security improvements among other things
This commit is contained in:
parent
bd85fdb12f
commit
1d2c6bb0f0
8 changed files with 66 additions and 32 deletions
|
@ -40,7 +40,11 @@ with builtins;
|
||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
openssh.enable = true;
|
openssh = {
|
||||||
|
passwordAuthentication = false;
|
||||||
|
kbdInteractiveAuthentication = false;
|
||||||
|
enable = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
programs = {
|
programs = {
|
||||||
|
|
|
@ -6,5 +6,6 @@
|
||||||
./neovim.nix
|
./neovim.nix
|
||||||
./zsh.nix
|
./zsh.nix
|
||||||
./flatpak.nix
|
./flatpak.nix
|
||||||
|
./firewall.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,17 +4,6 @@
|
||||||
config = {
|
config = {
|
||||||
networking = {
|
networking = {
|
||||||
networkmanager.wifi.backend = "iwd";
|
networkmanager.wifi.backend = "iwd";
|
||||||
firewall = {
|
|
||||||
allowedTCPPorts = [
|
|
||||||
8384
|
|
||||||
22000
|
|
||||||
];
|
|
||||||
allowedUDPPorts = [
|
|
||||||
8080
|
|
||||||
22000
|
|
||||||
21027
|
|
||||||
];
|
|
||||||
};
|
|
||||||
extraHosts = ''
|
extraHosts = ''
|
||||||
127.0.0.1 www.youtube.com
|
127.0.0.1 www.youtube.com
|
||||||
127.0.0.1 www.reddit.com
|
127.0.0.1 www.reddit.com
|
||||||
|
|
38
modules/firewall.nix
Normal file
38
modules/firewall.nix
Normal file
|
@ -0,0 +1,38 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
{
|
||||||
|
config = {
|
||||||
|
networking = {
|
||||||
|
firewall = {
|
||||||
|
enable = true;
|
||||||
|
allowedTCPPorts = [
|
||||||
|
# ssh
|
||||||
|
22
|
||||||
|
|
||||||
|
# http, https
|
||||||
|
80 443
|
||||||
|
|
||||||
|
# syncthing web ui
|
||||||
|
8384
|
||||||
|
|
||||||
|
# syncthing
|
||||||
|
22000
|
||||||
|
|
||||||
|
# mumble
|
||||||
|
64738
|
||||||
|
];
|
||||||
|
allowedUDPPorts = [
|
||||||
|
8080
|
||||||
|
|
||||||
|
# other
|
||||||
|
12333
|
||||||
|
|
||||||
|
# syncthing discovery
|
||||||
|
21027
|
||||||
|
|
||||||
|
# mumble
|
||||||
|
64738
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -16,7 +16,8 @@
|
||||||
./microbin.nix
|
./microbin.nix
|
||||||
../modules/neovim.nix
|
../modules/neovim.nix
|
||||||
../modules/zsh.nix
|
../modules/zsh.nix
|
||||||
./synapse.nix
|
../modules/firewall.nix
|
||||||
|
#./synapse.nix
|
||||||
./penpot.nix
|
./penpot.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -28,6 +29,14 @@
|
||||||
serviceConfig.EnvironmentFile = "/etc/wordsofgod-bot/wordsofgod.env";
|
serviceConfig.EnvironmentFile = "/etc/wordsofgod-bot/wordsofgod.env";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services = {
|
||||||
|
openssh.permitRootLogin = "no";
|
||||||
|
fail2ban = {
|
||||||
|
enable = true;
|
||||||
|
bantime-increment.enable = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
jade = {
|
jade = {
|
||||||
neovim.enable = true;
|
neovim.enable = true;
|
||||||
zsh.enable = true;
|
zsh.enable = true;
|
||||||
|
@ -43,8 +52,6 @@
|
||||||
networking.hostName = "schrottserver"; # Define your hostname.
|
networking.hostName = "schrottserver"; # Define your hostname.
|
||||||
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
|
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
|
||||||
|
|
||||||
networking.firewall.enable = false;
|
|
||||||
|
|
||||||
# default settings for stateful data; don't change unless reinstall with newer version
|
# default settings for stateful data; don't change unless reinstall with newer version
|
||||||
system.stateVersion = "22.11"; # Did you read the comment?
|
system.stateVersion = "22.11"; # Did you read the comment?
