Go to file

Bastian de Byl 9d562c7188 feat: smart zomboid traffic filtering with packet-size detection

Replace per-IP hashlimit with smarter filtering that distinguishes
legitimate players from scanner bots based on packet behavior:
- Players send varied packet sizes (53, 37, 1472 bytes)
- Scanners only send 53-byte query packets

New firewall rule chain:
- Priority 2: Mark + ACCEPT non-query packets (verifies player)
- Priority 3: ACCEPT queries from verified IPs (1 hour TTL)
- Priority 4: LOG rate-limited queries from unverified IPs
- Priority 5: DROP rate-limited queries (2 burst, then 1/hour)

Also includes:
- Fail2ban zomboid jail with tighter thresholds (5 retries/4h, 1w ban)
- Graylog streams for zomboid-connections, zomboid-ratelimit, fail2ban
- GeoIP pipeline enrichment for zomboid traffic
- Fluent-bit inputs for ratelimit logs and fail2ban events
- Remove Legendary Katana mod (Workshop 3418366499) - removed from Steam
- Bump Immich to v2.5.0
- Fix fulfillr config (nil → null)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-27 15:09:26 -05:00

.git-crypt

Initial working commit

2020-09-24 21:06:56 -04:00

.vscode

added sshpass_cron, updates, secrets

2023-07-21 17:54:58 -04:00

ansible

feat: smart zomboid traffic filtering with packet-size detection

2026-01-27 15:09:26 -05:00

scripts

graylog updates, test.debyl.io, scripts for reference

2026-01-13 16:08:38 -05:00

.drone.yml

add --list-files and specify config file for yamllint in ci

2023-07-24 15:32:21 -04:00

.gitattributes

added home-assistant container

2022-04-04 20:26:45 -04:00

.gitignore

bumped cloud versions, remove signup, venv improvements, ansible bump

2025-11-17 15:31:36 -05:00

.gitmodules

noticket - version bumps and github actions runner

2023-11-14 15:54:57 -05:00

.lint-vars.sh

Updated lint commands for CI

2020-09-25 14:22:54 -04:00

.pass.sh

Initial working commit

2020-09-24 21:06:56 -04:00

.yamllint.yml

updated fulfillr tag

2023-05-03 12:30:14 -04:00

ansible.cfg

moved ddns, partkeepr, hass to podman, selinux

2022-04-30 03:44:55 -04:00

CLAUDE.md

bumped cloud versions, remove signup, venv improvements, ansible bump

2025-11-17 15:31:36 -05:00

LICENSE

Added README and LICENSE files

2020-09-25 12:04:21 -04:00

Makefile

bumped cloud versions, remove signup, venv improvements, ansible bump

2025-11-17 15:31:36 -05:00

README.md

updated yamllint in ci

2023-07-24 15:25:47 -04:00

requirements.txt

bumped cloud versions, remove signup, venv improvements, ansible bump

2025-11-17 15:31:36 -05:00

TODO.md

Complete infrastructure migration from nginx + ModSecurity to Caddy

2025-09-11 20:38:45 -04:00

README.md

Deploy Home

There's no place like home!

Just as Dorothy managed the simple task of clicking her heels together, the desire for an equally simple one-button push deployment was in my heart. Thus, this repository was made.

Ansible

Ansible, along with double encrypted secrets, deploys the necessary configurations to make the home fit for certain needs and desires. Namely, having access to my home from anywhere, securely, and a self-hosted CI server that easily ties into existing workflows.

Makefile

The makefile is primarily used as a wrapper script to ensure that necessary files, such as the secret vault password file, are provisioned as part of this. One such addition to the task is utilizing dependency pinning through the utilization of Python's virtualenv to lock down the specific dependency versions within the requirements.txt file. This, ideally, prevents any deployment issues with dependency version woes (e.g. version conflicts, major updates in newest versions, etc.)

Target Name	Description
`lint`	(default) Runs `yamllint` and `ansible-lint` on all YAML files in `ansible/`
`deploy`	Deploys everything, or only tasks specified in `TAGS=` environment variable
`check`	Runs `deploy` in a "dry-run", showing diff-style outputs on tasks indicating changes
`vault`	Opens the Ansible vault file for editing