author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-12-24 17:59:52 +0100 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-12-24 17:59:52 +0100 |
commit | 8245579c8af73c8f40f5978878c7944c814ba04f (patch) | |
tree | 006caa951e345f481be3b91b85bcfda1061956d9 /modules/by-name | |
parent | refactor(modules/impermanence): Migrate to by-name while distributing mods (diff) | |
[WIP]
Diffstat (limited to 'modules/by-name')
-rw-r--r-- | modules/by-name/fa/fail2ban/module.nix | 57 | ||||
-rw-r--r-- | modules/by-name/ru/rust-motd/module.nix | 82 | ||||
-rw-r--r-- | modules/by-name/us/users/module.nix | 82 |
3 files changed, 221 insertions, 0 deletions
diff --git a/modules/by-name/fa/fail2ban/module.nix b/modules/by-name/fa/fail2ban/module.nix
new file mode 100644
index 0000000..a95e267
--- /dev/null
+++ b/modules/by-name/fa/fail2ban/module.nix
@@ -0,0 +1,57 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.fail2ban;
+in {
+ options.vhack.fail2ban = {
+ enable = lib.mkEnableOption "fail2ban";
+ };
+
+ config = lib.mkIf cfg.enable {
+ vhack.persist.directories = [
+ {
+ directory = "/var/lib/fail2ban";
+ user = "fail2ban";
+ group = "fail2ban";
+ mode = "0700";
+ }
+ ];
+
+ services.fail2ban = {
+ enable = true;
+ maxretry = 7; # ban after 7 failures
+ daemonSettings = {
+ Definition = {
+ logtarget = "SYSLOG";
+ socket = "/run/fail2ban/fail2ban.sock";
+ pidfile = "/run/fail2ban/fail2ban.pid";
+ dbfile = "/var/lib/fail2ban/db.sqlite3";
+ };
+ };
+ bantime-increment = {
+ enable = true;
+ rndtime = "8m";
+ overalljails = true;
+ multipliers = "2 4 16 128 256";
+ maxtime = "72h";
+ };
+ jails = {
+ dovecot = ''
+ # block IPs which failed to log-in
+ # aggressive mode add blocking for aborted connections
+ enabled = true
+ filter = dovecot[mode=aggressive]
+ maxretry = 2
+ '';
+ postfix = ''
+ enabled = true
+ filter = postfix[mode=aggressive]
+ findtime = 600
+ maxretry = 3
+ '';
+ };
+ };
+ };
+}
diff --git a/modules/by-name/ru/rust-motd/module.nix b/modules/by-name/ru/rust-motd/module.nix
new file mode 100644
index 0000000..ee88762
--- /dev/null
+++ b/modules/by-name/ru/rust-motd/module.nix
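Review bot: With `bantime-increment.overalljails = true` and `maxtime = "72h"`, a few mistyped passwords from the operator's own address escalate into a multi-day ban across every jail, and the hunk configures no allowlist. Add the management source(s) next to `maxretry`, e.g. `ignoreIP = [ "<ADMIN_CIDR placeholder>" ];`, so an operator mistake cannot lock the host. The comment `# ban after 7 failures` would also be clearer as `# default for all jails; dovecot/postfix override this below`, since the two explicit jails deliberately use lower thresholds and a reader otherwise expects 7 to apply everywhere.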
@@ -0,0 +1,82 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.vhack.rust-motd;
+in {
+ options.vhack.rust-motd = {
+ enable = lib.mkEnableOption "rust-motd";
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.rust-motd = {
+ path = with pkgs; [
+ bash
+ fail2ban # Needed for rust-motd fail2ban integration
+ ];
+ };
+
+ programs.rust-motd = {
+ enable = true;
+ enableMotdInSSHD = true;
+ refreshInterval = "*:0/5"; # 0/5 means: hour 0 AND all hour wich match (0 + 5 * x) (is the same as: 0, 5, 10, 15, 20)
+
+ # An example is here: https://raw.githubusercontent.com/rust-motd/rust-motd/refs/heads/main/example_config.toml
+ settings = {
+ global = {
+ progress_full_character = "=";
+ progress_empty_character = "-";
+ progress_prefix = "[";
+ progress_suffix = "]";
+ time_format = "%Y-%m-%d %H:%M:%S";
+ };
+
+ banner = {
+ color = "red";
+ command = "${pkgs.hostname}/bin/hostname | ${pkgs.figlet}/bin/figlet -f slant";
+ # if you don't want a dependency on figlet, you can generate your
+ # banner however you want, put it in a file, and then use something like:
+ # command = "cat banner.txt"
+ };
+
+ uptime = {
+ prefix = "Uptime:";
+ };
+
+ # ssl_certificates = {
+ # sort_method = "manual";
+ #
+ # certs = {
+ # "server1.vhack.eu" = "/var/lib/acme/server1.vhack.eu/cert.pem";
+ # "vhack.eu" = "/var/lib/acme/vhack.eu/cert.pem";
+ # };
+ # };
+
+ filesystems = {
+ root = "/";
+ persistent = "/srv";
+ store = "/nix";
+ boot = "/boot";
+ };
+
+ memory = {
+ swap_pos = "beside"; # or "below" or "none"
+ };
+
+ fail2_ban = {
+ jails = ["sshd"]; #, "anotherjail"]
+ };
+
+ last_login = {
+ sils = 2;
+ soispha = 2;
+ nightingale = 2;
+ };
+
+ last_run = {};
+ };
+ };
+ };
+}
diff --git a/modules/by-name/us/users/module.nix b/modules/by-name/us/users/module.nix
new file mode 100644
index 0000000..bdffbdc
--- /dev/null
+++ b/modules/by-name/us/users/module.nix
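Review bot: `last_login` lists `nightingale`, but the users module added in the same commit only defines `soispha` and `sils`, so unless that account is created elsewhere rust-motd is querying a user that does not exist on this host; either drop the entry or add a comment stating where `nightingale` comes from. `fail2_ban.jails = ["sshd"]` likewise depends on an sshd jail that the fail2ban module in this commit never declares, presumably relying on the NixOS default jail — worth a one-line comment so the dependency is visible. The `refreshInterval` comment has a typo (`wich`) and would read more plainly as `# every 5 minutes (minute 0, 5, 10, ...)`.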
@@ -0,0 +1,82 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.vhack.users;
+
+ mkUser = {
+ name,
+ password,
+ uid,
+ sshKey,
+ }: {
+ inherit name;
+ value = {
+ inherit name uid;
+ isNormalUser = true;
+ home = "/home/${name}";
+ initialHashedPassword = password;
+ extraGroups = [
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = [
+ sshKey
+ ];
+ };
+ };
+
+ extraUsers = lib.listToAttrs (builtins.map mkUser [
+ {
+ name = "soispha";
+ password = "$y$jFT$3.8XmUyukZvpExMUxDZkI.$IVrJgm8ysNDF/0vDD2kF6w73ozXgr1LMVRNN4Bq7pv1";
+ sshKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIME4ZVa+IoZf6T3U08JG93i6QIAJ4amm7mkBzO14JSkz cardno:000F_18F83532";
+ uid = 1000;
+ }
+ {
+ name = "sils";
+ password = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC";
+ sshKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe4o1PM6VasT3KZNl5NYvgkkBrPOg36dqsywd10FztS openpgp:0x21D20D6A";
+ uid = 1001;
+ }
+ ]);
+in {
+ options.vhack.users = {
+ enable = lib.mkEnableOption "user setup";
+ };
+
+ config = lib.mkIf cfg.enable {
+ users = {
+ mutableUsers = false;
+ defaultUserShell = pkgs.bashInteractive;
+
+ users =
+ {
+ root = {
+ initialHashedPassword = null; # to lock root
+ openssh.authorizedKeys.keys = [];
+ };
+ }
+ // extraUsers;
+
+ # TODO(@bpeetz): Is this still relevant?
+ # If it is, it should be moved to a separate module. <2024-12-24>
+ # nixremote = {
+ # name = "nixremote";
+ # isNormalUser = true;
+ # createHome = true;
+ # home = "/home/nixremote";
+ # uid = 1003;
+ # group = "nixremote";
+ # openssh.authorizedKeys.keys = [
+ # "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCbSWqFzb+WTq2JVoRGoTkCkP7AM3bNY91bsUBeoQQc8gKAWuqCrpAOmr2Q2QMaTTGEOM0CsWfWLs3ZYtynHmc7wIFc4T/sUloV+dB9oSCmOk5ePxtj8+gpPK35Ja+ug5zmXsaI4s+n9mEbuuEjn33MxDYCUzAI+aWvWe68u/j+FM3u9c3Ta009rotajjSZ/cmIltgNLsG1rnAZRpwmLVg5UL4cb9um54o/NLYFd2KAekQFVbwUQDzzqriZhWmzkfhnznBMDblf9R1xvZ18Lqv3JF21shdaR43NW1wtuntBvAdsVYK2VUEbj+3MxTkK0aQ/E9SHMtH8MRE4oxU74TeTWfIhuSZk9/wekzSNMkHP3ReFC6B9xCMYa+ZqaTaGSWLQi78AQDeM2F9rAfp3hQzyRa7T7qKlgbae/hEb07xZglqmG7eml9vPSt4AHv5Y176Q95NiiWduGoLQOmjvSBMU9/KEGrGKyLfGH1Wa2EOfPxKKcvcHW0Xi9PlPiuP0nYk= root@thinklappi"
+ # ];
+ # };
+ # };
+ # groups.nixremote = {
+ # gid = 1004;
+ # };
+ };
+ };
+}
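Review bot: `mkUser` hard-codes `extraGroups = [ "wheel" ]`, so every account created through the helper is automatically an administrator; take the groups as an argument instead so a non-admin user can be added later without touching the helper. Adding `extraGroups ? [ "wheel" ],` to mkUser's argument set and replacing the literal list with `inherit extraGroups;` keeps both current callers unchanged. The yescrypt hashes are also committed inline in the module; if this repository is public they are available for offline cracking, so `hashedPasswordFile` pointing at a secret provisioned outside the Nix store would be the safer shape. The `# to lock root` comment should state what is actually relied on — with `mutableUsers = false` root gets no password and, together with the empty `authorizedKeys.keys`, no direct login path, so administration presumably goes through the wheel users only.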