|
||||||
|
|
||||||
|
|
|
@ -9,8 +9,7 @@
|
||||||
services = {
|
services = {
|
||||||
"penpot-backend".service = {
|
"penpot-backend".service = {
|
||||||
image = "penpotapp/backend:latest";
|
image = "penpotapp/backend:latest";
|
||||||
volumes = [ "/penpot_assets:/var/lib/penpot/data/assets" ];
|
volumes = [ "/penpot_assets:/opt/data/assets" ];
|
||||||
restart = "always";
|
|
||||||
depends_on = [ "penpot-postgres" "penpot-redis" ];
|
depends_on = [ "penpot-postgres" "penpot-redis" ];
|
||||||
networks = [ "penpot" ];
|
networks = [ "penpot" ];
|
||||||
environment = {
|
environment = {
|
||||||
|
@ -25,31 +24,29 @@
|
||||||
"PENPOT_REDIS_URI" = "redis://penpot-redis/0";
|
"PENPOT_REDIS_URI" = "redis://penpot-redis/0";
|
||||||
|
|
||||||
"PENPOT_ASSETS_STORAGE_BACKEND" = "assets-fs";
|
"PENPOT_ASSETS_STORAGE_BACKEND" = "assets-fs";
|
||||||
"PENPOT_STORAGE_ASSETS_FS_DIRECTORY" = "/var/lib/penpot/data/assets";
|
"PENPOT_STORAGE_ASSETS_FS_DIRECTORY" = "/opt/data/assets";
|
||||||
|
|
||||||
"PENPOT_TELEMETRY_ENABLED" = "false";
|
"PENPOT_TELEMETRY_ENABLED" = "false";
|
||||||
|
|
||||||
"PENPOT_SMTP_DEFAULT_FROM" = "noreply-pp@schrottkatze.de";
|
"PENPOT_SMTP_DEFAULT_FROM" = "Penpot <noreply-pp@schrottkatze.de>";
|
||||||
"PENPOT_SMTP_DEFAULT_REPLY_TO" = "noreply-pp@schrottkatze.de";
|
"PENPOT_SMTP_DEFAULT_REPLY_TO" = "Penpot <noreply-pp@schrottkatze.de>";
|
||||||
"PENPOT_SMTP_HOST" = "smtp.migadu.com";
|
"PENPOT_SMTP_HOST" = "smtp.migadu.com";
|
||||||
"PENPOT_SMTP_PORT" = "587";
|
"PENPOT_SMTP_PORT" = "587";
|
||||||
"PENPOT_SMTP_USERNAME" = "noreply-pp@schrottkatze.de";
|
"PENPOT_SMTP_USERNAME" = "noreply-pp@schrottkatze.de";
|
||||||
"PENPOT_SMTP_PASSWORD" = builtins.readFile ../secret-data/penpot-smtp-pass;
|
"PENPOT_SMTP_PASSWORD" = "${builtins.readFile ../secret-data/penpot-smtp-pass}";
|
||||||
"PENPOT_SMTP_TLS" = "true";
|
"PENPOT_SMTP_TLS" = "true";
|
||||||
"PENPOT_SMTP_SSL" = "false";
|
"PENPOT_SMTP_SSL" = "false";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
"penpot-frontend".service = {
|
"penpot-frontend".service = {
|
||||||
image = "penpotapp/frontend:latest";
|
image = "penpotapp/frontend:latest";
|
||||||
restart = "always";
|
|
||||||
ports = [ "9001:80" ];
|
ports = [ "9001:80" ];
|
||||||
volumes = [ "/penpot_assets:/var/lib/penpot/data/assets" ];
|
volumes = [ "/penpot_assets:/opt/data/assets" ];
|
||||||
depends_on = [ "penpot-backend" "penpot-exporter" ];
|
depends_on = [ "penpot-backend" "penpot-exporter" ];
|
||||||
networks = [ "penpot" ];
|
networks = [ "penpot" ];
|
||||||
};
|
};
|
||||||
"penpot-exporter".service = {
|
"penpot-exporter".service = {
|
||||||
image = "penpotapp/exporter:latest";
|
image = "penpotapp/exporter:latest";
|
||||||
restart = "always";
|
|
||||||
networks = [ "penpot" ];
|
networks = [ "penpot" ];
|
||||||
environment = {
|
environment = {
|
||||||
"PENPOT_PUBLIC_URI" = "http://penpot-frontend";
|
"PENPOT_PUBLIC_URI" = "http://penpot-frontend";
|
||||||
|
@ -58,7 +55,6 @@
|
||||||
};
|
};
|
||||||
"penpot-postgres".service = {
|
"penpot-postgres".service = {
|
||||||
image = "postgres:15";
|
image = "postgres:15";
|
||||||
restart = "always";
|
|
||||||
stop_signal = "SIGINT";
|
stop_signal = "SIGINT";
|
||||||
volumes = [ "/penpot_postgres_v15:/var/lib/postgresql/data" ];
|
volumes = [ "/penpot_postgres_v15:/var/lib/postgresql/data" ];
|
||||||
networks = [ "penpot" ];
|
networks = [ "penpot" ];
|
||||||
|
@ -71,7 +67,6 @@
|
||||||
};
|
};
|
||||||
"penpot-redis".service = {
|
"penpot-redis".service = {
|
||||||
image = "redis:7";
|
image = "redis:7";
|
||||||
restart = "always";
|
|
||||||
networks = [ "penpot" ];
|
networks = [ "penpot" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -6,27 +6,27 @@
|
||||||
certs = {
|
certs = {
|
||||||
"schrottkatze.de" = {
|
"schrottkatze.de" = {
|
||||||
group = "nginx";
|
group = "nginx";
|
||||||
keyType = "rsa2048";
|
keyType = "rsa4096";
|
||||||
};
|
};
|
||||||
"vw.schrottkatze.de" = {
|
"vw.schrottkatze.de" = {
|
||||||
group = "nginx";
|
group = "nginx";
|
||||||
keyType = "rsa2048";
|
keyType = "rsa4096";
|
||||||
};
|
};
|
||||||
"wolke.schrottkatze.de" = {
|
"wolke.schrottkatze.de" = {
|
||||||
group = "nginx";
|
group = "nginx";
|
||||||
keyType = "rsa2048";
|
keyType = "rsa4096";
|
||||||
};
|
};
|
||||||
"s10e.de" = {
|
"s10e.de" = {
|
||||||
group = "nginx";
|
group = "nginx";
|
||||||
keyType = "rsa2048";
|
keyType = "rsa4096";
|
||||||
};
|
};
|
||||||
"synapse.schrottkatze.de" = {
|
"synapse.schrottkatze.de" = {
|
||||||
group = "nginx";
|
group = "nginx";
|
||||||
keyType = "rsa2048";
|
keyType = "rsa4096";
|
||||||
};
|
};
|
||||||
"pp.schrottkatze.de" = {
|
"pp.schrottkatze.de" = {
|
||||||
group = "nginx";
|
group = "nginx";
|
||||||
keyType = "rsa2048";
|
keyType = "rsa4096";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
Binary file not shown.
Loading…
Reference in a new issue