From 26aaec910130e04e90f70244b105218e7f451b65 Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Thu, 8 Aug 2024 19:25:19 +0200
Subject: [PATCH] fixing fail2ban and set up ssh + tor on chungus

---
 components/network/default.nix | 1 -
 components/network/sshd/default.nix | 11 -----------
 .../network/sshd/known-hosts-zerotier.nix | 18 ++++++++++++++----
 features/boot/ssh.nix | 1 +
 features/default.nix | 5 ++++-
 features/network/default.nix | 6 ++++++
 {components => features}/network/fail2ban.nix | 10 +++++-----
 features/network/sshguard.nix | 18 ++++++++++++++++++
 machines/cherry/configuration.nix | 1 -
 machines/chungus/configuration.nix | 3 ++-
 .../chungus/hardware-configuration/default.nix | 1 +
 machines/orbi/configuration.nix | 4 +---
 12 files changed, 52 insertions(+), 27 deletions(-)
 create mode 100644 features/network/default.nix
 rename {components => features}/network/fail2ban.nix (83%)
 create mode 100644 features/network/sshguard.nix

diff --git a/components/network/default.nix b/components/network/default.nix
index 4a0ba8c..fd452b9 100644
--- a/components/network/default.nix
+++ b/components/network/default.nix
@@ -11,7 +11,6 @@ with types;
 imports = [
 #./avahi.nix
- ./fail2ban.nix
 ./hosts.nix
 ./nginx.nix
 ./sshd
diff --git a/components/network/sshd/default.nix b/components/network/sshd/default.nix
index 40293af..9d9bbc6 100644
--- a/components/network/sshd/default.nix
+++ b/components/network/sshd/default.nix
@@ -11,7 +11,6 @@ let
 echo "${config.networking.hostName}" | boxes -d ansi -s 80x1 -a r > $out
 '';
-
 in
 {
@@ -31,10 +30,6 @@ in
 default = [ ];
 description = "keys to root login";
 };
- sshguard.enable = mkOption {
- type = bool;
- default = config.components.network.sshd.enable;
- };
 onlyTincAccess = mkOption {
 type = bool;
 default = false;
@@ -71,12 +66,6 @@ in
 })
- (mkIf cfg.sshguard.enable {
- environment.systemPackages = [ pkgs.ipset ];
- services.sshguard.enable = lib.mkDefault true;
- #boot.kernelModules = ["xt_set"];
- })
-
 (mkIf (cfg.onlyTincAccess && cfg.enable) {
 networking.firewall.extraCommands = ''
 iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
diff --git a/components/network/sshd/known-hosts-zerotier.nix b/components/network/sshd/known-hosts-zerotier.nix
index 66ac93d..13fb191 100644
--- a/components/network/sshd/known-hosts-zerotier.nix
+++ b/components/network/sshd/known-hosts-zerotier.nix
@@ -9,9 +9,6 @@ let
 (machine: {
 hostNames = [
- "[${machine}]:2222"
- "[${machine}.${tld}]:2222"
- "[${machine}.private]:2222"
 "${machine}"
 "${machine}.${tld}"
 "${machine}.private"
@@ -19,6 +16,19 @@ let
 publicKey = publicKey machine;
 }
 );
+ bootMachines = clanLib.readFactFromAllMachines "ssh.boot.id_ed25519.pub";
+ knownBootHosts = lib.mapAttrs'
+ (machine: publicKey: nameValuePair
+ "boot_${machine}"
+ {
+ inherit publicKey;
+ hostNames = [
+ "[${machine}]:2222"
+ "[${machine}.public]:2222"
+ ];
+ }
+ )
+ bootMachines;
 in
 {
@@ -30,6 +40,6 @@ in
 };
 config = mkIf config.components.network.zerotier.enable {
- services.openssh.knownHosts = knownHosts;
+ services.openssh.knownHosts = knownHosts // knownBootHosts;
 };
 }
diff --git a/features/boot/ssh.nix b/features/boot/ssh.nix
index a8674ab..6d56432 100644
--- a/features/boot/ssh.nix
+++ b/features/boot/ssh.nix
@@ -21,6 +21,7 @@ with types;
 # ssh host key
 clan.core.facts.services."boot.ssh" = factsGenerator.ssh { name = "boot"; };
+ # todo: maybe put this in a component
 # boot
 boot.initrd.systemd.enable = true;
 boot.initrd.systemd.contents."/etc/hostname".text = "unlock.${config.networking.hostName}";
diff --git a/features/default.nix b/features/default.nix
index 98f8788..0bbc229 100644
--- a/features/default.nix
+++ b/features/default.nix
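Review bot: The new `knownBootHosts` pins the initrd listener only under `[${machine}]:2222` and `[${machine}.public]:2222`, while the port-2222 entries the first hunk of this file removes also covered `[${machine}.${tld}]:2222` and `[${machine}.private]:2222`; those two names on port 2222 are now pinned to nothing, so an operator who unlocks via the `.private` or `.${tld}` name gets a trust-on-first-use prompt, which is exactly the window an on-path attacker on the unlock network needs. The old entries carried the machine's main host key and the new ones the `ssh.boot` fact, which is the right key for the initrd sshd, so the fix is to keep all four names in the new `hostNames`: add `"[${machine}.${tld}]:2222"` and `"[${machine}.private]:2222"` next to the two already there. Whether `.public` is a name the zerotier module actually resolves for the initrd address is not visible here, and what `clanLib.readFactFromAllMachines` yields for a machine without a boot key fact is not visible either; the enclosing `let` starts before the hunk.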
@@ -1,3 +1,6 @@
 {
- imports = [ ./boot ];
+ imports = [
+ ./boot
+ ./network
+ ];
 }
diff --git a/features/network/default.nix b/features/network/default.nix
new file mode 100644
index 0000000..40896a0
--- /dev/null
+++ b/features/network/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./fail2ban.nix
+ ./sshguard.nix
+ ];
+}
diff --git a/components/network/fail2ban.nix b/features/network/fail2ban.nix
similarity index 83%
rename from components/network/fail2ban.nix
rename to features/network/fail2ban.nix
index 707eadb..22bd3b6 100644
--- a/components/network/fail2ban.nix
+++ b/features/network/fail2ban.nix
@@ -1,14 +1,14 @@
 { config, lib, pkgs, ... }:
 with lib;
 {
- options.components.network.fail2ban.enable = mkOption {
+ options.features.network.fail2ban.enable = mkOption {
 type = lib.types.bool;
 default = false;
 };
 config = mkMerge [
- (mkIf config.components.network.fail2ban.enable {
- environment.systemPackages = [ pkgs.fail2ban pkgs.ipset ];
+ (mkIf config.features.network.fail2ban.enable {
+ environment.systemPackages = [ pkgs.fail2ban ];
 services.fail2ban = {
 enable = true;
 #package = pkgs.legacy_2311.fail2ban;
@@ -19,7 +19,7 @@ with lib;
 # custom defined jails
 # --------------------
 # https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf
- (mkIf config.components.network.fail2ban.enable {
+ (mkIf config.features.network.fail2ban.enable {
 services.fail2ban.jails.nginx-git-not-found.settings = {
 port = "http,https";
 logpath = "%(nginx_error_log)s";
@@ -33,7 +33,7 @@ with lib;
 '';
 };
 })
- (mkIf config.components.network.fail2ban.enable {
+ (mkIf config.features.network.fail2ban.enable {
 services.fail2ban.jails.nginx-git-bad-request.settings = {
 port = "http,https";
 logpath = "%(nginx_error_log)s";
diff --git a/features/network/sshguard.nix b/features/network/sshguard.nix
new file mode 100644
index 0000000..e20aec2
--- /dev/null
+++ b/features/network/sshguard.nix
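Review bot: Dropping `pkgs.ipset` from `environment.systemPackages` in the first fail2ban hunk only changes the interactive PATH; it never put the binary on the fail2ban unit's path, so whether an ipset-based ban action keeps working depends on the service's own path, which this hunk does not show (the `services.fail2ban` attrset and the enclosing `mkMerge` both continue past the hunk). If any jail uses an ipset action, the package belongs on the service itself, via the NixOS module's `services.fail2ban.extraPackages = [ pkgs.ipset ];`, not in systemPackages. Worth a one-line comment on the new `environment.systemPackages` line saying it is there for `fail2ban-client` only, e.g. `# fail2ban-client for operators; the daemon's own PATH is set by the module`.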
@@ -0,0 +1,18 @@
+{ pkgs, config, lib, assets, ... }:
+with lib;
+with types;
+{
+
+ options.features.network.sshguard = {
+ enable = mkOption {
+ type = bool;
+ default = false;
+ };
+ };
+
+ config = mkIf config.features.network.sshguard.enable {
+ environment.systemPackages = [ pkgs.ipset ];
+ services.sshguard.enable = true;
+ };
+
+}
diff --git a/machines/cherry/configuration.nix b/machines/cherry/configuration.nix
index c2286bd..703684b 100644
--- a/machines/cherry/configuration.nix
+++ b/machines/cherry/configuration.nix
@@ -43,7 +43,6 @@
 components.media.enable = true;
 components.media.tts-client.enable = false;
 components.network.enable = true;
- components.network.sshd.sshguard.enable = false;
 components.network.wifi.enable = true;
 components.terminal.enable = true;
diff --git a/machines/chungus/configuration.nix b/machines/chungus/configuration.nix
index fc5e110..2d2e2c6 100644
--- a/machines/chungus/configuration.nix
+++ b/machines/chungus/configuration.nix
@@ -55,7 +55,9 @@
 components.network.wifi.enable = false;
 components.terminal.enable = true;
+ features.boot.ssh.enable = true;
 features.boot.ssh.kernelModules = [ "e1000e" ];
+ features.boot.tor.enable = true;
 components.monitor.enable = true;
 components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317";
@@ -68,7 +70,6 @@
 networking.hostName = "chungus";
-
 hardware.graphics.enable = true;
 hardware.graphics.enable32Bit = true;
 hardware.graphics.extraPackages = with pkgs; [
diff --git a/machines/chungus/hardware-configuration/default.nix b/machines/chungus/hardware-configuration/default.nix
index 60488a0..3e2c559 100644
--- a/machines/chungus/hardware-configuration/default.nix
+++ b/machines/chungus/hardware-configuration/default.nix
@@ -7,6 +7,7 @@
 boot.loader.efi.canTouchEfiVariables = true;
 boot.loader.systemd-boot.enable = true;
+ boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
 boot.supportedFilesystems = [ "zfs" ];
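Review bot: `default = false` silently switches brute-force protection off for every host that relied on the component this replaces, whose default was `config.components.network.sshd.enable` (removed in the sshd hunk earlier in this patch), and nothing in the patch sets `features.network.sshguard.enable = true` anywhere — cherry and orbi had it explicitly disabled, but chungus and any machine not touched here lose sshguard with no change in their own configuration. If opt-in is intended, say so in a `description` on the option and enable it on the hosts that had it before; otherwise keep the old behaviour with `default = config.services.openssh.enable;`. Two smaller points: `assets` in the argument set is unused, and `environment.systemPackages = [ pkgs.ipset ]` only affects the interactive PATH, so if sshguard's backend needs ipset that has to come from the service side — what the NixOS sshguard unit puts on its own path is not visible here. Consider also whitelisting the zerotier/tinc ranges via `services.sshguard.whitelist` so a mistyped key from an operator's own host cannot lock the admin out.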
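Review bot: Turning on the initrd sshd (`features.boot.ssh.enable`) together with `features.boot.tor.enable` puts the unlock prompt on port 2222 beyond the LAN and, if the tor feature publishes an onion service (its definition is not in this diff), in front of anyone on the Tor network; sshguard and fail2ban run only in the booted system, so neither would rate-limit that listener, and this machine enables neither anyway. The only effective control is key-only authentication on the initrd sshd, which lives in `features/boot/ssh.nix` outside this hunk — confirm it leaves password authentication off and restricts `authorizedKeys` to operator keys before shipping this. A comment on the tor line would save the next reader a lookup: `# initrd unlock reachable over tor as well; key-only auth, no rate limiting in initrd`.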
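Review bot: `boot.tmp.useTmpfs = true` sizes /tmp at the tmpfs default of half of RAM, and nix-daemon builds land in /tmp unless TMPDIR is redirected, so a large build on this host now competes with running services for memory and ends in an OOM kill rather than a disk-full error; if big builds happen here, set `boot.tmp.tmpfsSize` explicitly or point the daemon's TMPDIR at disk. The trailing comment should state the trade-off rather than just `(performance!)`: `# /tmp on tmpfs: faster, but bounded by RAM — large nix builds need TMPDIR on disk`.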
diff --git a/machines/orbi/configuration.nix b/machines/orbi/configuration.nix
index 4d151b6..23dc79a 100644
--- a/machines/orbi/configuration.nix
+++ b/machines/orbi/configuration.nix
@@ -47,9 +47,7 @@
 components.network.nginx.landingpage.enable = false;
 components.network.wifi.enable = false;
- components.network.fail2ban.enable = true;
- components.network.sshd.sshguard.enable = false;
-
+ features.network.fail2ban.enable = true;
 features.boot.ssh.enable = true;
 components.monitor.enable = true;