authorAzat Bahawi <azat@bahawi.net>2023-07-13 07:39:07 +0300
committerAzat Bahawi <azat@bahawi.net>2023-07-13 07:39:07 +0300
commit138ff2ae32facaf4f2c072115b1b0f64f05f615a (patch)
tree1853385d7b07b92c3eb84439170fc719e56cf2c4
parentab63f2eb09ed6633a7fad7a1a72b60bb14d5c85c (diff)
2023-07-13
-rw-r--r--flake.lock72
-rw-r--r--modules/common/openssh.nix6
-rw-r--r--modules/nixos/fail2ban.nix4
-rw-r--r--modules/nixos/nginx.nix8
-rw-r--r--modules/nixos/nsd.nix4
-rw-r--r--modules/nixos/openssh.nix12
-rw-r--r--modules/nixos/shadowsocks.nix12
-rw-r--r--modules/nixos/vaultwarden.nix54
-rw-r--r--nixosConfigurations/manwe/mailserver.nix16
9 files changed, 97 insertions, 91 deletions
diff --git a/flake.lock b/flake.lock
index 37617bd..602be95 100644
--- a/flake.lock
+++ b/flake.lock
@@ -124,11 +124,11 @@
]
},
"locked": {
- "lastModified": 1688882536,
- "narHash": "sha256-JXhHLy3+OxRghen7X8no1/8Ab+NkYSxrCIB9IILKUUc=",
+ "lastModified": 1689116343,
+ "narHash": "sha256-eaYfwQTSEbuB7rs5/W227SbVeDP9cbcoT1TEbnmOgOk=",
"owner": "LnL7",
"repo": "nix-darwin",
- "rev": "4e3fc1864712a534d30ef074d695e968f1fb1487",
+ "rev": "eb22022ba8faeeb7a9be8afe925511b88ad12ca5",
"type": "github"
},
"original": {
@@ -222,11 +222,11 @@
"systems": "systems"
},
"locked": {
- "lastModified": 1687709756,
- "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
+ "lastModified": 1689068808,
+ "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
"owner": "numtide",
"repo": "flake-utils",
- "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
+ "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
"type": "github"
},
"original": {
@@ -264,11 +264,11 @@
]
},
"locked": {
- "lastModified": 1688875170,
- "narHash": "sha256-hNYMNl07J22c0K0NhVyvF6cF8mahOCzBTNKT/OEQN14=",
+ "lastModified": 1689134369,
+ "narHash": "sha256-0G9dutIvhS/WUr3Awcnqw71g8EVVvvkOhVDnDDbY4Fw=",
"owner": "nix-community",
"repo": "home-manager",
- "rev": "86157256d2e0d257c53eefeb008230f043e12210",
+ "rev": "e42fb59768f0305085abde0dd27ab5e0cc15420c",
"type": "github"
},
"original": {
@@ -323,11 +323,11 @@
]
},
"locked": {
- "lastModified": 1688868368,
- "narHash": "sha256-dIAtHTXUZvqYzBxi0+SVMrE4A2+K8kD3q70fw0WnIGk=",
+ "lastModified": 1689126991,
+ "narHash": "sha256-DKySsOJNYDIp9va4aMn5RMFBwY4aTEm6X54DDK3d7h8=",
"owner": "Infinidoge",
"repo": "nix-minecraft",
- "rev": "d612610255db2376426a97402051d141aac044ee",
+ "rev": "716d9925ee8690b957a6b8f00a6f5ebc3d571105",
"type": "github"
},
"original": {
@@ -350,11 +350,11 @@
]
},
"locked": {
- "lastModified": 1688867279,
- "narHash": "sha256-r7QYU+m9RJN/CUGgBy9mDgtoYIk39sKVoLnP1MrC6js=",
+ "lastModified": 1689127063,
+ "narHash": "sha256-GlKfeLEmlllLNVSkWM7nDdcFdS9vRJejf1gzUQpeEDc=",
"owner": "nix-community",
"repo": "nix-vscode-extensions",
- "rev": "9e67835766a04a232f12980927f4a20e325b3d2d",
+ "rev": "d7275aeeb705a5a31e24f048657792d521db4225",
"type": "github"
},
"original": {
@@ -366,11 +366,11 @@
},
"nixos-hardware": {
"locked": {
- "lastModified": 1688798314,
- "narHash": "sha256-MFG5rx7L756rtrPHsL662m64AZ4sKqUcApaiYgSKfNM=",
+ "lastModified": 1689060619,
+ "narHash": "sha256-vODUkZLWFVCvo1KPK3dC2CbXjxa9antEn5ozwlcTr48=",
"owner": "NixOS",
"repo": "nixos-hardware",
- "rev": "47dca15d86fdd2eabcf434d7cc0b5baa8d1a463c",
+ "rev": "44bc025007e5fcc10dbc3d9f96dcbf06fc0e8c1c",
"type": "github"
},
"original": {
@@ -382,11 +382,11 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1688829822,
- "narHash": "sha256-hv56yK1fPHPt7SU2DboxBtdSbIuv9nym7Dss7Cn2jic=",
+ "lastModified": 1689078114,
+ "narHash": "sha256-osG8BrX5RpKJ7wH+vI6auOU+ctvNOblT4XXCgknK47c=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "ed6afb10dfdfc97b6bcf0703f1bad8118e9e961b",
+ "rev": "b6cc7ff8fee93789bc871a267ab876c3fca042cb",
"type": "github"
},
"original": {
@@ -398,11 +398,11 @@
},
"nixpkgs-master": {
"locked": {
- "lastModified": 1688891216,
- "narHash": "sha256-ZUQs8C5N6aw/QeBhUFGcX89OoYoP9jbdmbR6aSbvaHg=",
+ "lastModified": 1689150988,
+ "narHash": "sha256-Ue5BvtYYszqzX4ONWjgj6pnazCbOzdRBfLIx8l1Wa1w=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "e4a12fdac2a313b18e7f66a097108412b07c5f00",
+ "rev": "bec27fabee7ff51a4788840479b1730ed1b64427",
"type": "github"
},
"original": {
@@ -414,11 +414,11 @@
},
"nixpkgs-stable": {
"locked": {
- "lastModified": 1688868408,
- "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=",
+ "lastModified": 1689148961,
+ "narHash": "sha256-CuJAQSeYmTS+6ZzOxvYnzDlv75WdtNgTwskS/4SbHrI=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "510d721ce097150ae3b80f84b04b13b039186571",
+ "rev": "c40b900d12dd5523245317a8d4fef4a133ea68cb",
"type": "github"
},
"original": {
@@ -448,11 +448,11 @@
"nmap-vulscan": {
"flake": false,
"locked": {
- "lastModified": 1683781674,
- "narHash": "sha256-X9z1TPFHaDEnjhn3MAgVsYx0SqXpK1U0mkmKN7aGXKk=",
+ "lastModified": 1689005517,
+ "narHash": "sha256-4PKuUDRsX0SqANftOFfwCeJTb92rOpoAWG+fBL1faBA=",
"owner": "scipag",
"repo": "vulscan",
- "rev": "7d62b8a4b111ffe258e45d9d994329996efe0a81",
+ "rev": "b1f9a925ca0bb768c01c2b355150e88c1b130bca",
"type": "github"
},
"original": {
@@ -464,11 +464,11 @@
},
"nur": {
"locked": {
- "lastModified": 1688881344,
- "narHash": "sha256-q2okqZ5BzM1AJMS2OeNt6KEGA2ZsCVXo7GQNXhg9UHE=",
+ "lastModified": 1689151250,
+ "narHash": "sha256-9MCb8HVx48LTJUu3XvQPVodS+f9VjmGnUqhSPbwBat8=",
"owner": "nix-community",
"repo": "NUR",
- "rev": "1fd9c989dedb03d424a13b315c65f78abcb5503d",
+ "rev": "3187484684e41a55227f9a886bfb6239d76fe5df",
"type": "github"
},
"original": {
@@ -592,11 +592,11 @@
]
},
"locked": {
- "lastModified": 1688586836,
- "narHash": "sha256-5uLYGa+8lysS1X5ehdU3ewmrMIG8p9+qS7yJ0LyhMHs=",
+ "lastModified": 1689103880,
+ "narHash": "sha256-vHRCkcpnBbFsPqUNXliUmdPU81jqyuL9ZPzj3vJx2RE=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
- "rev": "d460e9ff62ea1238fb3348a87326b743ae177902",
+ "rev": "69a4b7ad67d2732ba1f86666b3d4d2d83b15200e",
"type": "gitlab"
},
"original": {
diff --git a/modules/common/openssh.nix b/modules/common/openssh.nix
index 4b80809..ecaf4de 100644
--- a/modules/common/openssh.nix
+++ b/modules/common/openssh.nix
@@ -12,7 +12,11 @@ in {
config = mkIf cfg.client.enable {
hm = {
- home.packages = with pkgs; [mosh sshfs];
+ home.packages = with pkgs; [
+ mosh
+ sshfs
+ sshpass
+ ];
programs.ssh = {
enable = true;
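Review bot: `sshpass` in `home.packages` deserves a comment saying which hosts need it, because it exists to hand a password to ssh non-interactively and that tends to end with passwords kept in scripts or shell history. With `-p` the password sits in argv and can be read by other local users through the process list; `-f` or `-e` avoid that. Suggested comment above the entry: `# sshpass: only for hosts that cannot take keys; use -f/-e, never -p`. The `hm` block continues past the end of the hunk.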
diff --git a/modules/nixos/fail2ban.nix b/modules/nixos/fail2ban.nix
index a42aab3..ce35c1f 100644
--- a/modules/nixos/fail2ban.nix
+++ b/modules/nixos/fail2ban.nix
@@ -26,9 +26,7 @@ in {
optionals (hasAttr "wireguard" this)
(with config.nixfiles.modules.wireguard; [ipv4.subnet ipv6.subnet]);
- jails.DEFAULT = ''
- blocktype = DROP
- '';
+ jails.DEFAULT.settings.blocktype = "DROP";
};
};
}
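Review bot: `jails.DEFAULT.settings.blocktype = "DROP"` may not reach the firewall rule at all. As far as I know fail2ban treats `blocktype` as a parameter of the ban action (its `[Init]` section), and a jail-level value is only used when the `action`/`banaction` line passes it on. The old string form had the same shape, so this is not a regression, but the rewrite is a good moment to check the generated rules on a host. If they still reject rather than drop, pass the value through the action instead, along the lines of `banaction = "<your-banaction>[blocktype=DROP]"`.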
diff --git a/modules/nixos/nginx.nix b/modules/nixos/nginx.nix
index b8ab24d..411bb0d 100644
--- a/modules/nixos/nginx.nix
+++ b/modules/nixos/nginx.nix
@@ -79,12 +79,8 @@ in {
};
fail2ban.jails = {
- nginx-http-auth = ''
- enabled = true
- '';
- nginx-botsearch = ''
- enabled = true
- '';
+ nginx-http-auth.enabled = true;
+ nginx-botsearch.enabled = true;
};
prometheus.exporters.nginx = {
diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix
index f8d9e4b..0060a14 100644
--- a/modules/nixos/nsd.nix
+++ b/modules/nixos/nsd.nix
@@ -201,9 +201,7 @@ in {
];
};
- fail2ban.jails.nsd = ''
- enabled = true
- '';
+ fail2ban.jails.nsd.enabled = true;
};
networking.firewall = rec {
diff --git a/modules/nixos/openssh.nix b/modules/nixos/openssh.nix
index 22e4b51..4324e45 100644
--- a/modules/nixos/openssh.nix
+++ b/modules/nixos/openssh.nix
@@ -44,11 +44,13 @@ in {
};
};
- fail2ban.jails.sshd = ''
- enabled = true
- mode = aggressive
- port = ${toString cfg.server.port}
- '';
+ fail2ban.jails.sshd = {
+ enabled = true;
+ settings = {
+ mode = "aggressive";
+ inherit (cfg.server) port;
+ };
+ };
};
};
}
diff --git a/modules/nixos/shadowsocks.nix b/modules/nixos/shadowsocks.nix
index f9997ba..7307933 100644
--- a/modules/nixos/shadowsocks.nix
+++ b/modules/nixos/shadowsocks.nix
@@ -29,11 +29,13 @@ in {
mode = "tcp_only";
};
- fail2ban.jails.shadowsocks-libev = ''
- enabled = true
- filter = shadowsocks-libev
- port = ${toString cfg.port}
- '';
+ fail2ban.jails.shadowsocks-libev = {
+ enabled = true;
+ settings = {
+ filter = "shadowsocks-libev";
+ inherit (cfg) port;
+ };
+ };
};
systemd.services.shadowsocks-libev.path = with pkgs;
diff --git a/modules/nixos/vaultwarden.nix b/modules/nixos/vaultwarden.nix
index 2475ed3..2aaecf2 100644
--- a/modules/nixos/vaultwarden.nix
+++ b/modules/nixos/vaultwarden.nix
@@ -104,33 +104,39 @@ in {
];
};
- fail2ban.jails = mkIf config.nixfiles.modules.fail2ban.enable {
- vaultwarden = ''
- enabled = true
- filter = vaultwarden
- port = http,https
- '';
- vaultwarden-admin = ''
- enabled = true
- filter = vaultwarden-admin
- port = http,https
- '';
+ fail2ban.jails = {
+ vaultwarden = {
+ enabled = true;
+ settings = {
+ filter = "vaultwarden";
+ port = "http,https";
+ };
+ };
+ vaultwarden-admin = {
+ enabled = true;
+ settings = {
+ filter = "vaultwarden-admin";
+ port = "http,https";
+ };
+ };
};
};
- environment.etc = mkIf config.nixfiles.modules.fail2ban.enable {
- "fail2ban/filter.d/vaultwarden.conf".text = ''
- [Definition]
- failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
- ignoreregex =
- journalmatch = _SYSTEMD_UNIT=vaultwarden.service
- '';
- "fail2ban/filter.d/vaultwarden-admin.conf".text = ''
- [Definition]
- failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
- ignoreregex =
- journalmatch = _SYSTEMD_UNIT=vaultwarden.service
- '';
+ environment.etc = {
+ "fail2ban/filter.d/vaultwarden.conf".text = generators.toINI {} {
+ Definition = {
+ failregex = "^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$";
+ ignoreregex = "";
+ journalmatch = "_SYSTEMD_UNIT=vaultwarden.service";
+ };
+ };
+ "fail2ban/filter.d/vaultwarden-admin.conf".text = generators.toINI {} {
+ Definition = {
+ failregex = "^.*Invalid admin token\. IP: <ADDR>.*$";
+ ignoreregex = "";
+ journalmatch = "_SYSTEMD_UNIT=vaultwarden.service";
+ };
+ };
};
};
}
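Review bot: Both `failregex` values lose their escaped dots in the move from `''…''` to `"…"` strings: inside a double-quoted Nix string `\.` evaluates to a plain `.`, so the generated filter files now match any character where the old ones matched a literal dot. The filters still catch the log lines, only more loosely than before; write `\\.` instead, e.g. `failregex = "^.*Invalid admin token\\. IP: <ADDR>.*$";`, and the same in the `vaultwarden.conf` entry. The hunk also drops both `mkIf config.nixfiles.modules.fail2ban.enable` guards, so the filter files under `environment.etc` are written even when fail2ban is off; a one-line comment saying that this is intended would help.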
diff --git a/nixosConfigurations/manwe/mailserver.nix b/nixosConfigurations/manwe/mailserver.nix
index e87e34b..389a9a0 100644
--- a/nixosConfigurations/manwe/mailserver.nix
+++ b/nixosConfigurations/manwe/mailserver.nix
@@ -100,13 +100,13 @@ with lib; {
};
services.fail2ban.jails = {
- dovecot = ''
- enabled = true
- mode = aggressive
- '';
- postfix = ''
- enabled = true
- mode = aggressive
- '';
+ dovecot = {
+ enabled = true;
+ settings.mode = "aggressive";
+ };
+ postfix = {
+ enabled = true;
+ settings.mode = "aggressive";
+ };
};
}