From 1d2c6bb0f0e968c155b46556fff372abbbe20fc4 Mon Sep 17 00:00:00 2001
From: Jade
Date: Sat, 18 Mar 2023 17:54:57 +0100
Subject: [PATCH] security improvements among other things
---
 common.nix | 6 ++++-
 modules/default.nix | 1 +
 modules/desktop/networking.nix | 11 ---------
 modules/firewall.nix | 38 ++++++++++++++++++++++++++++++++
 schrottserver/configuration.nix | 13 ++++++++---
 schrottserver/penpot.nix | 17 +++++---------
 schrottserver/proxy.nix | 12 +++++-----
 secret-data/penpot-smtp-pass | Bin 53 -> 53 bytes
 8 files changed, 66 insertions(+), 32 deletions(-)
 create mode 100644 modules/firewall.nix
diff --git a/common.nix b/common.nix
index 1c948d5..ca9a791 100644
--- a/common.nix
+++ b/common.nix
@@ -40,7 +40,11 @@ with builtins;
 };
 services = {
- openssh.enable = true;
+ openssh = {
+ passwordAuthentication = false;
+ kbdInteractiveAuthentication = false;
+ enable = true;
+ };
 };
 programs = {
diff --git a/modules/default.nix b/modules/default.nix
index 10ab69e..0a0a827 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -6,5 +6,6 @@
 ./neovim.nix
 ./zsh.nix
 ./flatpak.nix
+ ./firewall.nix
 ];
 }
diff --git a/modules/desktop/networking.nix b/modules/desktop/networking.nix
index 90ddc74..9d69620 100644
--- a/modules/desktop/networking.nix
+++ b/modules/desktop/networking.nix
@@ -4,17 +4,6 @@
 config = {
 networking = {
 networkmanager.wifi.backend = "iwd";
- firewall = {
- allowedTCPPorts = [
- 8384
- 22000
- ];
- allowedUDPPorts = [
- 8080
- 22000
- 21027
- ];
- };
 extraHosts = ''
 127.0.0.1 www.youtube.com
 127.0.0.1 www.reddit.com
diff --git a/modules/firewall.nix b/modules/firewall.nix
new file mode 100644
index 0000000..78c616c
--- /dev/null
+++ b/modules/firewall.nix
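Review bot: Root login is disabled only for one host (`openssh.permitRootLogin = "no"` in the schrottserver/configuration.nix services hunk), while the key-only policy added here lives in the shared common.nix; moving `permitRootLogin = "no";` next to `passwordAuthentication = false;` applies it to every host that imports this file instead of just the server. Nothing in the hunk shows authorized keys being declared, so confirm `users.users.<name>.openssh.authorizedKeys.keys` is set for each host before deploying, otherwise disabling the password path removes the only remote login route. On NixOS 23.05 and later these options are renamed to `services.openssh.settings.PasswordAuthentication`, `settings.KbdInteractiveAuthentication` and `settings.PermitRootLogin`; the current names are correct for stateVersion 22.11 but will warn on upgrade. The enclosing `services` attribute set continues outside the hunk.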
@@ -0,0 +1,38 @@
+{ config, lib, pkgs, ... }:
+{
+ config = {
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ # ssh
+ 22
+
+ # http, https
+ 80 443
+
+ # syncthing web ui
+ 8384
+
+ # syncthing
+ 22000
+
+ # mumble
+ 64738
+ ];
+ allowedUDPPorts = [
+ 8080
+
+ # other
+ 12333
+
+ # syncthing discovery
+ 21027
+
+ # mumble
+ 64738
+ ];
+ };
+ };
+ };
+}
diff --git a/schrottserver/configuration.nix b/schrottserver/configuration.nix
index e01dbe5..ab764c8 100644
--- a/schrottserver/configuration.nix
+++ b/schrottserver/configuration.nix
@@ -16,7 +16,8 @@
 ./microbin.nix
 ../modules/neovim.nix
 ../modules/zsh.nix
- ./synapse.nix
+ ../modules/firewall.nix
+ #./synapse.nix
 ./penpot.nix
 ];
@@ -28,6 +29,14 @@
 serviceConfig.EnvironmentFile = "/etc/wordsofgod-bot/wordsofgod.env";
 };
+ services = {
+ openssh.permitRootLogin = "no";
+ fail2ban = {
+ enable = true;
+ bantime-increment.enable = true;
+ };
+ };
+
 jade = {
 neovim.enable = true;
 zsh.enable = true;
@@ -43,8 +52,6 @@
 networking.hostName = "schrottserver"; # Define your hostname.
 networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
- networking.firewall.enable = false;
- # default settings for stateful data; don't change unless reinstall with newer version
 system.stateVersion = "22.11"; # Did you read the comment?
diff --git a/schrottserver/penpot.nix b/schrottserver/penpot.nix
index 1f4f18e..865f6ec 100644
--- a/schrottserver/penpot.nix
+++ b/schrottserver/penpot.nix
@@ -9,8 +9,7 @@
 services = {
 "penpot-backend".service = {
 image = "penpotapp/backend:latest";
- volumes = [ "/penpot_assets:/var/lib/penpot/data/assets" ];
- restart = "always";
+ volumes = [ "/penpot_assets:/opt/data/assets" ];
 depends_on = [ "penpot-postgres" "penpot-redis" ];
 networks = [ "penpot" ];
 environment = {
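Review bot: This module is imported from the shared modules/default.nix and from schrottserver/configuration.nix, so the desktop-only ports (8384 Syncthing web UI, 22000/21027 Syncthing, 64738 Mumble, 8080 UDP and the unexplained 12333) are now open on the server as well as on the desktops, which widens the server's exposure compared with the per-host list this replaces. The comment `# other` above `12333` does not tell a later reader which service listens there; replace it with the service name (`# <service> — TODO confirm`) or drop the port. 8384 is Syncthing's GUI port, which normally binds to localhost, so opening it network-wide is only right if remote GUI access is intended. Keeping `22 80 443` unconditional and gating the desktop set behind an option (name below chosen for illustration) keeps the server list minimal:
```nix
{ config, lib, pkgs, ... }:
{
  # Opt-in for desktop service ports; hosts that do not set it keep the base set only.
  options.jade.firewall.desktopPorts = lib.mkEnableOption "desktop service ports (Syncthing, Mumble)";

  config = {
    networking.firewall = {
      enable = true;
      # ssh, http, https are open on every host
      allowedTCPPorts = [ 22 80 443 ]
        ++ lib.optionals config.jade.firewall.desktopPorts [ 8384 22000 64738 ];
      allowedUDPPorts =
        lib.optionals config.jade.firewall.desktopPorts [ 8080 12333 21027 64738 ];
    };
  };
}
```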
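Review bot: `#./synapse.nix` in the imports hunk leaves a commented-out import with no reason recorded, while the proxy.nix hunk in this same commit still issues a certificate for synapse.schrottkatze.de; either delete the line or annotate it with `# synapse disabled: <reason> — TODO remove vhost/cert` so the leftover vhost and certificate get cleaned up deliberately. In the services hunk fail2ban is enabled with defaults, which on NixOS means only the sshd jail; with password authentication already off in common.nix that jail mostly trims log noise, so if the goal is to protect the nginx-fronted services, jails for those still need to be configured. With `bantime-increment.enable = true` an operator mistyping a key passphrase a few times can be locked out for a long time; `services.fail2ban.ignoreIP` for the admin network avoids that. All three hunks sit inside the top-level module attribute set, which starts and ends outside them.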
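Review bot: `restart = "always"` is removed from penpot-backend here and from the frontend, exporter, postgres and redis services in the three following hunks without a replacement policy; unless the generated systemd units restart the containers on failure, a crashed backend now stays down until someone intervenes. If the removal is deliberate (for example because the unit already handles restarts), a one-line comment above `services = {` saying so would stop the next reader from re-adding it. The `image = "penpotapp/backend:latest"` left in context is an unpinned tag, so each pull can deploy different code; this commit does not touch it, but pinning to a digest is the usual fix. The enclosing `services` set continues in the next hunk.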
@@ -25,31 +24,29 @@
 "PENPOT_REDIS_URI" = "redis://penpot-redis/0";
 "PENPOT_ASSETS_STORAGE_BACKEND" = "assets-fs";
- "PENPOT_STORAGE_ASSETS_FS_DIRECTORY" = "/var/lib/penpot/data/assets";
+ "PENPOT_STORAGE_ASSETS_FS_DIRECTORY" = "/opt/data/assets";
 "PENPOT_TELEMETRY_ENABLED" = "false";
- "PENPOT_SMTP_DEFAULT_FROM" = "noreply-pp@schrottkatze.de";
- "PENPOT_SMTP_DEFAULT_REPLY_TO" = "noreply-pp@schrottkatze.de";
+ "PENPOT_SMTP_DEFAULT_FROM" = "Penpot ";
+ "PENPOT_SMTP_DEFAULT_REPLY_TO" = "Penpot ";
 "PENPOT_SMTP_HOST" = "smtp.migadu.com";
 "PENPOT_SMTP_PORT" = "587";
 "PENPOT_SMTP_USERNAME" = "noreply-pp@schrottkatze.de";
- "PENPOT_SMTP_PASSWORD" = builtins.readFile ../secret-data/penpot-smtp-pass;
+ "PENPOT_SMTP_PASSWORD" = "${builtins.readFile ../secret-data/penpot-smtp-pass}";
 "PENPOT_SMTP_TLS" = "true";
 "PENPOT_SMTP_SSL" = "false";
 };
 };
 "penpot-frontend".service = {
 image = "penpotapp/frontend:latest";
- restart = "always";
 ports = [ "9001:80" ];
- volumes = [ "/penpot_assets:/var/lib/penpot/data/assets" ];
+ volumes = [ "/penpot_assets:/opt/data/assets" ];
 depends_on = [ "penpot-backend" "penpot-exporter" ];
 networks = [ "penpot" ];
 };
 "penpot-exporter".service = {
 image = "penpotapp/exporter:latest";
- restart = "always";
 networks = [ "penpot" ];
 environment = {
 "PENPOT_PUBLIC_URI" = "http://penpot-frontend";
@@ -58,7 +55,6 @@
 };
 "penpot-postgres".service = {
 image = "postgres:15";
- restart = "always";
 stop_signal = "SIGINT";
 volumes = [ "/penpot_postgres_v15:/var/lib/postgresql/data" ];
 networks = [ "penpot" ];
@@ -71,7 +67,6 @@
 };
 "penpot-redis".service = {
 image = "redis:7";
- restart = "always";
 networks = [ "penpot" ];
 };
 };
diff --git a/schrottserver/proxy.nix b/schrottserver/proxy.nix
index 28b5525..16e0f39 100644
--- a/schrottserver/proxy.nix
+++ b/schrottserver/proxy.nix
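Review bot: Wrapping `builtins.readFile ../secret-data/penpot-smtp-pass` in `"${...}"` does not change where the password ends up: it is read at evaluation time and written into the generated compose/unit files in the world-readable Nix store, and this same commit updates the committed `secret-data/penpot-smtp-pass` file, so both the old and new values are in git history. Provide it at runtime instead, e.g. `env_file = [ "<runtime path outside the store>" ];` populated by a secrets tool on the host, and rotate the credential once it no longer needs to be in the repository. `"Penpot "` as `PENPOT_SMTP_DEFAULT_FROM`/`PENPOT_SMTP_DEFAULT_REPLY_TO` looks truncated (an address in angle brackets may have been lost in rendering); if the value really is `"Penpot "`, the From header is not a valid address. The `environment` set for penpot-backend starts in the previous hunk.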
@@ -6,27 +6,27 @@
 certs = {
 "schrottkatze.de" = {
 group = "nginx";
- keyType = "rsa2048";
+ keyType = "rsa4096";
 };
 "vw.schrottkatze.de" = {
 group = "nginx";
- keyType = "rsa2048";
+ keyType = "rsa4096";
 };
 "wolke.schrottkatze.de" = {
 group = "nginx";
- keyType = "rsa2048";
+ keyType = "rsa4096";
 };
 "s10e.de" = {
 group = "nginx";
- keyType = "rsa2048";
+ keyType = "rsa4096";
 };
 "synapse.schrottkatze.de" = {
 group = "nginx";
- keyType = "rsa2048";
+ keyType = "rsa4096";
 };
 "pp.schrottkatze.de" = {
 group = "nginx";
- keyType = "rsa2048";
+ keyType = "rsa4096";
 };
 };
 };
diff --git a/secret-data/penpot-smtp-pass b/secret-data/penpot-smtp-pass
index 80a163fdaecb63578231e10135edbaa581e06eb1..1d6512f92fb8656ec1b315f9df2b021aa16c23f7 100644
GIT binary patch
literal 53
zcmV-50LuRWM@dveQdv+`0GPjb%qv-g;Qst2@2_}MifY3IRPCF14!!>LG|q6BW-W%x
LAOzF(La%&)kZ~Fk
literal 53
zcmZQ@_Y83kiVO&0Q1$-*voxD?rr@`uYZY?N>PemM_2BCiyC0i%_;94z=Gi3$wHbcw
JS@C?1mH;%~6+i$0
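Review bot: The same `keyType = "rsa4096";` is repeated for all six certificates; `security.acme.defaults.keyType = "rsa4096";` (and likewise `defaults.group = "nginx";`) sets it once and removes the per-cert duplication that let rsa2048 linger here, assuming this `certs` set is `security.acme.certs` (its header is above the hunk). An EC key such as `"ec256"` is also a valid keyType value and gives comparable security with smaller handshakes, if no client requires RSA. Changing the key type re-issues all six certificates on the next run, which is worth a comment above `certs = {` so the burst of issuance is expected.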