author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-12-24 17:59:52 +0100 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-12-24 17:59:52 +0100 |
commit | 8245579c8af73c8f40f5978878c7944c814ba04f (patch) | |
tree | 006caa951e345f481be3b91b85bcfda1061956d9 /system | |
parent | refactor(modules/impermanence): Migrate to by-name while distributing mods (diff) | |
[WIP]
Diffstat (limited to '')
-rw-r--r-- | system/default.nix | 2 | ||||
-rw-r--r-- | system/services/default.nix | 2 | ||||
-rw-r--r-- | system/services/fail2ban/default.nix | 45 | ||||
-rw-r--r-- | system/services/rust-motd/default.nix | 91 | ||||
-rw-r--r-- | system/users/default.nix | 100 |
5 files changed, 0 insertions, 240 deletions
diff --git a/system/default.nix b/system/default.nix
index 4c80ed9..9fdd937 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -1,9 +1,7 @@
 {...}: {
 imports = [
- ./impermanence
 ./packages
 ./secrets
 ./services
- ./users
 ];
 }
diff --git a/system/services/default.nix b/system/services/default.nix
index b8b617e..db7ca4f 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -1,6 +1,5 @@
 {...}: {
 imports = [
- ./fail2ban
 ./invidious
 ./invidious-router
 ./mail
@@ -11,7 +10,6 @@
 ./murmur
 ./nix
 ./restic
- ./rust-motd
 ./taskserver
 ];
 }
diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix
deleted file mode 100644
index 1c47568..0000000
--- a/system/services/fail2ban/default.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{...}: {
- vhack.persist.directories = [
- {
- directory = "/var/lib/fail2ban";
- user = "fail2ban";
- group = "fail2ban";
- mode = "0700";
- }
- ];
-
- services.fail2ban = {
- enable = true;
- maxretry = 7; # ban after 7 failures
- daemonSettings = {
- Definition = {
- logtarget = "SYSLOG";
- socket = "/run/fail2ban/fail2ban.sock";
- pidfile = "/run/fail2ban/fail2ban.pid";
- dbfile = "/var/lib/fail2ban/db.sqlite3";
- };
- };
- bantime-increment = {
- enable = true;
- rndtime = "8m";
- overalljails = true;
- multipliers = "2 4 16 128 256";
- maxtime = "72h";
- };
- jails = {
- dovecot = ''
- # block IPs which failed to log-in
- # aggressive mode add blocking for aborted connections
- enabled = true
- filter = dovecot[mode=aggressive]
- maxretry = 2
- '';
- postfix = ''
- enabled = true
- filter = postfix[mode=aggressive]
- findtime = 600
- maxretry = 3
- '';
- };
- };
-}
diff --git a/system/services/rust-motd/default.nix b/system/services/rust-motd/default.nix
deleted file mode 100644
index 1a41b32..0000000
--- a/system/services/rust-motd/default.nix
+++ /dev/null
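Review bot: Dropping `./users` from the imports in the system/default.nix hunk leaves no visible replacement for the user definitions in this commit, so `users.mutableUsers = false`, the root lock (`initialHashedPassword = null`) and the per-user `openssh.authorizedKeys.keys` from the deleted system/users/default.nix no longer apply unless they have been moved to a module outside this diff. The same applies to `./fail2ban` in the system/services/default.nix hunk: with that module deleted, the dovecot and postfix jails and the ban-time escalation are gone as well. Since the commit is marked WIP, it would help to state in the message where these settings now live, or to keep the two imports until the replacement lands.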
@@ -1,91 +0,0 @@
-{
- config,
- pkgs,
- ...
-}: {
- systemd.services.rust-motd = {
- path = builtins.attrValues {
- inherit
- (pkgs)
- bash
- fail2ban # Needed for rust-motd fail2ban integration
- ;
- };
- };
- programs.rust-motd = {
- enable = true;
- enableMotdInSSHD = true;
- refreshInterval = "*:0/5"; # 0/5 means: hour 0 AND all hour wich match (0 + 5 * x) (is the same as: 0, 5, 10, 15, 20)
- settings = {
- global = {
- progress_full_character = "=";
- progress_empty_character = "-";
- progress_prefix = "[";
- progress_suffix = "]";
- time_format = "%Y-%m-%d %H:%M:%S";
- };
-
- banner = {
- color = "red";
- command = "${pkgs.hostname}/bin/hostname | ${pkgs.figlet}/bin/figlet -f slant";
- # if you don't want a dependency on figlet, you can generate your
- # banner however you want, put it in a file, and then use something like:
- # command = "cat banner.txt"
- };
-
- # [weather]
- # url = "https://wttr.in/New+York,New+York?0"
- # proxy = "http://proxy:8080"
-
- # [service_status]
- # Accounts = "accounts-daemon"
- # Cron = "cron"
-
- # [docker_status]
- # Local containers MUST start with a slash
- # https://github.com/moby/moby/issues/6705
- #"/nextcloud-nextcloud-1" = "Nextcloud"
- #"/nextcloud-nextcloud-mariadb-1" = "Nextcloud Database"
-
- uptime = {
- prefix = "Uptime:";
- };
-
- # [user_service_status]
- # gpg-agent = "gpg-agent"
-
- s_s_l_certs = {
- sort_method = "manual";
-
- certs = {
- "server1.vhack.eu" = "/var/lib/acme/server1.vhack.eu/cert.pem";
- "vhack.eu" = "/var/lib/acme/vhack.eu/cert.pem";
- };
- };
-
- filesystems = {
- root = "/";
- persistent = "/srv";
- store = "/nix";
- boot = "/boot";
- };
-
- memory = {
- swap_pos = "beside"; # or "below" or "none"
- };
-
- fail2_ban = {
- jails = ["sshd"]; #, "anotherjail"]
- };
-
- last_login = {
- sils = 2;
- soispha = 2;
- nightingale = 2;
- };
-
- last_run = {
- };
- };
- };
-}
diff --git a/system/users/default.nix b/system/users/default.nix
deleted file mode 100644
index 0da0515..0000000
--- a/system/users/default.nix
+++ /dev/null
@@ -1,100 +0,0 @@
-{pkgs, ...}: {
- vhack.persist.directories = [
- {
- directory = "/home";
- user = "root";
- group = "root";
- mode = "0755";
- }
- {
- directory = "/home/sils";
- user = "sils";
- group = "sils";
- mode = "0700";
- }
- {
- directory = "/home/soispha";
- user = "soispha";
- group = "soispha";
- mode = "0700";
- }
- {
- directory = "/home/nightingale";
- user = "nightingale";
- group = "nightingale";
- mode = "0700";
- }
- {
- directory = "/root/.ssh";
- user = "root";
- group = "root";
- mode = "0700";
- }
- ];
-
- users = {
- mutableUsers = false;
- defaultUserShell = pkgs.zsh;
- users = {
- root = {
- initialHashedPassword = null; # to lock root
- openssh.authorizedKeys.keys = [];
- };
-
- sils = {
- name = "sils";
- isNormalUser = true;
- home = "/home/sils";
- initialHashedPassword = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC";
- uid = 1000;
- extraGroups = [
- "wheel"
- ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe4o1PM6VasT3KZNl5NYvgkkBrPOg36dqsywd10FztS openpgp:0x21D20D6A"
- ];
- };
-
- soispha = {
- name = "soispha";
- isNormalUser = true;
- home = "/home/soispha";
- initialHashedPassword = "$y$jFT$3.8XmUyukZvpExMUxDZkI.$IVrJgm8ysNDF/0vDD2kF6w73ozXgr1LMVRNN4Bq7pv1";
- uid = 1001;
- extraGroups = [
- "wheel"
- ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIME4ZVa+IoZf6T3U08JG93i6QIAJ4amm7mkBzO14JSkz cardno:000F_18F83532"
- ];
- };
-
- nightingale = {
- name = "nightingale";
- isNormalUser = true;
- home = "/home/nightingale";
- initialHashedPassword = null; # TODO CHANGE
- uid = 1002;
- extraGroups = [
- "wheel"
- ];
- openssh.authorizedKeys.keys = [
- ];
- };
- nixremote = {
- name = "nixremote";
- isNormalUser = true;
- createHome = true;
- home = "/home/nixremote";
- uid = 1003;
- group = "nixremote";
- openssh.authorizedKeys.keys = [
- "ssh-rsa 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 root@thinklappi"
- ];
- };
- };
- groups.nixremote = {
- gid = 1004;
- };
- };
-}
|