nixos/shared-setups: init modules subset

This commit is contained in:
Gabriel Arazas 2024-09-18 09:26:06 +08:00
parent 9b1c1132b8
commit 30a39a2fd8
No known key found for this signature in database
GPG Key ID: 62104B43D00AA360
6 changed files with 174 additions and 0 deletions


@ -1,6 +1,7 @@
{
imports = [
./extra-arguments.nix
./shared-setups/server
./state
./suites/archiving.nix
./suites/browsers.nix


@ -0,0 +1,30 @@
{ config, lib, pkgs, ... }:
let
cfg = config.shared-setups.server.crowdsec;
in
{
options.shared-setups.server.crowdsec.enable =
lib.mkEnableOption "typical Crowdsec setup for public-facing servers";
config = lib.mkIf cfg.enable {
services.crowdsec = {
enable = true;
settings = {
common = {
daemonize = false;
log_media = "stdout";
};
};
plugins = {
http = {
settings = {
type = "http";
log_level = "info";
};
};
};
};
};
}
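Review bot: As written the Crowdsec module configures logging and an `http` notification plugin but no acquisition sources and no bouncer, so unless `services.crowdsec` fills those in from elsewhere in this repository (not visible here) the agent reads no logs and enforces nothing on the "public-facing servers" the option description promises. The `plugins.http` entry also carries no target (`url`/`method`), which the upstream http plugin needs, so it likely either fails validation or is inert — worth confirming against the module's option set. I would at least add a comment above `plugins` such as `# NOTE: acquisitions (sshd journal, nginx access log) and a bouncer must be configured by the host; this only sets up notification plumbing.` so the gap is explicit, or wire in the sshd/nginx acquisitions here since this module sits next to the fail2ban and nginx setups it is meant to cover.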


@ -0,0 +1,8 @@
{
imports = [
./crowdsec.nix
./fail2ban.nix
./firewall.nix
./nginx.nix
];
}


@ -0,0 +1,29 @@
{ config, lib, pkgs, ... }:
let
cfg = config.shared-setups.server.fail2ban;
in
{
options.shared-setups.server.fail2ban.enable =
lib.mkEnableOption "typical fail2ban configuration for public-facing servers";
config = lib.mkIf cfg.enable {
services.fail2ban = {
enable = true;
bantime-increment = {
enable = true;
factor = "4";
maxtime = "24h";
overalljails = true;
};
extraPackages = with pkgs; [ ipset ];
# We're going to be unforgiving with this one since we only have key
# authentication and password authentication is disabled anyways.
jails.sshd.settings = {
enabled = true;
maxretry = 1;
};
};
};
}
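Review bot: The `maxretry = 1` sshd jail is justified by the comment "password authentication is disabled anyways", but nothing in this module enforces that — sshd's `PasswordAuthentication` defaults to yes in NixOS, so a host that enables this module without also hardening `services.openssh` gets a one-strike ban policy on top of password logins, and a single typo locks an operator out for the escalating `bantime`. Since the policy depends on that assumption, make it checked rather than assumed with an assertion inside the `mkIf cfg.enable` block (and consider `services.fail2ban.ignoreIP` for a management range, because with key-only auth a client whose agent offers several keys may still log failed publickey attempts before the right one is accepted). `KbdInteractiveAuthentication` should be covered the same way if the host uses it.
```nix
config = lib.mkIf cfg.enable {
  # maxretry = 1 below is only tolerable while sshd is key-only; refuse to build otherwise.
  assertions = [{
    assertion = config.services.openssh.settings.PasswordAuthentication == false;
    message = "shared-setups.server.fail2ban assumes sshd has PasswordAuthentication disabled";
  }];
  # … unchanged: services.fail2ban block …
};
```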


@ -0,0 +1,20 @@
{ config, lib, pkgs, ... }:
let
cfg = config.shared-setups.server.firewall;
in
{
options.shared-setups.server.firewall.enable = lib.mkEnableOption "typical firewall setup";
config = lib.mkIf cfg.enable {
networking = {
nftables.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [
22 # Secure Shells.
];
};
};
};
}
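Review bot: The hard-coded `22` in `allowedTCPPorts` duplicates what the NixOS openssh module already does (it opens `services.openssh.ports` when `openFirewall` is on, which is the default) and will keep TCP/22 open even on a host where sshd listens on another port or is not enabled at all. I would drop the literal and let the sshd module own its port, replacing the list with a comment such as `# sshd opens its own ports via services.openssh.openFirewall; nothing is allowed here by default.` so a reader does not assume this is where SSH exposure is controlled. If the intent is a belt-and-braces rule, tie it to the actual configuration instead: `allowedTCPPorts = lib.optionals config.services.openssh.enable config.services.openssh.ports;`.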


@ -0,0 +1,86 @@
# The reverse proxy of choice. Logs should be rotated weekly.
{ config, lib, pkgs, ... }:
let
cfg = config.shared-setups.server.nginx;
in
{
options.shared-setups.server.nginx.enable =
lib.mkEnableOption "typical Nginx configuration for public-facing servers";
config = lib.mkIf cfg.enable (lib.mkMerge [
{
# The main server where it will tie all of the services in one neat little
# place. Take note, the virtual hosts definition are all in their respective
# modules.
services.nginx = {
enable = true;
enableReload = true;
package = pkgs.nginxMainline;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Some more server-sided compressions.
recommendedBrotliSettings = true;
recommendedGzipSettings = true;
recommendedZstdSettings = true;
proxyCachePath.apps = {
enable = true;
keysZoneName = "apps";
};
appendConfig = ''
worker_processes auto;
'';
# We're avoiding any service to be the default server especially that it
# could be used for enter a service with unencrypted HTTP. So we're setting
# up one with an unresponsive server response.
appendHttpConfig = ''
# https://docs.nginx.com/nginx/admin-guide/content-cache/content-caching/
proxy_cache_min_uses 5;
proxy_cache_valid 200 302 10m;
proxy_cache_valid 404 1m;
proxy_no_cache $http_pragma $http_authorization;
server {
listen 80 default_server;
listen [::]:80 default_server;
return 444;
}
'';
# This is defined for other services.
upstreams."nginx" = {
extraConfig = ''
zone services 64k;
'';
servers = {
"localhost:80" = { };
};
};
};
networking.firewall.allowedTCPPorts = [
80 # HTTP servers.
443 # HTTPS servers.
];
# Generate a DH parameters for nginx-specific security configurations.
security.dhparams.params.nginx.bits = 4096;
}
(lib.mkIf config.services.fail2ban.enable {
# Some fail2ban policies to apply for nginx.
services.fail2ban.jails = {
nginx-http-auth.settings = { enabled = true; };
nginx-botsearch.settings = { enabled = true; };
nginx-bad-request.settings = { enabled = true; };
};
})
]);
}
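Review bot: The catch-all that the comment above `appendHttpConfig` describes only covers port 80; the firewall opens 443 as well, and with no `default_server` on 443 nginx falls back to the first TLS vhost for any unknown `Host`/SNI, so scanning the bare IP still reaches a real service and its certificate. Add a matching 443 catch-all that rejects the TLS handshake outright — `ssl_reject_handshake` needs no certificate and is available in `pkgs.nginxMainline`. Separately, `proxy_no_cache $http_authorization` stops authenticated responses from being stored but nothing bypasses the shared `apps` cache on the read side; pairing it with `proxy_cache_bypass $http_authorization;` is the usual complement, and a client-controlled `Pragma` header currently disables caching for any request, which is worth a comment if intentional.
```nix
appendHttpConfig = ''
  # … unchanged: proxy_cache_* directives and the port-80 catch-all …
  # Unknown SNI/Host on 443 must not fall through to the first real vhost.
  server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
    return 444;
  }
'';
```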