Diffstat (limited to '')
-rw-r--r-- | system/services/acme/default.nix | 30 | ||||
-rw-r--r-- | system/services/default.nix | 12 | ||||
-rw-r--r-- | system/services/fail2ban/default.nix | 30 | ||||
-rw-r--r-- | system/services/firewall/default.nix | 11 | ||||
-rw-r--r-- | system/services/minecraft/default.nix (renamed from services/services/minecraft.nix) | 0 | ||||
-rw-r--r-- | system/services/nginx/default.nix | 15 | ||||
-rw-r--r-- | system/services/nix/default.nix (renamed from services/services/nix.nix) | 0 | ||||
-rw-r--r-- | system/services/opensshd/default.nix (renamed from services/services/opensshd.nix) | 1 | ||||
-rw-r--r-- | system/services/rust-motd/default.nix (renamed from services/services/rust-motd.nix) | 28 |
9 files changed, 118 insertions, 9 deletions
diff --git a/system/services/acme/default.nix b/system/services/acme/default.nix
new file mode 100644
index 0000000..a163e77
--- /dev/null
+++ b/system/services/acme/default.nix
@@ -0,0 +1,30 @@
+{...}: {
+ users.users.nginx.extraGroups = ["acme"];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "acmechallenge.vhack.eu" = {
+ serverAliases = ["*.vhack.eu"];
+ locations."/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/.challenges";
+ };
+ locations."/" = {
+ return = "301 https://$host$request_uri";
+ };
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "admin@vhack.eu";
+ certs = {
+ "server1.vhack.eu" = {
+ webroot = "/var/lib/acme/.challenges";
+ group = "nginx";
+ extraDomainNames = ["imap.vhack.eu" "smtp.vhack.eu"];
+ };
+ };
+ };
+}
diff --git a/system/services/default.nix b/system/services/default.nix
new file mode 100644
index 0000000..6e5cb3c
--- /dev/null
+++ b/system/services/default.nix
@@ -0,0 +1,12 @@
+{config, ...}: {
+ imports = [
+ ./acme
+# ./firewall
+ #./minecraft
+ ./nginx
+ ./nix
+ ./opensshd
+ ./rust-motd
+ ./fail2ban
+ ];
+}
diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix
new file mode 100644
index 0000000..5aee097
--- /dev/null
+++ b/system/services/fail2ban/default.nix
@@ -0,0 +1,30 @@
+# vim: ts=2
+{...}: {
+ services.fail2ban = {
+ enable = true;
+ maxretry = 2; # ban after 2 failures
+ daemonConfig = ''
+ [Definition]
+ logtarget = SYSLOG
+ socket = /run/fail2ban/fail2ban.sock
+ pidfile = /run/fail2ban/fail2ban.pid
+ dbfile = /srv/fail2ban/fail2ban.sqlite3
+ '';
+ bantime-increment = {
+ enable = true;
+ rndtime = "8m";
+ overalljails = true;
+ multipliers = "2 4 16 128 256";
+ maxtime = "72h";
+ };
+ jails = {
+ dovecot = ''
+ # block IPs which failed to log-in
+ # aggressive mode add blocking for aborted connections
+ enabled = true
+ filter = dovecot[mode=aggressive]
+ maxretry = 2
+ '';
+ };
+ };
+}
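Review bot: `users.users.nginx.extraGroups = ["acme"]` on the first added line lets nginx read every certificate under /var/lib/acme, while the per-cert `group = "nginx"` further down already makes server1.vhack.eu readable by nginx; the group membership looks redundant and is wider than least privilege needs. Dropping the extraGroups line and relying on `group = "nginx"` (the pattern the NixOS ACME module documents) keeps nginx out of certs it does not serve — if some other cert depends on the membership, a comment naming it would help. Separately, the `*.vhack.eu` catch-all vhost redirects to `https://$host$request_uri`, and `$host` is taken from the request's Host header; if this block also ends up as the default server for port 80 (not determinable from this hunk), a crafted Host header turns it into an open redirect. Adding a dedicated vhost with `default = true;` that returns 444 for unknown hosts, or redirecting to `$server_name` where a fixed name is acceptable, closes that.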
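Review bot: The module header `{config, ...}: {` takes `config` but nothing in the file uses it; the sibling modules in this commit use `{...}: {`, so the same form here keeps the set consistent and avoids suggesting a dependency that is not there. The commented-out `# ./firewall` line, sitting at column 0 unlike `#./minecraft`, reads as accidental rather than deliberate; if the mail ports are meant to stay closed for now, a short note such as `# ./firewall  # mail ports intentionally not exposed yet` makes the intent clear to the next reader.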
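Review bot: `maxretry = 2` combined with `bantime-increment` up to `maxtime = "72h"` and no `ignoreIP` means two mistyped logins lock an administrator out for escalating periods of up to three days, across every jail because `overalljails = true`; consider `services.fail2ban.ignoreIP = [ "<management-network>/24" ];` for the networks you administer from (localhost is covered by the module's ignoreself default, as far as I recall — verify). `dbfile = /srv/fail2ban/fail2ban.sqlite3` points outside the module's default state directory and nothing in this hunk creates /srv/fail2ban; unless another module or tmpfiles rule does, fail2ban will fail to open its ban database on first start, so either drop the override or add `systemd.tmpfiles.rules = [ "d /srv/fail2ban 0700 root root -" ];`. The `maxretry = 2` inside the dovecot jail duplicates the global value and can be removed.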
diff --git a/system/services/firewall/default.nix b/system/services/firewall/default.nix
new file mode 100644
index 0000000..23dbcc4
--- /dev/null
+++ b/system/services/firewall/default.nix
@@ -0,0 +1,11 @@
+# vim: ts=2
+{...}: {
+ networking.firewall = {
+ allowedTCPPorts = [
+ # for mail protocols:
+ 465 # SMTP SSL
+ 995 # POP3 SSL
+ 993 # IMAP SSL
+ ];
+ };
+}
diff --git a/services/services/minecraft.nix b/system/services/minecraft/default.nix
index 754c974..754c974 100644
--- a/services/services/minecraft.nix
+++ b/system/services/minecraft/default.nix
diff --git a/system/services/nginx/default.nix b/system/services/nginx/default.nix
new file mode 100644
index 0000000..204783b
--- /dev/null
+++ b/system/services/nginx/default.nix
@@ -0,0 +1,15 @@
+{...}: {
+ networking.firewall = {
+ allowedTCPPorts = [80 443];
+ };
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "vhack.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/srv/www/vhack.eu";
+ };
+ };
+ };
+}
diff --git a/services/services/nix.nix b/system/services/nix/default.nix
index bd562ec..bd562ec 100644
--- a/services/services/nix.nix
+++ b/system/services/nix/default.nix
diff --git a/services/services/opensshd.nix b/system/services/opensshd/default.nix
index cb9f2ba..75c5aef 100644
--- a/services/services/opensshd.nix
+++ b/system/services/opensshd/default.nix
@@ -8,7 +8,6 @@
 passwordAuthentication = false;
 hostKeys = [
 {
- comment = "key comment";
 path = "/srv/sshd/ssh_host_ed25519_key";
 rounds = 1000;
 type = "ed25519";
diff --git a/services/services/rust-motd.nix b/system/services/rust-motd/default.nix
index 21bc1cd..1a41b32 100644
--- a/services/services/rust-motd.nix
+++ b/system/services/rust-motd/default.nix
@@ -3,6 +3,15 @@
 pkgs,
 ...
 }: {
+ systemd.services.rust-motd = {
+ path = builtins.attrValues {
+ inherit
+ (pkgs)
+ bash
+ fail2ban # Needed for rust-motd fail2ban integration
+ ;
+ };
+ };
 programs.rust-motd = {
 enable = true;
 enableMotdInSSHD = true;
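Review bot: This firewall module is not imported anywhere in the commit — `system/services/default.nix` lists it as `# ./firewall` — so the rules for 465/993/995 are dead configuration and the mail ports stay closed, while the fail2ban dovecot jail and the imap/smtp SANs on the ACME cert suggest mail is expected to be reachable. If that is intentional for now, a comment at the top of this file saying the import is deferred would stop the next reader from assuming the ports are open; if not, uncomment the import. Note that ACME HTTP-01 validation for `imap.vhack.eu`/`smtp.vhack.eu` only needs port 80, which the nginx module opens, so issuance does not depend on this file either way.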
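Review bot: The `vhack.eu` vhost turns on TLS via `forceSSL`/`enableACME` but leaves the nginx module at its default TLS parameters; adding `recommendedTlsSettings = true;` next to `enable = true;` enables the module's curated protocol and cipher defaults with no further work. `enableACME = true` here creates a certificate named `vhack.eu`, separate from the `server1.vhack.eu` cert declared in the acme module — that matches the `/var/lib/acme/vhack.eu/cert.pem` path rust-motd reads later in this commit, and a comment such as `# enableACME issues a separate cert named "vhack.eu"; rust-motd reads it by that name` would keep the two from being "unified" by mistake. Neither option adds HSTS as far as I can tell; if the site is HTTPS-only, `extraConfig = ''add_header Strict-Transport-Security "max-age=31536000" always;'';` on the vhost is the usual addition.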
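Review bot: Adding `fail2ban` to the unit's PATH gives rust-motd the `fail2ban-client` binary, but the client talks to `/run/fail2ban/fail2ban.sock`, which is normally reachable by root only; unless the rust-motd service already runs as root (not visible here — the unit definition and the `programs.rust-motd` block both continue outside this hunk), the fail2ban section of the MOTD will fail or print an error. Worth confirming which user the unit runs as and recording the assumption on the line itself: `fail2ban # fail2ban-client needs root access to /run/fail2ban/fail2ban.sock`. `builtins.attrValues { inherit (pkgs) bash fail2ban; }` is a roundabout way of writing `[ pkgs.bash pkgs.fail2ban ]`, which is the form most NixOS modules use for `path`.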
@@ -45,17 +54,20 @@
 # [user_service_status]
 # gpg-agent = "gpg-agent"
- #s_s_l_certs = {
- # sort_method = "manual"
- #
- # certs = {
- # CertName1 = "/path/to/cert1.pem"
- # CertName2 = "/path/to/cert2.pem"
- # }
- #};
+ s_s_l_certs = {
+ sort_method = "manual";
+
+ certs = {
+ "server1.vhack.eu" = "/var/lib/acme/server1.vhack.eu/cert.pem";
+ "vhack.eu" = "/var/lib/acme/vhack.eu/cert.pem";
+ };
+ };
 filesystems = {
 root = "/";
+ persistent = "/srv";
+ store = "/nix";
+ boot = "/boot";
 };
 memory = {
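Review bot: The `s_s_l_certs` entries point rust-motd at `/var/lib/acme/<name>/cert.pem`; the ACME module keeps each certificate directory readable only by its owner and group (`nginx` for both certs in this commit), so the rust-motd service must run as root or belong to group `nginx` for the expiry display to work — the unit's user is not visible here, please confirm. Both files also exist only after the first successful issuance; on a fresh host where ACME has not yet completed, rust-motd should tolerate the missing path rather than break the whole MOTD, which is worth checking on a clean deployment. A short comment above the block, e.g. `# cert.pem is group-readable (nginx) only; the rust-motd unit must be able to read it`, would record the dependency. The enclosing settings attrset starts and ends outside this hunk.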