security improvements among other things

This commit is contained in:
Schrottkatze 2023-03-18 17:54:57 +01:00
parent bd85fdb12f
commit 1d2c6bb0f0
8 changed files with 66 additions and 32 deletions


@ -40,7 +40,11 @@ with builtins;
};
services = {
openssh.enable = true;
openssh = {
passwordAuthentication = false;
kbdInteractiveAuthentication = false;
enable = true;
};
};
programs = {
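Review bot: The new `openssh` block disables password and keyboard-interactive authentication but leaves `permitRootLogin` at the NixOS default (I believe `prohibit-password`), while the server configuration in this same commit sets `openssh.permitRootLogin = "no"` on its own; if this block is the shared base, adding `permitRootLogin = "no";` next to `kbdInteractiveAuthentication = false;` gives every host the same baseline instead of relying on one host remembering it. Note that NixOS 23.05 moves these under `services.openssh.settings` (`settings.PasswordAuthentication`, `settings.KbdInteractiveAuthentication`, `settings.PermitRootLogin`), so this block will need touching on the next channel bump. The enclosing attribute set starts outside the hunk.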


@ -6,5 +6,6 @@
./neovim.nix
./zsh.nix
./flatpak.nix
./firewall.nix
];
}


@ -4,17 +4,6 @@
config = {
networking = {
networkmanager.wifi.backend = "iwd";
firewall = {
allowedTCPPorts = [
8384
22000
];
allowedUDPPorts = [
8080
22000
21027
];
};
extraHosts = ''
127.0.0.1 www.youtube.com
127.0.0.1 www.reddit.com

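--- /dev/null
+++ b/modules/firewall.nix
@@ -0,0 +1,38 @@
+{ config, lib, pkgs, ... }:
+{
+config = {
+networking = {
+firewall = {
+enable = true;
+allowedTCPPorts = [
+# ssh
+22
+# http, https
+80 443
+# syncthing web ui
+8384
+# syncthing
+22000
+# mumble
+64738
+];
+allowedUDPPorts = [
+8080
+# other
+12333
+# syncthing discovery
+21027
+# mumble
+64738
+];
+};
+};
+};
+}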
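Review bot: UDP 8080 and UDP 12333 are opened without saying what listens on them (12333 is only labelled `# other`, 8080 has no comment at all), and because this module hard-codes `enable = true` plus a fixed port list, every host that imports it — including the laptop whose narrower per-host list is removed elsewhere in this commit — now exposes 80/443, mumble and those two UDP ports rather than just the syncthing set. Each port should name its service, e.g. `# <service> — TODO confirm` above 8080 and 12333, or be dropped if nothing listens there. TCP 8384 is the syncthing web UI, which binds to 127.0.0.1 by default, so opening it on the firewall is either a no-op or exposes the admin UI to the local network; worth checking the configured GUI address. If the port set is meant to differ per host, the option pattern already used in this repo (`jade.<module>.enable`) could gate the server-only ports behind a module option.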


@ -16,7 +16,8 @@
./microbin.nix
../modules/neovim.nix
../modules/zsh.nix
./synapse.nix
../modules/firewall.nix
#./synapse.nix
./penpot.nix
];
@ -28,6 +29,14 @@
serviceConfig.EnvironmentFile = "/etc/wordsofgod-bot/wordsofgod.env";
};
services = {
openssh.permitRootLogin = "no";
fail2ban = {
enable = true;
bantime-increment.enable = true;
};
};
jade = {
neovim.enable = true;
zsh.enable = true;
@ -43,8 +52,6 @@
networking.hostName = "schrottserver"; # Define your hostname.
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
networking.firewall.enable = false;
# default settings for stateful data; don't change unless reinstall with newer version
system.stateVersion = "22.11"; # Did you read the comment?
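Review bot: `fail2ban` is enabled with `bantime-increment.enable = true` but no `ignoreIP` list, so a handful of mistyped logins from the admin's own address on a remote host can escalate into a long lockout; adding `ignoreIP = [ "ADMIN_CIDR_PLACEHOLDER" ];` inside the `fail2ban` block is the usual safeguard. `openssh.permitRootLogin = "no"` is set here but not in the shared openssh hardening hunk of this commit, so other hosts keep the NixOS default. Commenting out `./synapse.nix` while the ACME hunk in this commit still requests a certificate for synapse.schrottkatze.de leaves a certificate renewed for a service that is no longer deployed — presumably intentional, but a short reason on the `#./synapse.nix` line would save the next reader the question. Both hunks sit inside attribute sets whose start lies outside the hunk.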


@ -9,8 +9,7 @@
services = {
"penpot-backend".service = {
image = "penpotapp/backend:latest";
volumes = [ "/penpot_assets:/var/lib/penpot/data/assets" ];
restart = "always";
volumes = [ "/penpot_assets:/opt/data/assets" ];
depends_on = [ "penpot-postgres" "penpot-redis" ];
networks = [ "penpot" ];
environment = {
@ -25,31 +24,29 @@
"PENPOT_REDIS_URI" = "redis://penpot-redis/0";
"PENPOT_ASSETS_STORAGE_BACKEND" = "assets-fs";
"PENPOT_STORAGE_ASSETS_FS_DIRECTORY" = "/var/lib/penpot/data/assets";
"PENPOT_STORAGE_ASSETS_FS_DIRECTORY" = "/opt/data/assets";
"PENPOT_TELEMETRY_ENABLED" = "false";
"PENPOT_SMTP_DEFAULT_FROM" = "noreply-pp@schrottkatze.de";
"PENPOT_SMTP_DEFAULT_REPLY_TO" = "noreply-pp@schrottkatze.de";
"PENPOT_SMTP_DEFAULT_FROM" = "Penpot <noreply-pp@schrottkatze.de>";
"PENPOT_SMTP_DEFAULT_REPLY_TO" = "Penpot <noreply-pp@schrottkatze.de>";
"PENPOT_SMTP_HOST" = "smtp.migadu.com";
"PENPOT_SMTP_PORT" = "587";
"PENPOT_SMTP_USERNAME" = "noreply-pp@schrottkatze.de";
"PENPOT_SMTP_PASSWORD" = builtins.readFile ../secret-data/penpot-smtp-pass;
"PENPOT_SMTP_PASSWORD" = "${builtins.readFile ../secret-data/penpot-smtp-pass}";
"PENPOT_SMTP_TLS" = "true";
"PENPOT_SMTP_SSL" = "false";
};
};
"penpot-frontend".service = {
image = "penpotapp/frontend:latest";
restart = "always";
ports = [ "9001:80" ];
volumes = [ "/penpot_assets:/var/lib/penpot/data/assets" ];
volumes = [ "/penpot_assets:/opt/data/assets" ];
depends_on = [ "penpot-backend" "penpot-exporter" ];
networks = [ "penpot" ];
};
"penpot-exporter".service = {
image = "penpotapp/exporter:latest";
restart = "always";
networks = [ "penpot" ];
environment = {
"PENPOT_PUBLIC_URI" = "http://penpot-frontend";
@ -58,7 +55,6 @@
};
"penpot-postgres".service = {
image = "postgres:15";
restart = "always";
stop_signal = "SIGINT";
volumes = [ "/penpot_postgres_v15:/var/lib/postgresql/data" ];
networks = [ "penpot" ];
@ -71,7 +67,6 @@
};
"penpot-redis".service = {
image = "redis:7";
restart = "always";
networks = [ "penpot" ];
};
};
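Review bot: `"PENPOT_SMTP_PASSWORD" = "${builtins.readFile ../secret-data/penpot-smtp-pass}"` still reads the SMTP password at evaluation time, so the plaintext ends up in the generated compose definition in the world-readable Nix store and in the container environment; wrapping the `readFile` in a string changes nothing about that. The wordsofgod bot in this same configuration already keeps its secret in an `EnvironmentFile` on the host, and the compose `env_file` key gives the same separation here if the container tooling passes it through: drop the `PENPOT_SMTP_PASSWORD` entry from `environment` and add `env_file = [ "/etc/penpot/penpot.env" ];` to the backend service (path is a placeholder). If the interpolation stays, `lib.fileContents` strips the trailing newline that `builtins.readFile` would otherwise feed into the password when the secret file ends with one. The `penpot-backend` service definition starts outside the hunk.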


@ -6,27 +6,27 @@
certs = {
"schrottkatze.de" = {
group = "nginx";
keyType = "rsa2048";
keyType = "rsa4096";
};
"vw.schrottkatze.de" = {
group = "nginx";
keyType = "rsa2048";
keyType = "rsa4096";
};
"wolke.schrottkatze.de" = {
group = "nginx";
keyType = "rsa2048";
keyType = "rsa4096";
};
"s10e.de" = {
group = "nginx";
keyType = "rsa2048";
keyType = "rsa4096";
};
"synapse.schrottkatze.de" = {
group = "nginx";
keyType = "rsa2048";
keyType = "rsa4096";
};
"pp.schrottkatze.de" = {
group = "nginx";
keyType = "rsa2048";
keyType = "rsa4096";
};
};
};
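Review bot: The pair `group = "nginx"; keyType = "rsa4096";` is now repeated verbatim in all six certificate blocks, so the next key-type change will again touch six places; `security.acme.defaults` exists for exactly this, and each per-cert block can shrink to an empty set. rsa4096 is a sound choice, though `ec256`/`ec384` are also accepted values for `keyType` and give smaller certificates with cheaper handshakes, should that ever matter here. The enclosing `security.acme` set starts outside the hunk, so the `defaults` attribute below assumes `certs` is a direct child of it.
```nix
defaults = {
  group = "nginx";
  keyType = "rsa4096";
};
certs = {
  "schrottkatze.de" = { };
  "vw.schrottkatze.de" = { };
  # … unchanged: the remaining four certificate names, each reduced to an empty set …
};
```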
