security improvements among other things
This commit is contained in:
parent
bd85fdb12f
commit
1d2c6bb0f0
8 changed files with 66 additions and 32 deletions
|
@ -40,7 +40,11 @@ with builtins;
|
|||
};
|
||||
|
||||
services = {
|
||||
openssh.enable = true;
|
||||
openssh = {
|
||||
passwordAuthentication = false;
|
||||
kbdInteractiveAuthentication = false;
|
||||
enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
programs = {
|
||||
|
|
|
@ -6,5 +6,6 @@
|
|||
./neovim.nix
|
||||
./zsh.nix
|
||||
./flatpak.nix
|
||||
./firewall.nix
|
||||
];
|
||||
}
|
||||
|
|
|
@ -4,17 +4,6 @@
|
|||
config = {
|
||||
networking = {
|
||||
networkmanager.wifi.backend = "iwd";
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
8384
|
||||
22000
|
||||
];
|
||||
allowedUDPPorts = [
|
||||
8080
|
||||
22000
|
||||
21027
|
||||
];
|
||||
};
|
||||
extraHosts = ''
|
||||
127.0.0.1 www.youtube.com
|
||||
127.0.0.1 www.reddit.com
|
||||
|
|
38
modules/firewall.nix
Normal file
38
modules/firewall.nix
Normal file
|
@ -0,0 +1,38 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
config = {
|
||||
networking = {
|
||||
firewall = {
|
||||
enable = true;
|
||||
allowedTCPPorts = [
|
||||
# ssh
|
||||
22
|
||||
|
||||
# http, https
|
||||
80 443
|
||||
|
||||
# syncthing web ui
|
||||
8384
|
||||
|
||||
# syncthing
|
||||
22000
|
||||
|
||||
# mumble
|
||||
64738
|
||||
];
|
||||
allowedUDPPorts = [
|
||||
8080
|
||||
|
||||
# other
|
||||
12333
|
||||
|
||||
# syncthing discovery
|
||||
21027
|
||||
|
||||
# mumble
|
||||
64738
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -16,7 +16,8 @@
|
|||
./microbin.nix
|
||||
../modules/neovim.nix
|
||||
../modules/zsh.nix
|
||||
./synapse.nix
|
||||
../modules/firewall.nix
|
||||
#./synapse.nix
|
||||
./penpot.nix
|
||||
];
|
||||
|
||||
|
@ -28,6 +29,14 @@
|
|||
serviceConfig.EnvironmentFile = "/etc/wordsofgod-bot/wordsofgod.env";
|
||||
};
|
||||
|
||||
services = {
|
||||
openssh.permitRootLogin = "no";
|
||||
fail2ban = {
|
||||
enable = true;
|
||||
bantime-increment.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
jade = {
|
||||
neovim.enable = true;
|
||||
zsh.enable = true;
|
||||
|
@ -43,8 +52,6 @@
|
|||
networking.hostName = "schrottserver"; # Define your hostname.
|
||||
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
|
||||
|
||||
networking.firewall.enable = false;
|
||||
|
||||
# default settings for stateful data; don't change unless reinstall with newer version
|
||||
system.stateVersion = "22.11"; # Did you read the comment?
