/livekit.yaml on matrix-ubuntu
+# Docs: https://docs.livekit.io/home/self-hosting/deployment/
+
+port: 7880
+rtc:
+  tcp_port: 7881
+  port_range_start: 50000
+  port_range_end: 60000
+  use_external_ip: true  # Auto-detects 184.23.52.14
+  use_ice_lite: true
+
+room:
+  auto_create: false  # Required — lk-jwt-service creates rooms for authorized users only
+
+keys:
+  # API key name: livekit_key
+  # Secret stored in livekit.yml docker-compose env var
+  livekit_key: 800649495d6b00e27fbafc71REDACTED_GITEA_TOKEN # pragma: allowlist secret
+
+logging:
+  level: info
--- a/hosts/vms/matrix-ubuntu/nginx-proxy-manager.yaml
+++ b/hosts/vms/matrix-ubuntu/nginx-proxy-manager.yaml
@@ -0,0 +1,22 @@
+# Nginx Proxy Manager — matrix-ubuntu VM
+# Reverse proxy for all homelab domains
+# Ports: 80 (HTTP), 443 (HTTPS), 81 (Admin UI)
+# URL: http://192.168.0.154:81 (admin)
+#
+# Migrated from Calypso 2026-03-20 to enable split-horizon DNS
+# (Synology nginx on Calypso occupied ports 80/443)
+
+services:
+  nginx-proxy-manager:
+    image: jc21/nginx-proxy-manager:latest
+    container_name: nginx-proxy-manager
+    ports:
+      - "80:80"
+      - "443:443"
+      - "81:81"
+    environment:
+      TZ: America/Los_Angeles
+    volumes:
+      - /opt/npm/data:/data
+      - /opt/npm/letsencrypt:/etc/letsencrypt
+    restart: unless-stopped