From a274ae5f031e60f1ac7ffc5078190222b8e4b80c Mon Sep 17 00:00:00 2001 From: Tigor Hutasuhut Date: Wed, 12 Jun 2024 20:25:30 +0700 Subject: [PATCH] homeserver: added firewall and podman --- options/default.nix | 8 +++++++- profiles/homeserver.nix | 2 ++ system/modules/default.nix | 1 + system/modules/networking.nix | 11 +++++++++-- system/modules/openssh.nix | 19 ++++--------------- 5 files changed, 23 insertions(+), 18 deletions(-) diff --git a/options/default.nix b/options/default.nix index ce2acf4..94cc523 100644 --- a/options/default.nix +++ b/options/default.nix @@ -45,7 +45,13 @@ flatpak.enable = lib.mkEnableOption "flatpak"; gnome.enable = lib.mkEnableOption "gnome"; kde.enable = lib.mkEnableOption "kde"; - networking.firewall.enable = lib.mkEnableOption "firewall"; + networking.firewall = { + enable = lib.mkEnableOption "firewall"; + allowedTCPPorts = lib.mkOption { + type = lib.types.listOf lib.types.int; + default = [ ]; + }; + }; printing.enable = lib.mkEnableOption "printing"; scanner.enable = lib.mkEnableOption "scanner"; steam.enable = lib.mkEnableOption "steam"; diff --git a/profiles/homeserver.nix b/profiles/homeserver.nix index ce71db9..341c110 100644 --- a/profiles/homeserver.nix +++ b/profiles/homeserver.nix @@ -22,5 +22,7 @@ }; openssh.enable = true; go.enable = true; + networking.firewall.enable = true; + networking.firewall.allowedTCPPorts = [ 80 443 ]; }; } diff --git a/system/modules/default.nix b/system/modules/default.nix index ead12f1..e829772 100644 --- a/system/modules/default.nix +++ b/system/modules/default.nix @@ -15,6 +15,7 @@ ./kde.nix ./networking.nix ./openssh.nix + ./podman.nix ./printing.nix ./scanner.nix ./sops.nix diff --git a/system/modules/networking.nix b/system/modules/networking.nix index c222252..672fdeb 100644 --- a/system/modules/networking.nix +++ b/system/modules/networking.nix 
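Review bot: In the options/default.nix hunk, `allowedTCPPorts` is typed `lib.types.listOf lib.types.int`, which accepts negative values and numbers above 65535 and only surfaces the mistake later, when the firewall rules are generated; `lib.types.port` carries the 0–65535 range check, so `type = lib.types.listOf lib.types.port;` catches it at evaluation time. The option also lacks a `description`, so it is invisible in generated option docs; `description = "TCP ports the profile opens in the host firewall.";` would fix that. The enclosing options attribute set starts and ends outside the hunk.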
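Review bot: In the profiles/homeserver.nix hunk, `networking.firewall.allowedTCPPorts = [ 80 443 ];` documents only the host-level INPUT exposure, and this commit also wires in a podman module (podman.nix itself is not in the patch, so this is inferred): ports published by rootful podman containers are typically DNATed by netavark rules and pass through FORWARD rather than INPUT, so they are reachable regardless of this list. A one-line comment would stop the next reader from taking this list as the complete attack surface: `# Host services only; ports published by podman containers bypass this list.` The surrounding profile attribute set starts before the hunk.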
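Review bot: In the system/modules/default.nix hunk, `./podman.nix` is added to the imports list, but the diffstat lists five files and `system/modules/podman.nix` is not one of them, so unless that file was committed earlier the configuration stops evaluating with a missing-path error. Either include the file in this commit or leave the import out until it lands; an `imports` entry pointing at a non-existent path fails every host that includes this module, not just the homeserver. The imports list continues outside the hunk.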
@@ -1,8 +1,15 @@ -{ config, ... }: +{ config, lib, ... }: { networking.networkmanager.enable = true; networking.extraHosts = '' 192.168.50.217 gitlab.bareksa.com ''; - networking.firewall.enable = config.profile.networking.firewall.enable; + networking.firewall = + let + cfg = config.profile.networking.firewall; + in + { + enable = cfg.enable; + allowedTCPPorts = cfg.allowedTCPPorts; + }; } diff --git a/system/modules/openssh.nix b/system/modules/openssh.nix index c55cfb8..97f12b4 100644 --- a/system/modules/openssh.nix +++ b/system/modules/openssh.nix @@ -4,6 +4,9 @@ let in { config = lib.mkIf cfg.enable { + networking.firewall = { + allowedTCPPorts = lib.mkAfter [ 22 ]; + }; services.openssh = { enable = true; settings = { @@ -27,24 +30,10 @@ in bantime-increment = { enable = true; # Enable increment of bantime after each violation formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; - multipliers = "1 2 4 8 16 32 64"; + # multipliers = "1 2 4 8 16 32 64"; maxtime = "168h"; # Do not ban for more than 1 week overalljails = true; # Calculate the bantime based on all the violations }; - jails = { - apache-nohome-iptables.settings = { - # Block an IP address if it accesses a non-existent - # home directory more than 5 times in 10 minutes, - # since that indicates that it's scanning. - filter = "apache-nohome"; - action = ''iptables-multiport[name=HTTP, port="http,https"]''; - logpath = "/var/log/httpd/error_log*"; - backend = "auto"; - findtime = 600; - bantime = 600; - maxretry = 5; - }; - }; }; }; }
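Review bot: `enable = cfg.enable;` still propagates the profile option unconditionally, and since `profile.networking.firewall.enable` is declared with `lib.mkEnableOption` (default false, in the options/default.nix hunk of this patch), every host that does not opt in gets `networking.firewall.enable = false` — the inverse of NixOS's default of an enabled firewall. Guarding the whole block keeps the upstream default for non-opted hosts: `networking.firewall = let cfg = config.profile.networking.firewall; in lib.mkIf cfg.enable { enable = true; allowedTCPPorts = cfg.allowedTCPPorts; };`. If desktop profiles currently rely on the firewall being off, that should be an explicit `enable = false` in those profiles rather than an implicit side effect of this option's default.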
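Review bot: In the first openssh.nix hunk, `allowedTCPPorts = lib.mkAfter [ 22 ];` hard-codes port 22 independently of `services.openssh.ports`, and the NixOS openssh module already opens whatever `services.openssh.ports` lists when `services.openssh.openFirewall` is set, which defaults to true — so the line is redundant today and opens the wrong port if `ports` is ever changed. `lib.mkAfter` also adds nothing here, because ordering of entries in the firewall port list has no effect. Drop the three added lines, or if explicitness is wanted, state it inside the `services.openssh` block as `openFirewall = true;`. The `config = lib.mkIf cfg.enable { ... }` attribute set continues past the hunk.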
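Review bot: In the second openssh.nix hunk, `# multipliers = "1 2 4 8 16 32 64";` leaves a commented-out setting with no reason given; in fail2ban `multipliers` takes precedence over `formula` when both are set, so unsetting it is what actually lets the exponential `formula` apply, and that reasoning should be the comment rather than dead config: `# multipliers is deliberately unset: it would take precedence over formula.`. The jail removal is fine as a deletion, but note that nothing else in the hunk documents why the fail2ban block keeps `overalljails = true` after the only extra jail is gone. The enclosing attribute set starts before the hunk.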