homeserver: added firewall and podman

2024-06-12 20:25:30 +07:00 · 2024-06-12 20:25:30 +07:00 · a274ae5f03
parent ec7e115b54
commit a274ae5f03
5 changed files with 23 additions and 18 deletions
--- a/options/default.nix
+++ b/options/default.nix
@ -45,7 +45,13 @@
    flatpak.enable = lib.mkEnableOption "flatpak";
    gnome.enable = lib.mkEnableOption "gnome";
    kde.enable = lib.mkEnableOption "kde";
-    networking.firewall.enable = lib.mkEnableOption "firewall";
+    networking.firewall = {
+      enable = lib.mkEnableOption "firewall";
+      allowedTCPPorts = lib.mkOption {
+        type = lib.types.listOf lib.types.int;
+        default = [ ];
+      };
+    };
    printing.enable = lib.mkEnableOption "printing";
    scanner.enable = lib.mkEnableOption "scanner";
    steam.enable = lib.mkEnableOption "steam";
--- a/profiles/homeserver.nix
+++ b/profiles/homeserver.nix
@ -22,5 +22,7 @@
    };
    openssh.enable = true;
    go.enable = true;
+    networking.firewall.enable = true;
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
 }
--- a/system/modules/default.nix
+++ b/system/modules/default.nix
@ -15,6 +15,7 @@
    ./kde.nix
    ./networking.nix
    ./openssh.nix
+    ./podman.nix
    ./printing.nix
    ./scanner.nix
    ./sops.nix
--- a/system/modules/networking.nix
+++ b/system/modules/networking.nix
@ -1,8 +1,15 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
  networking.networkmanager.enable = true;
  networking.extraHosts = ''
    192.168.50.217 gitlab.bareksa.com
  '';
-  networking.firewall.enable = config.profile.networking.firewall.enable;
+  networking.firewall =
+    let
+      cfg = config.profile.networking.firewall;
+    in
+    {
+      enable = cfg.enable;
+      allowedTCPPorts = cfg.allowedTCPPorts;
+    };
 }
--- a/system/modules/openssh.nix
+++ b/system/modules/openssh.nix
@ -4,6 +4,9 @@ let
 in
 {
  config = lib.mkIf cfg.enable {
+    networking.firewall = {
+      allowedTCPPorts = lib.mkAfter [ 22 ];
+    };
    services.openssh = {
      enable = true;
      settings = {
@ -27,24 +30,10 @@ in
      bantime-increment = {
        enable = true; # Enable increment of bantime after each violation
        formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
-        multipliers = "1 2 4 8 16 32 64";
+        # multipliers = "1 2 4 8 16 32 64";
        maxtime = "168h"; # Do not ban for more than 1 week
        overalljails = true; # Calculate the bantime based on all the violations
      };
-      jails = {
-        apache-nohome-iptables.settings = {
-          # Block an IP address if it accesses a non-existent
-          # home directory more than 5 times in 10 minutes,
-          # since that indicates that it's scanning.
-          filter = "apache-nohome";
-          action = ''iptables-multiport[name=HTTP, port="http,https"]'';
-          logpath = "/var/log/httpd/error_log*";
-          backend = "auto";
-          findtime = 600;
-          bantime = 600;
-          maxretry = 5;
-        };
-      };
    };
  };
 }