security improvements among other things

common.nix

@@ -40,7 +40,11 @@ with builtins;
   };
 
   services = {
-    openssh.enable = true;
+    openssh = {
+      passwordAuthentication = false;
+      kbdInteractiveAuthentication = false;
+      enable = true;
+    };
   };
 
   programs = {

modules/default.nix

@@ -6,5 +6,6 @@
     ./neovim.nix
     ./zsh.nix
     ./flatpak.nix
+    ./firewall.nix
   ];
 }

modules/desktop/networking.nix

@@ -4,17 +4,6 @@
   config = {
     networking = {
       networkmanager.wifi.backend = "iwd";
-      firewall = {
-        allowedTCPPorts = [ 
-          8384 
-          22000 
-        ];
-        allowedUDPPorts = [ 
-          8080 
-          22000 
-          21027 
-        ];
-      };
       extraHosts = ''
         127.0.0.1 www.youtube.com
         127.0.0.1 www.reddit.com

modules/firewall.nix

@@ -0,0 +1,38 @@
+{ config, lib, pkgs, ... }:
+{
+  config = {
+    networking = {
+      firewall = {
+        enable = true;
+        allowedTCPPorts = [ 
+          # ssh
+          22
+
+          # http, https
+          80 443
+
+          # syncthing web ui
+          8384
+
+          # syncthing
+          22000 
+
+          # mumble
+          64738
+        ];
+        allowedUDPPorts = [ 
+          8080 
+
+          # other 
+          12333
+
+          # syncthing discovery
+          21027 
+
+          # mumble 
+          64738
+        ];
+      };
+    };
+  };
+}

schrottserver/configuration.nix

@@ -16,7 +16,8 @@
       ./microbin.nix
       ../modules/neovim.nix
       ../modules/zsh.nix
-      ./synapse.nix
+      ../modules/firewall.nix
+      #./synapse.nix
       ./penpot.nix
     ];
 
@@ -28,6 +29,14 @@
     serviceConfig.EnvironmentFile = "/etc/wordsofgod-bot/wordsofgod.env";
   };
 
+  services = {
+    openssh.permitRootLogin = "no";
+    fail2ban = {
+      enable = true;
+      bantime-increment.enable = true;
+    };
+  };
+
   jade = {
     neovim.enable = true;
     zsh.enable = true;
@@ -43,8 +52,6 @@
   networking.hostName = "schrottserver"; # Define your hostname.
   networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
 
-  networking.firewall.enable = false;
-
   # default settings for stateful data; don't change unless reinstall with newer version
   system.stateVersion = "22.11"; # Did you read the comment?
 

schrottserver/penpot.nix

@@ -9,8 +9,7 @@
       services = {
         "penpot-backend".service = {
           image = "penpotapp/backend:latest";
-          volumes = [ "/penpot_assets:/var/lib/penpot/data/assets" ];
+          volumes = [ "/penpot_assets:/opt/data/assets" ];
-          restart = "always";
           depends_on = [ "penpot-postgres" "penpot-redis" ];
           networks = [ "penpot" ];
           environment = {
@@ -25,31 +24,29 @@
             "PENPOT_REDIS_URI" = "redis://penpot-redis/0";
 
             "PENPOT_ASSETS_STORAGE_BACKEND" = "assets-fs";
-            "PENPOT_STORAGE_ASSETS_FS_DIRECTORY" = "/var/lib/penpot/data/assets";
+            "PENPOT_STORAGE_ASSETS_FS_DIRECTORY" = "/opt/data/assets";
 
             "PENPOT_TELEMETRY_ENABLED" = "false";
 
-            "PENPOT_SMTP_DEFAULT_FROM" = "noreply-pp@schrottkatze.de";
+            "PENPOT_SMTP_DEFAULT_FROM" = "Penpot <noreply-pp@schrottkatze.de>";
-            "PENPOT_SMTP_DEFAULT_REPLY_TO" = "noreply-pp@schrottkatze.de";
+            "PENPOT_SMTP_DEFAULT_REPLY_TO" = "Penpot <noreply-pp@schrottkatze.de>";
             "PENPOT_SMTP_HOST" = "smtp.migadu.com";
             "PENPOT_SMTP_PORT" = "587";
             "PENPOT_SMTP_USERNAME" = "noreply-pp@schrottkatze.de";
-            "PENPOT_SMTP_PASSWORD" = builtins.readFile ../secret-data/penpot-smtp-pass;
+            "PENPOT_SMTP_PASSWORD" = "${builtins.readFile ../secret-data/penpot-smtp-pass}";
             "PENPOT_SMTP_TLS" = "true";
             "PENPOT_SMTP_SSL" = "false";
           };
         };
         "penpot-frontend".service = {
           image = "penpotapp/frontend:latest";
-          restart = "always";
           ports = [  "9001:80" ];
-          volumes = [ "/penpot_assets:/var/lib/penpot/data/assets" ];
+          volumes = [ "/penpot_assets:/opt/data/assets" ];
           depends_on = [ "penpot-backend" "penpot-exporter" ];
           networks = [ "penpot" ];
         };
         "penpot-exporter".service = {
           image = "penpotapp/exporter:latest";
-          restart = "always";
           networks = [ "penpot" ];
           environment = {
             "PENPOT_PUBLIC_URI" = "http://penpot-frontend";
@@ -58,7 +55,6 @@
         };
         "penpot-postgres".service = {
           image = "postgres:15";
-          restart = "always";
           stop_signal = "SIGINT";
           volumes = [ "/penpot_postgres_v15:/var/lib/postgresql/data" ];
           networks = [ "penpot" ];
@@ -71,7 +67,6 @@
         };
         "penpot-redis".service = {
           image = "redis:7";
-          restart = "always";
           networks = [ "penpot" ];
         };
       };

schrottserver/proxy.nix

@@ -6,27 +6,27 @@
     certs = {
       "schrottkatze.de" = {
         group = "nginx";
-        keyType = "rsa2048";
+        keyType = "rsa4096";
       };
       "vw.schrottkatze.de" = {
         group = "nginx";
-        keyType = "rsa2048";
+        keyType = "rsa4096";
       };
       "wolke.schrottkatze.de" = {
         group = "nginx";
-        keyType = "rsa2048";
+        keyType = "rsa4096";
       };
       "s10e.de" = {
         group = "nginx";
-        keyType = "rsa2048";
+        keyType = "rsa4096";
       };
       "synapse.schrottkatze.de" = {
         group = "nginx";
-        keyType = "rsa2048";
+        keyType = "rsa4096";
       };
       "pp.schrottkatze.de" = {
         group = "nginx";
-        keyType = "rsa2048";
+        keyType = "rsa4096";
       };
     };
   };