summary refs log tree commit diff stats
path: root/modules
diff options
context:
space:
mode:
Diffstat (limited to 'modules')
-rw-r--r--modules/by-name/fa/fail2ban/module.nix57
-rw-r--r--modules/by-name/ru/rust-motd/module.nix82
-rw-r--r--modules/by-name/us/users/module.nix82
3 files changed, 221 insertions, 0 deletions
diff --git a/modules/by-name/fa/fail2ban/module.nix b/modules/by-name/fa/fail2ban/module.nix
new file mode 100644
index 0000000..a95e267
--- /dev/null
+++ b/modules/by-name/fa/fail2ban/module.nix
@@ -0,0 +1,57 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.vhack.fail2ban;
+in {
+  options.vhack.fail2ban = {
+    enable = lib.mkEnableOption "fail2ban";
+  };
+
+  config = lib.mkIf cfg.enable {
+    vhack.persist.directories = [
+      {
+        directory = "/var/lib/fail2ban";
+        user = "fail2ban";
+        group = "fail2ban";
+        mode = "0700";
+      }
+    ];
+
+    services.fail2ban = {
+      enable = true;
+      maxretry = 7; # ban after 7 failures
+      daemonSettings = {
+        Definition = {
+          logtarget = "SYSLOG";
+          socket = "/run/fail2ban/fail2ban.sock";
+          pidfile = "/run/fail2ban/fail2ban.pid";
+          dbfile = "/var/lib/fail2ban/db.sqlite3";
+        };
+      };
+      bantime-increment = {
+        enable = true;
+        rndtime = "8m";
+        overalljails = true;
+        multipliers = "2 4 16 128 256";
+        maxtime = "72h";
+      };
+      jails = {
+        dovecot = ''
+          # block IPs which failed to log-in
+          # aggressive mode add blocking for aborted connections
+          enabled = true
+          filter = dovecot[mode=aggressive]
+          maxretry = 2
+        '';
+        postfix = ''
+          enabled = true
+          filter = postfix[mode=aggressive]
+          findtime = 600
+          maxretry = 3
+        '';
+      };
+    };
+  };
+}
diff --git a/modules/by-name/ru/rust-motd/module.nix b/modules/by-name/ru/rust-motd/module.nix
new file mode 100644
index 0000000..ee88762
--- /dev/null
+++ b/modules/by-name/ru/rust-motd/module.nix
@@ -0,0 +1,82 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  cfg = config.vhack.rust-motd;
+in {
+  options.vhack.rust-motd = {
+    enable = lib.mkEnableOption "rust-motd";
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.rust-motd = {
+      path = with pkgs; [
+        bash
+        fail2ban # Needed for rust-motd fail2ban integration
+      ];
+    };
+
+    programs.rust-motd = {
+      enable = true;
+      enableMotdInSSHD = true;
+      refreshInterval = "*:0/5"; # 0/5 means: hour 0 AND all hour wich match (0 + 5 * x) (is the same as: 0, 5, 10, 15, 20)
+
+      # An example is here: https://raw.githubusercontent.com/rust-motd/rust-motd/refs/heads/main/example_config.toml
+      settings = {
+        global = {
+          progress_full_character = "=";
+          progress_empty_character = "-";
+          progress_prefix = "[";
+          progress_suffix = "]";
+          time_format = "%Y-%m-%d %H:%M:%S";
+        };
+
+        banner = {
+          color = "red";
+          command = "${pkgs.hostname}/bin/hostname | ${pkgs.figlet}/bin/figlet -f slant";
+          # if you don't want a dependency on figlet, you can generate your
+          # banner however you want, put it in a file, and then use something like:
+          # command = "cat banner.txt"
+        };
+
+        uptime = {
+          prefix = "Uptime:";
+        };
+
+        # ssl_certificates = {
+        #   sort_method = "manual";
