homeserver: added firewall and podman

Tigor Hutasuhut 2024-06-12 20:25:30 +07:00
parent ec7e115b54
commit a274ae5f03
5 changed files with 23 additions and 18 deletions


@ -45,7 +45,13 @@
flatpak.enable = lib.mkEnableOption "flatpak"; flatpak.enable = lib.mkEnableOption "flatpak";
gnome.enable = lib.mkEnableOption "gnome"; gnome.enable = lib.mkEnableOption "gnome";
kde.enable = lib.mkEnableOption "kde"; kde.enable = lib.mkEnableOption "kde";
networking.firewall.enable = lib.mkEnableOption "firewall"; networking.firewall = {
enable = lib.mkEnableOption "firewall";
allowedTCPPorts = lib.mkOption {
type = lib.types.listOf lib.types.int;
default = [ ];
};
};
printing.enable = lib.mkEnableOption "printing"; printing.enable = lib.mkEnableOption "printing";
scanner.enable = lib.mkEnableOption "scanner"; scanner.enable = lib.mkEnableOption "scanner";
steam.enable = lib.mkEnableOption "steam"; steam.enable = lib.mkEnableOption "steam";
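Review bot: The new `allowedTCPPorts` option is typed `lib.types.listOf lib.types.int`, but the NixOS option it is forwarded to (`networking.firewall.allowedTCPPorts`) expects port numbers, so a negative or out-of-range value would only be rejected later with a less direct message than a type error on the profile option itself. Use `type = lib.types.listOf lib.types.port;` instead. The sibling options all carry a description through `mkEnableOption`; this one has none, so add `description = "TCP ports opened in the host firewall when profile.networking.firewall is enabled.";` so it appears in the options documentation. The enclosing options attrset starts and ends outside the hunk.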


@ -22,5 +22,7 @@
}; };
openssh.enable = true; openssh.enable = true;
go.enable = true; go.enable = true;
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
}; };
} }
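Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens two ports on the host with nothing in this hunk that listens on them, so a reader cannot tell which service they are for. If a web service or reverse proxy is configured in another module, opening the ports next to that service under its own `mkIf cfg.enable` (as the openssh module in this commit does) keeps the exposed surface tied to what is actually enabled; if they are intended for podman-published containers, a comment such as `# 80/443: published by podman containers` at least records the intent. The enclosing host config block starts before the hunk.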


@ -15,6 +15,7 @@
./kde.nix ./kde.nix
./networking.nix ./networking.nix
./openssh.nix ./openssh.nix
./podman.nix
./printing.nix ./printing.nix
./scanner.nix ./scanner.nix
./sops.nix ./sops.nix
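Review bot: `./podman.nix` is added to the imports list, but none of the five files in the diffstat of this commit is `podman.nix`, so unless that file already exists in the tree this change makes evaluation fail with a missing-file error and the podman half of the commit title is not actually present. Either include the module in this commit or hold the import until the module lands; if the file exists but was committed earlier, the title should say so. The imports list starts and ends outside the hunk.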


@ -1,8 +1,15 @@
{ config, ... }: { config, lib, ... }:
{ {
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
networking.extraHosts = '' networking.extraHosts = ''
192.168.50.217 gitlab.bareksa.com 192.168.50.217 gitlab.bareksa.com
''; '';
networking.firewall.enable = config.profile.networking.firewall.enable; networking.firewall =
let
cfg = config.profile.networking.firewall;
in
{
enable = cfg.enable;
allowedTCPPorts = cfg.allowedTCPPorts;
};
} }
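Review bot: `enable = cfg.enable;` ties the firewall to a `mkEnableOption`, whose default is `false`, so every host that does not set `profile.networking.firewall.enable` explicitly ends up with `networking.firewall.enable = false` — the opposite of the NixOS default, which keeps the firewall on. The removed line had the same effect, but since the block is being rewritten it is the right moment to change the profile option's default to on, e.g. `enable = lib.mkEnableOption "firewall" // { default = true; };` in the options module, so that opting out rather than opting in is the explicit action. Forwarding `allowedTCPPorts` while the firewall is disabled is harmless, so that line can stay as written.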


@ -4,6 +4,9 @@ let
in in
{ {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
networking.firewall = {
allowedTCPPorts = lib.mkAfter [ 22 ];
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings = { settings = {
@ -27,24 +30,10 @@ in
bantime-increment = { bantime-increment = {
enable = true; # Enable increment of bantime after each violation enable = true; # Enable increment of bantime after each violation
formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
multipliers = "1 2 4 8 16 32 64"; # multipliers = "1 2 4 8 16 32 64";
maxtime = "168h"; # Do not ban for more than 1 week maxtime = "168h"; # Do not ban for more than 1 week
overalljails = true; # Calculate the bantime based on all the violations overalljails = true; # Calculate the bantime based on all the violations
}; };
jails = {
apache-nohome-iptables.settings = {
# Block an IP address if it accesses a non-existent
# home directory more than 5 times in 10 minutes,
# since that indicates that it's scanning.
filter = "apache-nohome";
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "/var/log/httpd/error_log*";
backend = "auto";
findtime = 600;
bantime = 600;
maxretry = 5;
};
};
}; };
}; };
} }
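Review bot: The added `allowedTCPPorts = lib.mkAfter [ 22 ];` hard-codes the port instead of following `services.openssh.ports`, so if the listen port is ever changed in the `settings` block (which continues outside the hunk, so I cannot see it) port 22 would stay open and the real port would stay closed. If I recall the NixOS module correctly, `services.openssh.openFirewall` already defaults to `true` and opens the configured ports, which would make this line redundant; if an explicit entry is wanted, `allowedTCPPorts = config.services.openssh.ports;` tracks the configuration. `lib.mkAfter` has no useful effect on a port list, since ordering is irrelevant, and can be dropped. The enclosing `config = lib.mkIf cfg.enable` block continues past the hunk.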