diff --git a/configuration.nix b/configuration.nix
index 9cd284b..2045d3f 100755
--- a/configuration.nix
+++ b/configuration.nix
@@ -23,8 +23,8 @@
 ./modules/git.nix
 ./modules/nix-settings.nix
 ./modules/zfs.nix
+ ./modules/microvm.nix
- (import ./modules/microvm.nix {routed = true;})
 (import ./modules/networking-shared.nix {hostname = "server";})
 (import ./modules/users.nix {main-user = "baritone";})
 ];
@@ -39,21 +39,11 @@
 # Enable microcode updates
 hardware.enableRedistributableFirmware = true;
- # programs.zsh = {
- # enable = true;
- # enableGlobalCompInit = true;
- # shellAliases = {
- # "nrb" = "sudo nixos-rebuild switch --flake /etc/nixos";
- # };
- # };
-
 environment.systemPackages = with pkgs; [
 wget
 curl
 git
 vim
-
- inputs.agenix.packages."${system}".default
 ];
 programs.nano.enable = false;
diff --git a/modules/age.nix b/modules/age.nix
index 5e3261a..377b000 100644
--- a/modules/age.nix
+++ b/modules/age.nix
@@ -1,8 +1,15 @@
-{config, ...}: {
+{
+ config,
+ pkgs,
+ inputs,
+ ...
+}: {
 age.identityPaths = [
 "/home/baritone/.ssh/id_ed25519"
 ];
 age.secrets = {
 forgejo-runner-token.file = ../secrets/forgejo-runner-token.age;
 };
+
+ environment.systemPackages = [inputs.agenix.packages."${pkgs.system}".default];
 }
diff --git a/modules/microvm.nix b/modules/microvm.nix
index fecdc2b..abd03dc 100755
--- a/modules/microvm.nix
+++ b/modules/microvm.nix
@@ -1,4 +1,4 @@
-{routed ? false}: {
+{
 pkgs,
 config,
 ...
diff --git a/modules/zfs.nix b/modules/zfs.nix
index 0277261..b491232 100755
--- a/modules/zfs.nix
+++ b/modules/zfs.nix
@@ -8,8 +8,4 @@
 environment.systemPackages = with pkgs; [
 zfs
 ];
-
- # Microvm be fucking shit up
- # fileSystems."/nix/store".fsType = lib.mkForce "zfs";
- # fileSystems."/nix/store".device = lib.mkForce "zroot/nix/store";
 }
diff --git a/services/auto-torrent.nix b/services/auto-torrent.nix
index 75b0f2e..0d9f621 100644
--- a/services/auto-torrent.nix
+++ b/services/auto-torrent.nix
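Review bot: The new `environment.systemPackages` line makes this module the only place the agenix CLI is installed, so a host gets the tool only if it imports `modules/age.nix`; the configuration.nix hunk in this commit drops the package from the host's own list and its visible imports do not include age.nix, though that list starts above the hunk, so please confirm the host still imports it. Separately, `age.identityPaths` (context here, not changed by the commit) keeps the host's sole decryption identity at a personal key under /home/baritone, and the module is now also pulled in transitively by services/gitea-actions-runner.nix, so every host that enables the runner inherits that choice. Secrets are decrypted by root during activation, so the host SSH key is the usual identity: it exists before any home directory is mounted and is not a user's login credential. After re-keying the secrets to the host's public key this becomes `age.identityPaths = ["/etc/ssh/ssh_host_ed25519_key"];`.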
@@ -23,7 +23,10 @@
 ports-list = (pkgs.lib.attrsets.mapAttrsToList (name: value: value.port) ports) ++ [9091];
 in {
 microvm.autostart = [vm-name];
- imports = [./nginx.nix];
+ imports = [
+ ./nginx.nix
+ ../modules/microvm.nix
+ ];
 users.extraUsers.microvm.extraGroups = [
 "jellyfin" # access to media folder
diff --git a/services/fail2ban.nix b/services/fail2ban.nix
index 753b40e..2fc53cc 100755
--- a/services/fail2ban.nix
+++ b/services/fail2ban.nix
@@ -3,8 +3,34 @@
 lib,
 config,
 ...
-}: {
- services.fail2ban = {
+}: let
+ jails = {
+ forgejo = mkJail "forgejo" "^.*Failed authentication attempt for .* from .*$";
+ jellyfin = mkJail "jellyfin" "^.*Authentication request for .* has been denied \\(IP: \\)\\.";
+ sonarr = mkJail "sonarr" "^.*Auth-Failure ip username.*$";
+ radarr = mkJail "sonarr" "^.*Auth-Failure ip username.*$";
+ vaultwarden = mkJail "vaultwarden" "^.*Username or password is incorrect. Try again. IP: \\. Username: .*$";
+ };
+
+ mkJail = name: filter: {
+ jail.settings = {
+ enabled = true;
+ filter = name;
+ backend = "systemd";
+ port = "80,443";
+ maxretry = 8;
+ bantime = "24h";
+ findtime = "30m";
+ journalmatch = "_SYSTEMD_UNIT=${name}.service";
+ };
+ filter = ''
+ [Definition]
+ failregex = ${filter}
+ '';
+ };
+in {
+ services.fail2ban = let
+ in {
 enable = true;
 bantime = "24h";
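Review bot: `radarr = mkJail "sonarr" ...` names the radarr jail's filter and journal unit after sonarr, so it is an exact duplicate of the sonarr jail and radarr authentication failures are never matched; it should read `radarr = mkJail "radarr" "^.*Auth-Failure ip username.*$";`, which also makes the otherwise unreferenced `filter.d/radarr.local` generated in the next hunk actually used. The helper further hard-codes `backend = "systemd"` and `journalmatch = "_SYSTEMD_UNIT=${name}.service"` for every jail, whereas the removed sonarr/radarr jails read `/var/lib/auto-torrent/<app>/logs/*.txt` with `backend = "auto"` — those services appear to run inside the auto-torrent microvm, so no such unit exists in the host journal and both jails would silently match nothing; letting mkJail take an attrset of setting overrides (below) restores that coverage. The per-service `lib.mkIf config.services.<x>.enable` guards are gone as well, so each jail is now `enabled = true` whether or not the service runs on the host, and the `services.fail2ban = let in {` wrapper binds nothing and can be dropped. As rendered here none of the failregexes carries a `<HOST>` capture — most likely stripped in rendering, but worth confirming in the source, since fail2ban rejects a failregex without one. The `services.fail2ban` set continues outside the hunk.
```nix
jails = {
  # … unchanged: forgejo, jellyfin, vaultwarden entries (each gains a trailing `{}` argument) …
  sonarr = mkJail "sonarr" "^.*Auth-Failure ip username.*$" {
    backend = "auto";
    logpath = "/var/lib/auto-torrent/sonarr/logs/*.txt";
  };
  radarr = mkJail "radarr" "^.*Auth-Failure ip username.*$" {
    backend = "auto";
    logpath = "/var/lib/auto-torrent/radarr/logs/*.txt";
  };
};

# `extra` overrides the shared defaults for jails whose logs are not in the host journal.
mkJail = name: filter: extra: {
  jail.settings =
    {
      enabled = true;
      filter = name;
      backend = "systemd";
      port = "80,443";
      maxretry = 8;
      bantime = "24h";
      findtime = "30m";
      journalmatch = "_SYSTEMD_UNIT=${name}.service";
    }
    // extra;
  # … unchanged: filter text …
};
```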
@@ -15,106 +41,34 @@
 overalljails = true;
 };
- jails = {
- dovecot = lib.mkIf config.services.dovecot2.enable {
- settings = {
- # block IPs which failed to log-in
- # aggressive mode add blocking for aborted connections
- filter = "dovecot[mode=aggressive]";
- maxretry = 3;
+ jails =
+ {
+ dovecot = lib.mkIf config.services.dovecot2.enable {
+ settings = {
+ # block IPs which failed to log-in
+ # aggressive mode add blocking for aborted connections
+ filter = "dovecot[mode=aggressive]";
+ maxretry = 3;
+ };
+ };
- };
-
- jellyfin = lib.mkIf config.services.jellyfin.enable {
- settings = {
- filter = "jellyfin";
- backend = "systemd";
- enabled = true;
- port = "80,443";
- maxretry = 8;
- bantime = "24h";
- findtime = "30m";
- journalmatch = "_SYSTEMD_UNIT=jellyfin.service";
- };
- };
-
- forgejo = lib.mkIf config.services.forgejo.enable {
- settings = {
- filter = "forgejo";
- backend = "systemd";
- enabled = true;
- port = "80,443";
- maxretry = 8;
- bantime = "24h";
- findtime = "30m";
- journalmatch = "_SYSTEMD_UNIT=forgejo.service";
- };
- };
-
- sonarr = lib.mkIf (config.microvm.vms."auto-torrent" != null) {
- settings = {
- filter = "arr";
- backend = "auto";
- enabled = true;
- port = "80,443";
- maxretry = 8;
- bantime = "24h";
- findtime = "30m";
- logpath = "/var/lib/auto-torrent/sonarr/logs/*.txt";
- };
- };
- radarr = lib.mkIf (config.microvm.vms."auto-torrent" != null) {
- settings = {
- filter = "arr";
- backend = "auto";
- enabled = true;
- port = "80,443";
- maxretry = 8;
- bantime = "24h";
- findtime = "30m";
- logpath = "/var/lib/auto-torrent/radarr/logs/*.txt";
- };
- };
- vaultwarden = lib.mkIf config.services.vaultwarden.enable {
- settings = {
- filter = "vaultwarden";
- backend = "systemd";
- enabled = true;
- port = "80,443";
- maxretry = 8;
- bantime = "24h";
- findtime = "30m";
- journalmatch = "_SYSTEMD_UNIT=vaultwarden.service";
- };
- };
- };
+ }
+ // (lib.attrsets.mapAttrs (name: value: value.jail) jails);
 };
- environment.etc = {
- # Jellyfin
- "fail2ban/filter.d/jellyfin.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
- [Definition]
- failregex = ^.*Authentication request for .* has been denied \(IP: \)\.
- '');
- # Forgejo
- "fail2ban/filter.d/forgejo.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
- [Definition]
- failregex = ^.*Failed authentication attempt for .* from .*$
- '');
- # *arr
- "fail2ban/filter.d/arr.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
- [Definition]
- failregex = ^.*Auth-Failure ip username.*$
- '');
- # Vaultwarden
- "fail2ban/filter.d/vaultwarden.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
- [Definition]
- failregex = ^.*Username or password is incorrect. Try again. IP: \. Username: .*$
- '');
- # Defines a filter that detects URL probing by reading the Nginx access log
- "fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
- [Definition]
- failregex = ^.*(GET /(wp-|admin|boaform|phpmyadmin|\.env|\.git)|\.(dll|so|cfm|asp)|(\?|&)(=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000|=PHPE9568F36-D428-11d2-A769-00AA001ACF42|=PHPE9568F35-D428-11d2-A769-00AA001ACF42|=PHPE9568F34-D428-11d2-A769-00AA001ACF42)|\\x[0-9a-zA-Z]{2})
- '');
- };
+ environment.etc =
+ {
+ # Defines a filter that detects URL probing by reading the Nginx access log
+ "fail2ban/filter.d/nginx-url-probe.local".text = lib.mkDefault (lib.mkAfter ''
+ [Definition]
+ failregex = ^.*(GET /(wp-|admin|boaform|phpmyadmin|\.env|\.git)|\.(dll|so|cfm|asp)|(\?|&)(=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000|=PHPE9568F36-D428-11d2-A769-00AA001ACF42|=PHPE9568F35-D428-11d2-A769-00AA001ACF42|=PHPE9568F34-D428-11d2-A769-00AA001ACF42)|\\x[0-9a-zA-Z]{2})
+ '');
+ }
+ // (with lib.attrsets;
+ mapAttrs' (
+ name: value:
+ nameValuePair
+ "fail2ban/filter.d/${name}.local"
+ {text = lib.mkDefault (lib.mkAfter value.filter);}
+ )
+ jails);
 }
diff --git a/services/gitea-actions-runner.nix b/services/gitea-actions-runner.nix
index c4c9b8e..152c356 100644
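Review bot: `with lib.attrsets;` in the `environment.etc` merge is unnecessary and brings every attrsets function into scope for the whole expression: `mapAttrs'` and `nameValuePair` are exported directly from `lib`, so `// (lib.mapAttrs' (name: value: lib.nameValuePair "fail2ban/filter.d/${name}.local" {text = lib.mkDefault (lib.mkAfter value.filter);}) jails)` reads the same without the `with`. This generator now emits a `filter.d/radarr.local` that no jail references while the radarr jail defined in the earlier hunk names its filter "sonarr"; the fix belongs in that hunk, as noted there. The module's top-level attribute set closes on the last line of this hunk.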
--- a/services/gitea-actions-runner.nix
+++ b/services/gitea-actions-runner.nix
@@ -3,7 +3,10 @@
 pkgs,
 ...
 }: {
- imports = [./docker.nix];
+ imports = [
+ ./docker.nix
+ ../modules/age.nix
+ ];
 services.gitea-actions-runner = {
 package = pkgs.forgejo-runner;
 instances = {
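Review bot: Importing `../modules/age.nix` from this service file pulls host-wide settings into every host that enables the runner — the decryption identity under /home/baritone and, after this commit, the agenix CLI in `environment.systemPackages` — although the runner only needs `age.secrets.forgejo-runner-token`. Keeping the identity and CLI in the host configuration and declaring only the secret here would keep that dependency visible rather than hidden behind a service import; at minimum a comment on the new import line, `# provides age.secrets.forgejo-runner-token (also sets host identity and installs agenix)`, would flag it for the next reader. The `services.gitea-actions-runner` block continues outside the hunk.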