homeserver: added firewall and podman
parent
ec7e115b54
commit
a274ae5f03
|
@ -45,7 +45,13 @@
|
||||||
flatpak.enable = lib.mkEnableOption "flatpak";
|
flatpak.enable = lib.mkEnableOption "flatpak";
|
||||||
gnome.enable = lib.mkEnableOption "gnome";
|
gnome.enable = lib.mkEnableOption "gnome";
|
||||||
kde.enable = lib.mkEnableOption "kde";
|
kde.enable = lib.mkEnableOption "kde";
|
||||||
networking.firewall.enable = lib.mkEnableOption "firewall";
|
networking.firewall = {
|
||||||
|
enable = lib.mkEnableOption "firewall";
|
||||||
|
allowedTCPPorts = lib.mkOption {
|
||||||
|
type = lib.types.listOf lib.types.int;
|
||||||
|
default = [ ];
|
||||||
|
};
|
||||||
|
};
|
||||||
printing.enable = lib.mkEnableOption "printing";
|
printing.enable = lib.mkEnableOption "printing";
|
||||||
scanner.enable = lib.mkEnableOption "scanner";
|
scanner.enable = lib.mkEnableOption "scanner";
|
||||||
steam.enable = lib.mkEnableOption "steam";
|
steam.enable = lib.mkEnableOption "steam";
|
||||||
|
|
|
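Review bot: `enable = lib.mkEnableOption "firewall"` defaults to false, and networking.nix wires that value straight into `networking.firewall.enable`, so every host that does not opt in ends up with the NixOS firewall explicitly switched off, the opposite of the NixOS default. Unless that is intended, declare it on by default: `enable = lib.mkEnableOption "firewall" // { default = true; };`. Separately, `lib.types.listOf lib.types.int` accepts negative or >65535 values; `lib.types.listOf lib.types.port` gives the same range check NixOS applies to `networking.firewall.allowedTCPPorts`. The option set this hunk belongs to continues outside the hunk.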
@ -22,5 +22,7 @@
|
||||||
};
|
};
|
||||||
openssh.enable = true;
|
openssh.enable = true;
|
||||||
go.enable = true;
|
go.enable = true;
|
||||||
|
networking.firewall.enable = true;
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
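Review bot: The two added lines expose 80 and 443, but nothing in this hunk or elsewhere in the visible diff enables a service that listens on them, so a reader cannot tell what the exposure is for or whether it is still needed. A short comment naming the listener would keep the allow-list auditable, e.g. `# 80/443: <service> served by this host`. The enclosing attribute set begins outside the hunk.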
@ -15,6 +15,7 @@
|
||||||
./kde.nix
|
./kde.nix
|
||||||
./networking.nix
|
./networking.nix
|
||||||
./openssh.nix
|
./openssh.nix
|
||||||
|
./podman.nix
|
||||||
./printing.nix
|
./printing.nix
|
||||||
./scanner.nix
|
./scanner.nix
|
||||||
./sops.nix
|
./sops.nix
|
||||||
|
|
|
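Review bot: `./podman.nix` is added to the import list but the module itself is not part of the visible diff, so I cannot confirm what it enables. If it turns on `virtualisation.podman`, rootful containers with published ports are reached through the NAT/forward rules podman inserts itself, not through `networking.firewall.allowedTCPPorts`, so the per-host firewall allow-list introduced in this commit would not govern them; a one-line comment next to the import, e.g. `# published container ports are not covered by profile.networking.firewall.allowedTCPPorts`, would record that. The import list continues outside the hunk.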
@ -1,8 +1,15 @@
|
||||||
{ config, ... }:
|
{ config, lib, ... }:
|
||||||
{
|
{
|
||||||
networking.networkmanager.enable = true;
|
networking.networkmanager.enable = true;
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
192.168.50.217 gitlab.bareksa.com
|
192.168.50.217 gitlab.bareksa.com
|
||||||
'';
|
'';
|
||||||
networking.firewall.enable = config.profile.networking.firewall.enable;
|
networking.firewall =
|
||||||
|
let
|
||||||
|
cfg = config.profile.networking.firewall;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
enable = cfg.enable;
|
||||||
|
allowedTCPPorts = cfg.allowedTCPPorts;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
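Review bot: The `let cfg = …; in { enable = cfg.enable; allowedTCPPorts = cfg.allowedTCPPorts; }` form spells each attribute name twice; `networking.firewall = { inherit (config.profile.networking.firewall) enable allowedTCPPorts; };` forwards the same two values in one line and makes it obvious that nothing is transformed on the way. Note also that when the profile option is left at its default this assignment explicitly disables the firewall rather than leaving the NixOS default in place; if that is deliberate, say so, e.g. `# firewall is opt-in per host via profile.networking.firewall.enable`.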
@ -4,6 +4,9 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
|
networking.firewall = {
|
||||||
|
allowedTCPPorts = lib.mkAfter [ 22 ];
|
||||||
|
};
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
|
@ -27,24 +30,10 @@ in
|
||||||
bantime-increment = {
|
bantime-increment = {
|
||||||
enable = true; # Enable increment of bantime after each violation
|
enable = true; # Enable increment of bantime after each violation
|
||||||
formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
|
formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
|
||||||
multipliers = "1 2 4 8 16 32 64";
|
# multipliers = "1 2 4 8 16 32 64";
|
||||||
maxtime = "168h"; # Do not ban for more than 1 week
|
maxtime = "168h"; # Do not ban for more than 1 week
|
||||||
overalljails = true; # Calculate the bantime based on all the violations
|
overalljails = true; # Calculate the bantime based on all the violations
|
||||||
};
|
};
|
||||||
jails = {
|
|
||||||
apache-nohome-iptables.settings = {
|
|
||||||
# Block an IP address if it accesses a non-existent
|
|
||||||
# home directory more than 5 times in 10 minutes,
|
|
||||||
# since that indicates that it's scanning.
|
|
||||||
filter = "apache-nohome";
|
|
||||||
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
|
|
||||||
logpath = "/var/log/httpd/error_log*";
|
|
||||||
backend = "auto";
|
|
||||||
findtime = 600;
|
|
||||||
bantime = 600;
|
|
||||||
maxretry = 5;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
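Review bot: `allowedTCPPorts = lib.mkAfter [ 22 ]` hard-codes the port instead of following what sshd is configured to listen on, and ordering of `allowedTCPPorts` entries has no effect on the resulting rules, so `lib.mkAfter` buys nothing. NixOS already opens the configured ports when `services.openssh.openFirewall` is true (its default), so unless that option is set to false further down (the `services.openssh` block continues outside the hunk) this block is redundant; the port-tracking form is `services.openssh.openFirewall = true;` inside that block, or `allowedTCPPorts = config.services.openssh.ports;` if `config` is in scope in this file. In the second hunk, commenting out `multipliers` rather than deleting it leaves dead config; fail2ban uses `multipliers` instead of `formula` when both are present, so this switches the ban schedule to the exponential formula and deserves a comment such as `# multipliers removed on purpose: use the exponential formula below`.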