+        #
+        #   certs = {
+        #     "server1.vhack.eu" = "/var/lib/acme/server1.vhack.eu/cert.pem";
+        #     "vhack.eu" = "/var/lib/acme/vhack.eu/cert.pem";
+        #   };
+        # };
+
+        filesystems = {
+          root = "/";
+          persistent = "/srv";
+          store = "/nix";
+          boot = "/boot";
+        };
+
+        memory = {
+          swap_pos = "beside"; # or "below" or "none"
+        };
+
+        fail2_ban = {
+          jails = ["sshd"]; #, "anotherjail"]
+        };
+
+        last_login = {
+          sils = 2;
+          soispha = 2;
+          nightingale = 2;
+        };
+
+        last_run = {};
+      };
+    };
+  };
+}
diff --git a/modules/by-name/us/users/module.nix b/modules/by-name/us/users/module.nix
new file mode 100644
index 0000000..bdffbdc
--- /dev/null
+++ b/modules/by-name/us/users/module.nix
@@ -0,0 +1,82 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  cfg = config.vhack.users;
+
+  mkUser = {
+    name,
+    password,
+    uid,
+    sshKey,
+  }: {
+    inherit name;
+    value = {
+      inherit name uid;
+      isNormalUser = true;
+      home = "/home/${name}";
+      initialHashedPassword = password;
+      extraGroups = [
+        "wheel"
+      ];
+      openssh.authorizedKeys.keys = [
+        sshKey
+      ];
+    };
+  };
+
+  extraUsers = lib.listToAttrs (builtins.map mkUser [
+    {
+      name = "soispha";
+      password = "$y$jFT$3.8XmUyukZvpExMUxDZkI.$IVrJgm8ysNDF/0vDD2kF6w73ozXgr1LMVRNN4Bq7pv1";
+      sshKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIME4ZVa+IoZf6T3U08JG93i6QIAJ4amm7mkBzO14JSkz cardno:000F_18F83532";
+      uid = 1000;
+    }
+    {
+      name = "sils";
+      password = "$y$jFT$KpFnahVCE9JbE.5P3us8o.$ZzSxCusWqe3sL7b6DLgOXNNUf114tiiptM6T8lDxtKC";
+      sshKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe4o1PM6VasT3KZNl5NYvgkkBrPOg36dqsywd10FztS openpgp:0x21D20D6A";
+      uid = 1001;
+    }
+  ]);
+in {
+  options.vhack.users = {
+    enable = lib.mkEnableOption "user setup";
+  };
+
+  config = lib.mkIf cfg.enable {
+    users = {
+      mutableUsers = false;
+      defaultUserShell = pkgs.bashInteractive;
+
+      users =
+        {
+          root = {
+            initialHashedPassword = null; # to lock root
+            openssh.authorizedKeys.keys = [];
+          };
+        }
+        // extraUsers;
+
+      # TODO(@bpeetz): Is this still relevant?
+      #                If it is, it should be moved to a separate module. <2024-12-24>
+      #     nixremote = {
+      #       name = "nixremote";
+      #       isNormalUser = true;
+      #       createHome = true;
+      #       home = "/home/nixremote";
+      #       uid = 1003;
+      #       group = "nixremote";
+      #       openssh.authorizedKeys.keys = [
+      #         "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCbSWqFzb+WTq2JVoRGoTkCkP7AM3bNY91bsUBeoQQc8gKAWuqCrpAOmr2Q2QMaTTGEOM0CsWfWLs3ZYtynHmc7wIFc4T/sUloV+dB9oSCmOk5ePxtj8+gpPK35Ja+ug5zmXsaI4s+n9mEbuuEjn33MxDYCUzAI+aWvWe68u/j+FM3u9c3Ta009rotajjSZ/cmIltgNLsG1rnAZRpwmLVg5UL4cb9um54o/NLYFd2KAekQFVbwUQDzzqriZhWmzkfhnznBMDblf9R1xvZ18Lqv3JF21shdaR43NW1wtuntBvAdsVYK2VUEbj+3MxTkK0aQ/E9SHMtH8MRE4oxU74TeTWfIhuSZk9/wekzSNMkHP3ReFC6B9xCMYa+ZqaTaGSWLQi78AQDeM2F9rAfp3hQzyRa7T7qKlgbae/hEb07xZglqmG7eml9vPSt4AHv5Y176Q95NiiWduGoLQOmjvSBMU9/KEGrGKyLfGH1Wa2EOfPxKKcvcHW0Xi9PlPiuP0nYk= root@thinklappi"
+      #       ];
+      #     };
+      #   };
+      #   groups.nixremote = {
+      #     gid = 1004;
+      #   };
+    };
+  };
+}