security improvements among other things

This commit is contained in:
Schrottkatze 2023-03-18 17:54:57 +01:00
parent bd85fdb12f
commit 1d2c6bb0f0
8 changed files with 66 additions and 32 deletions


@ -40,7 +40,11 @@ with builtins;
}; };
services = { services = {
openssh.enable = true; openssh = {
passwordAuthentication = false;
kbdInteractiveAuthentication = false;
enable = true;
};
}; };
programs = { programs = {
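Review bot: Key-based login becomes the only way in once `passwordAuthentication = false;` lands, but the hunk does not show where authorized keys are provisioned; if `users.users.<name>.openssh.authorizedKeys` is set elsewhere this is fine, otherwise the next rebuild locks remote access out. The server file in this same commit also sets `openssh.permitRootLogin = "no";` — adding that line to this block keeps the hosts consistent, since disabling password auth alone still permits a root login with a key. On newer NixOS these two options live under `services.openssh.settings` as `PasswordAuthentication` / `KbdInteractiveAuthentication`, with the old names kept as deprecated aliases; worth confirming against the channel this host tracks. The enclosing attribute set (the `with builtins;` scope) starts before the hunk.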


@ -6,5 +6,6 @@
./neovim.nix ./neovim.nix
./zsh.nix ./zsh.nix
./flatpak.nix ./flatpak.nix
./firewall.nix
]; ];
} }


@ -4,17 +4,6 @@
config = { config = {
networking = { networking = {
networkmanager.wifi.backend = "iwd"; networkmanager.wifi.backend = "iwd";
firewall = {
allowedTCPPorts = [
8384
22000
];
allowedUDPPorts = [
8080
22000
21027
];
};
extraHosts = '' extraHosts = ''
127.0.0.1 www.youtube.com 127.0.0.1 www.youtube.com
127.0.0.1 www.reddit.com 127.0.0.1 www.reddit.com

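--- /dev/null
+++ b/modules/firewall.nix
@@ -0,0 +1,38 @@
+{ config, lib, pkgs, ... }:
+{
+config = {
+networking = {
+firewall = {
+enable = true;
+allowedTCPPorts = [
+# ssh
+22
+# http, https
+80 443
+# syncthing web ui
+8384
+# syncthing
+22000
+# mumble
+64738
+];
+allowedUDPPorts = [
+8080
+# other
+12333
+# syncthing discovery
+21027
+# mumble
+64738
+];
+};
+};
+};
+}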
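Review bot: The UDP entries `8080` and `12333` are the only ports without a comment naming their service, and `# other` does not tell the next reader why 12333/udp has to be reachable from the network; every line should say what listens there, as the syncthing and mumble lines do, with something like `# TODO: name the service behind 12333/udp` until it is known. This module is now shared: the host with the iwd wifi backend drops its own firewall block in this commit and the server imports `../modules/firewall.nix`, so every importer opens 80/443 plus the syncthing GUI port 8384 and mumble on all interfaces — syncthing's GUI binds to localhost by default so 8384 is harmless until someone changes that, but 80/443 on a laptop is exposure with nothing behind it. Gating the web ports behind a host option keeps one module for both roles; a sketch follows, with the option name constructed to fit the repo's `jade.*` namespace. `lib` and `pkgs` are unused in the module as written; `pkgs` can be dropped from the argument set.

```nix
{ config, lib, ... }:
let
  cfg = config.jade.firewall; # option name constructed — adapt to the repo's namespace
in
{
  options.jade.firewall.openWebPorts = lib.mkEnableOption "opening http/https in the firewall";

  config.networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 8384 22000 64738 ] ++ lib.optionals cfg.openWebPorts [ 80 443 ];
    # … unchanged: allowedUDPPorts …
  };
}
```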


@ -16,7 +16,8 @@
./microbin.nix ./microbin.nix
../modules/neovim.nix ../modules/neovim.nix
../modules/zsh.nix ../modules/zsh.nix
./synapse.nix ../modules/firewall.nix
#./synapse.nix
./penpot.nix ./penpot.nix
]; ];
@ -28,6 +29,14 @@
serviceConfig.EnvironmentFile = "/etc/wordsofgod-bot/wordsofgod.env"; serviceConfig.EnvironmentFile = "/etc/wordsofgod-bot/wordsofgod.env";
}; };
services = {
openssh.permitRootLogin = "no";
fail2ban = {
enable = true;
bantime-increment.enable = true;
};
};
jade = { jade = {
neovim.enable = true; neovim.enable = true;
zsh.enable = true; zsh.enable = true;
@ -43,8 +52,6 @@
networking.hostName = "schrottserver"; # Define your hostname. networking.hostName = "schrottserver"; # Define your hostname.
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
networking.firewall.enable = false;
# default settings for stateful data; don't change unless reinstall with newer version # default settings for stateful data; don't change unless reinstall with newer version
system.stateVersion = "22.11"; # Did you read the comment? system.stateVersion = "22.11"; # Did you read the comment?
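Review bot: The server gets `openssh.permitRootLogin = "no";` and fail2ban, but password authentication is not disabled in this file; unless the openssh block from the first file of this commit is imported by the server, SSH still accepts passwords and fail2ban is only rate-limiting a brute-force surface that `openssh.passwordAuthentication = false;` would remove outright. Commenting out `./synapse.nix` leaves a parked import while `synapse.schrottkatze.de` still appears in the ACME cert list later in this commit, so the certificate keeps being issued for a service that is presumably no longer deployed — delete the line if removal is intended, or leave a comment saying why it is parked. Removing `networking.firewall.enable = false;` is right once `../modules/firewall.nix` is imported, but that module also opens the desktop ports (syncthing 8384/22000, mumble 64738) on the server. The surrounding attribute set starts and ends outside these hunks.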


@ -9,8 +9,7 @@
services = { services = {
"penpot-backend".service = { "penpot-backend".service = {
image = "penpotapp/backend:latest"; image = "penpotapp/backend:latest";
volumes = [ "/penpot_assets:/var/lib/penpot/data/assets" ]; volumes = [ "/penpot_assets:/opt/data/assets" ];
restart = "always";
depends_on = [ "penpot-postgres" "penpot-redis" ]; depends_on = [ "penpot-postgres" "penpot-redis" ];
networks = [ "penpot" ]; networks = [ "penpot" ];
environment = { environment = {
@ -25,31 +24,29 @@
"PENPOT_REDIS_URI" = "redis://penpot-redis/0"; "PENPOT_REDIS_URI" = "redis://penpot-redis/0";
"PENPOT_ASSETS_STORAGE_BACKEND" = "assets-fs"; "PENPOT_ASSETS_STORAGE_BACKEND" = "assets-fs";
"PENPOT_STORAGE_ASSETS_FS_DIRECTORY" = "/var/lib/penpot/data/assets"; "PENPOT_STORAGE_ASSETS_FS_DIRECTORY" = "/opt/data/assets";
"PENPOT_TELEMETRY_ENABLED" = "false"; "PENPOT_TELEMETRY_ENABLED" = "false";
"PENPOT_SMTP_DEFAULT_FROM" = "noreply-pp@schrottkatze.de"; "PENPOT_SMTP_DEFAULT_FROM" = "Penpot <noreply-pp@schrottkatze.de>";
"PENPOT_SMTP_DEFAULT_REPLY_TO" = "noreply-pp@schrottkatze.de"; "PENPOT_SMTP_DEFAULT_REPLY_TO" = "Penpot <noreply-pp@schrottkatze.de>";
"PENPOT_SMTP_HOST" = "smtp.migadu.com"; "PENPOT_SMTP_HOST" = "smtp.migadu.com";
"PENPOT_SMTP_PORT" = "587"; "PENPOT_SMTP_PORT" = "587";
"PENPOT_SMTP_USERNAME" = "noreply-pp@schrottkatze.de"; "PENPOT_SMTP_USERNAME" = "noreply-pp@schrottkatze.de";
"PENPOT_SMTP_PASSWORD" = builtins.readFile ../secret-data/penpot-smtp-pass; "PENPOT_SMTP_PASSWORD" = "${builtins.readFile ../secret-data/penpot-smtp-pass}";
"PENPOT_SMTP_TLS" = "true"; "PENPOT_SMTP_TLS" = "true";
"PENPOT_SMTP_SSL" = "false"; "PENPOT_SMTP_SSL" = "false";
}; };
}; };
"penpot-frontend".service = { "penpot-frontend".service = {
image = "penpotapp/frontend:latest"; image = "penpotapp/frontend:latest";
restart = "always";
ports = [ "9001:80" ]; ports = [ "9001:80" ];
volumes = [ "/penpot_assets:/var/lib/penpot/data/assets" ]; volumes = [ "/penpot_assets:/opt/data/assets" ];
depends_on = [ "penpot-backend" "penpot-exporter" ]; depends_on = [ "penpot-backend" "penpot-exporter" ];
networks = [ "penpot" ]; networks = [ "penpot" ];
}; };
"penpot-exporter".service = { "penpot-exporter".service = {
image = "penpotapp/exporter:latest"; image = "penpotapp/exporter:latest";
restart = "always";
networks = [ "penpot" ]; networks = [ "penpot" ];
environment = { environment = {
"PENPOT_PUBLIC_URI" = "http://penpot-frontend"; "PENPOT_PUBLIC_URI" = "http://penpot-frontend";
@ -58,7 +55,6 @@
}; };
"penpot-postgres".service = { "penpot-postgres".service = {
image = "postgres:15"; image = "postgres:15";
restart = "always";
stop_signal = "SIGINT"; stop_signal = "SIGINT";
volumes = [ "/penpot_postgres_v15:/var/lib/postgresql/data" ]; volumes = [ "/penpot_postgres_v15:/var/lib/postgresql/data" ];
networks = [ "penpot" ]; networks = [ "penpot" ];
@ -71,7 +67,6 @@
}; };
"penpot-redis".service = { "penpot-redis".service = {
image = "redis:7"; image = "redis:7";
restart = "always";
networks = [ "penpot" ]; networks = [ "penpot" ];
}; };
}; };
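Review bot: `"${builtins.readFile ../secret-data/penpot-smtp-pass}"` still inlines the SMTP password into the evaluated configuration, and wrapping it in a string changes nothing about that: whatever this service definition is rendered to (a compose file or unit in the Nix store) is world-readable on the host, and if the repo is evaluated as a flake the secret file itself is copied into the store as well. The same commit already uses the safer pattern for the bot, `serviceConfig.EnvironmentFile = "/etc/wordsofgod-bot/wordsofgod.env";`; an `env_file` entry pointing at a root-only file outside the store would keep the password out of the store entirely. Minor: `builtins.readFile` keeps a trailing newline if the secret file has one, so the value handed to the SMTP client may be wrong — `lib.fileContents` strips it. Dropping `restart = "always";` from all five services means a crashed container stays down unless the wrapper restarts it; confirm that is intended.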


@ -6,27 +6,27 @@
certs = { certs = {
"schrottkatze.de" = { "schrottkatze.de" = {
group = "nginx"; group = "nginx";
keyType = "rsa2048"; keyType = "rsa4096";
}; };
"vw.schrottkatze.de" = { "vw.schrottkatze.de" = {
group = "nginx"; group = "nginx";
keyType = "rsa2048"; keyType = "rsa4096";
}; };
"wolke.schrottkatze.de" = { "wolke.schrottkatze.de" = {
group = "nginx"; group = "nginx";
keyType = "rsa2048"; keyType = "rsa4096";
}; };
"s10e.de" = { "s10e.de" = {
group = "nginx"; group = "nginx";
keyType = "rsa2048"; keyType = "rsa4096";
}; };
"synapse.schrottkatze.de" = { "synapse.schrottkatze.de" = {
group = "nginx"; group = "nginx";
keyType = "rsa2048"; keyType = "rsa4096";
}; };
"pp.schrottkatze.de" = { "pp.schrottkatze.de" = {
group = "nginx"; group = "nginx";
keyType = "rsa2048"; keyType = "rsa4096";
}; };
}; };
}; };
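Review bot: The same two attributes are repeated for all six certificates, which is why `rsa2048` had to be touched six times in this hunk; setting them once with `security.acme.defaults = { group = "nginx"; keyType = "rsa4096"; };` (assuming a NixOS new enough to have `security.acme.defaults`) and leaving each entry as `"name" = { };` turns the next such change into a one-line edit. Changing the key type forces re-issuance of all six certificates on the next renewal run, which is fine at this count but worth knowing before the rebuild. `ec256` is also a valid `keyType` here and gives a smaller, faster handshake at adequate strength; rsa4096 is the right call only if some client still needs RSA. The `certs` set is nested in an attribute set that begins outside the hunk.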

Binary file not shown.