|
||||
|
||||
|
|
|
@ -9,8 +9,7 @@
|
|||
services = {
|
||||
"penpot-backend".service = {
|
||||
image = "penpotapp/backend:latest";
|
||||
volumes = [ "/penpot_assets:/var/lib/penpot/data/assets" ];
|
||||
restart = "always";
|
||||
volumes = [ "/penpot_assets:/opt/data/assets" ];
|
||||
depends_on = [ "penpot-postgres" "penpot-redis" ];
|
||||
networks = [ "penpot" ];
|
||||
environment = {
|
||||
|
@ -25,31 +24,29 @@
|
|||
"PENPOT_REDIS_URI" = "redis://penpot-redis/0";
|
||||
|
||||
"PENPOT_ASSETS_STORAGE_BACKEND" = "assets-fs";
|
||||
"PENPOT_STORAGE_ASSETS_FS_DIRECTORY" = "/var/lib/penpot/data/assets";
|
||||
"PENPOT_STORAGE_ASSETS_FS_DIRECTORY" = "/opt/data/assets";
|
||||
|
||||
"PENPOT_TELEMETRY_ENABLED" = "false";
|
||||
|
||||
"PENPOT_SMTP_DEFAULT_FROM" = "noreply-pp@schrottkatze.de";
|
||||
"PENPOT_SMTP_DEFAULT_REPLY_TO" = "noreply-pp@schrottkatze.de";
|
||||
"PENPOT_SMTP_DEFAULT_FROM" = "Penpot <noreply-pp@schrottkatze.de>";
|
||||
"PENPOT_SMTP_DEFAULT_REPLY_TO" = "Penpot <noreply-pp@schrottkatze.de>";
|
||||
"PENPOT_SMTP_HOST" = "smtp.migadu.com";
|
||||
"PENPOT_SMTP_PORT" = "587";
|
||||
"PENPOT_SMTP_USERNAME" = "noreply-pp@schrottkatze.de";
|
||||
"PENPOT_SMTP_PASSWORD" = builtins.readFile ../secret-data/penpot-smtp-pass;
|
||||
"PENPOT_SMTP_PASSWORD" = "${builtins.readFile ../secret-data/penpot-smtp-pass}";
|
||||
"PENPOT_SMTP_TLS" = "true";
|
||||
"PENPOT_SMTP_SSL" = "false";
|
||||
};
|
||||
};
|
||||
"penpot-frontend".service = {
|
||||
image = "penpotapp/frontend:latest";
|
||||
restart = "always";
|
||||
ports = [ "9001:80" ];
|
||||
volumes = [ "/penpot_assets:/var/lib/penpot/data/assets" ];
|
||||
volumes = [ "/penpot_assets:/opt/data/assets" ];
|
||||
depends_on = [ "penpot-backend" "penpot-exporter" ];
|
||||
networks = [ "penpot" ];
|
||||
};
|
||||
"penpot-exporter".service = {
|
||||
image = "penpotapp/exporter:latest";
|
||||
restart = "always";
|
||||
networks = [ "penpot" ];
|
||||
environment = {
|
||||
"PENPOT_PUBLIC_URI" = "http://penpot-frontend";
|
||||
|
@ -58,7 +55,6 @@
|
|||
};
|
||||
"penpot-postgres".service = {
|
||||
image = "postgres:15";
|
||||
restart = "always";
|
||||
stop_signal = "SIGINT";
|
||||
volumes = [ "/penpot_postgres_v15:/var/lib/postgresql/data" ];
|
||||
networks = [ "penpot" ];
|
||||
|
@ -71,7 +67,6 @@
|
|||
};
|
||||
"penpot-redis".service = {
|
||||
image = "redis:7";
|
||||
restart = "always";
|
||||
networks = [ "penpot" ];
|
||||
};
|
||||
};
|
||||
|
|
|
@ -6,27 +6,27 @@
|
|||
certs = {
|
||||
"schrottkatze.de" = {
|
||||
group = "nginx";
|
||||
keyType = "rsa2048";
|
||||
keyType = "rsa4096";
|
||||
};
|
||||
"vw.schrottkatze.de" = {
|
||||
group = "nginx";
|
||||
keyType = "rsa2048";
|
||||
keyType = "rsa4096";
|
||||
};
|
||||
"wolke.schrottkatze.de" = {
|
||||
group = "nginx";
|
||||
keyType = "rsa2048";
|
||||
keyType = "rsa4096";
|
||||
};
|
||||
"s10e.de" = {
|
||||
group = "nginx";
|
||||
keyType = "rsa2048";
|
||||
keyType = "rsa4096";
|
||||
};
|
||||
"synapse.schrottkatze.de" = {
|
||||
group = "nginx";
|
||||
keyType = "rsa2048";
|
||||
keyType = "rsa4096";
|
||||
};
|
||||
"pp.schrottkatze.de" = {
|
||||
group = "nginx";
|
||||
keyType = "rsa2048";
|
||||
keyType = "rsa4096";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
Binary file not shown.
Loading…
Reference in a new issue