update

2024-06-23 17:52:19 +02:00
parent f8786dd24f
commit c5420f8d3a
30 changed files with 50 additions and 74 deletions
--- a/hosts/server/modules/internal/adguard.nix
+++ b/hosts/server/modules/internal/adguard.nix
@@ -0,0 +1,12 @@
+# Network-wide ads & trackers blocking DNS server
+# Change your router primary DNS server to {this server IP} to make it network wide.
+{
+  services.adguardhome = {
+    enable = false;
+    host = "0.0.0.0";
+    port = 3000;
+    allowDHCP = true;
+    openFirewall = true;
+  };
+  networking.firewall.allowedTCPPorts = [ 53 3000 ];
+}
--- a/hosts/server/modules/internal/openssh.nix
+++ b/hosts/server/modules/internal/openssh.nix
@@ -0,0 +1,15 @@
+# SSH server
+{
+  services.openssh = {
+    enable = true;
+    ports = [ 22 ];
+    settings = {
+      PasswordAuthentication = true;
+      AllowUsers = null; # Allows all users by default. Can be [ "user1" "user2" ]
+      UseDns = true;
+      X11Forwarding = false;
+      PermitRootLogin = "no"; # "yes", "without-password", "prohibit-password", "forced-commands-only", "no"
+    };
+  };
+  networking.firewall.allowedTCPPorts = [ 22 ];
+}
--- a/hosts/server/modules/internal/security.nix
+++ b/hosts/server/modules/internal/security.nix
@@ -0,0 +1,8 @@
+# Firewall & fail2ban
+{
+    networking.firewall.enable = true;
+    services.fail2ban = {
+        enable = true;
+        maxretry = 5;
+    };
+}
--- a/hosts/server/modules/internal/sops.nix
+++ b/hosts/server/modules/internal/sops.nix
@@ -0,0 +1,30 @@
+{
+
+  sops = {
+    age.keyFile = "/home/hadi/.config/sops/age/keys.txt";
+    defaultSopsFile = ../../../secrets/server.yaml;
+    defaultSopsFormat = "yaml";
+    secrets = {
+      sshconfig = {
+        path = "/home/hadi/.ssh/config";
+        owner = "hadi";
+      };
+      github-key = {
+        path = "/home/hadi/.ssh/github";
+        owner = "hadi";
+      };
+      nextcloud-adminpass = {
+        mode = "0444"; # FIXME
+        path = "/etc/nextcloud/adminpassFile";
+      };
+      cloudflare-apitoken = {
+        mode = "0444"; # FIXME
+        path = "/etc/cloudflare/apiToken";
+      };
+      tailscaled-authKey = {
+        mode = "0444"; # FIXME
+        path = "/etc/tailscale/authKey";
+      };
+    };
+  };
+}
--- a/hosts/server/modules/internal/unifi.nix
+++ b/hosts/server/modules/internal/unifi.nix
@@ -0,0 +1,7 @@
+# unifi controller service
+{
+  services.unifi = {
+    enable = true;
+    openFirewall = true; # 8443(webui) and other port use by AP
+  };
+}