authorAzat Bahawi <azat@bahawi.net>2023-07-13 07:39:07 +0300
committerAzat Bahawi <azat@bahawi.net>2023-07-13 07:39:07 +0300
commit138ff2ae32facaf4f2c072115b1b0f64f05f615a (patch)
tree1853385d7b07b92c3eb84439170fc719e56cf2c4
parent2023-07-09 (diff)
2023-07-13
-rw-r--r--flake.lock72
-rw-r--r--modules/common/openssh.nix6
-rw-r--r--modules/nixos/fail2ban.nix4
-rw-r--r--modules/nixos/nginx.nix8
-rw-r--r--modules/nixos/nsd.nix4
-rw-r--r--modules/nixos/openssh.nix12
-rw-r--r--modules/nixos/shadowsocks.nix12
-rw-r--r--modules/nixos/vaultwarden.nix54
-rw-r--r--nixosConfigurations/manwe/mailserver.nix16
9 files changed, 97 insertions, 91 deletions
diff --git a/flake.lock b/flake.lock
index 37617bd..602be95 100644
--- a/flake.lock
+++ b/flake.lock
@@ -124,11 +124,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1688882536,
-        "narHash": "sha256-JXhHLy3+OxRghen7X8no1/8Ab+NkYSxrCIB9IILKUUc=",
+        "lastModified": 1689116343,
+        "narHash": "sha256-eaYfwQTSEbuB7rs5/W227SbVeDP9cbcoT1TEbnmOgOk=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "4e3fc1864712a534d30ef074d695e968f1fb1487",
+        "rev": "eb22022ba8faeeb7a9be8afe925511b88ad12ca5",
         "type": "github"
       },
       "original": {
@@ -222,11 +222,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1687709756,
-        "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
+        "lastModified": 1689068808,
+        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
+        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
         "type": "github"
       },
       "original": {
@@ -264,11 +264,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1688875170,
-        "narHash": "sha256-hNYMNl07J22c0K0NhVyvF6cF8mahOCzBTNKT/OEQN14=",
+        "lastModified": 1689134369,
+        "narHash": "sha256-0G9dutIvhS/WUr3Awcnqw71g8EVVvvkOhVDnDDbY4Fw=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "86157256d2e0d257c53eefeb008230f043e12210",
+        "rev": "e42fb59768f0305085abde0dd27ab5e0cc15420c",
         "type": "github"
       },
       "original": {
@@ -323,11 +323,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1688868368,
-        "narHash": "sha256-dIAtHTXUZvqYzBxi0+SVMrE4A2+K8kD3q70fw0WnIGk=",
+        "lastModified": 1689126991,
+        "narHash": "sha256-DKySsOJNYDIp9va4aMn5RMFBwY4aTEm6X54DDK3d7h8=",
         "owner": "Infinidoge",
         "repo": "nix-minecraft",
-        "rev": "d612610255db2376426a97402051d141aac044ee",
+        "rev": "716d9925ee8690b957a6b8f00a6f5ebc3d571105",
         "type": "github"
       },
       "original": {
@@ -350,11 +350,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1688867279,
-        "narHash": "sha256-r7QYU+m9RJN/CUGgBy9mDgtoYIk39sKVoLnP1MrC6js=",
+        "lastModified": 1689127063,
+        "narHash": "sha256-GlKfeLEmlllLNVSkWM7nDdcFdS9vRJejf1gzUQpeEDc=",
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "9e67835766a04a232f12980927f4a20e325b3d2d",
+        "rev": "d7275aeeb705a5a31e24f048657792d521db4225",
         "type": "github"
       },
       "original": {
@@ -366,11 +366,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1688798314,
-        "narHash": "sha256-MFG5rx7L756rtrPHsL662m64AZ4sKqUcApaiYgSKfNM=",
+        "lastModified": 1689060619,
+        "narHash": "sha256-vODUkZLWFVCvo1KPK3dC2CbXjxa9antEn5ozwlcTr48=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "47dca15d86fdd2eabcf434d7cc0b5baa8d1a463c",
+        "rev": "44bc025007e5fcc10dbc3d9f96dcbf06fc0e8c1c",
         "type": "github"
       },
       "original": {
@@ -382,11 +382,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1688829822,
-        "narHash": "sha256-hv56yK1fPHPt7SU2DboxBtdSbIuv9nym7Dss7Cn2jic=",
+        "lastModified": 1689078114,
+        "narHash": "sha256-osG8BrX5RpKJ7wH+vI6auOU+ctvNOblT4XXCgknK47c=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ed6afb10dfdfc97b6bcf0703f1bad8118e9e961b",
+        "rev": "b6cc7ff8fee93789bc871a267ab876c3fca042cb",
         "type": "github"
       },
       "original": {
@@ -398,11 +398,11 @@
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1688891216,
-        "narHash": "sha256-ZUQs8C5N6aw/QeBhUFGcX89OoYoP9jbdmbR6aSbvaHg=",
+        "lastModified": 1689150988,
+        "narHash": "sha256-Ue5BvtYYszqzX4ONWjgj6pnazCbOzdRBfLIx8l1Wa1w=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e4a12fdac2a313b18e7f66a097108412b07c5f00",
+        "rev": "bec27fabee7ff51a4788840479b1730ed1b64427",
         "type": "github"
       },
       "original": {
@@ -414,11 +414,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1688868408,
-        "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=",
+        "lastModified": 1689148961,
+        "narHash": "sha256-CuJAQSeYmTS+6ZzOxvYnzDlv75WdtNgTwskS/4SbHrI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "510d721ce097150ae3b80f84b04b13b039186571",
+        "rev": "c40b900d12dd5523245317a8d4fef4a133ea68cb",
         "type": "github"
       },
       "original": {
@@ -448,11 +448,11 @@
     "nmap-vulscan": {
       "flake": false,
       "locked": {
-        "lastModified": 1683781674,
-        "narHash": "sha256-X9z1TPFHaDEnjhn3MAgVsYx0SqXpK1U0mkmKN7aGXKk=",
+        "lastModified": 1689005517,
+        "narHash": "sha256-4PKuUDRsX0SqANftOFfwCeJTb92rOpoAWG+fBL1faBA=",
         "owner": "scipag",
         "repo": "vulscan",
-        "rev": "7d62b8a4b111ffe258e45d9d994329996efe0a81",
+        "rev": "b1f9a925ca0bb768c01c2b355150e88c1b130bca",
         "type": "github"
       },
       "original": {
@@ -464,11 +464,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1688881344,
-        "narHash": "sha256-q2okqZ5BzM1AJMS2OeNt6KEGA2ZsCVXo7GQNXhg9UHE=",
+        "lastModified": 1689151250,
+        "narHash": "sha256-9MCb8HVx48LTJUu3XvQPVodS+f9VjmGnUqhSPbwBat8=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "1fd9c989dedb03d424a13b315c65f78abcb5503d",
+        "rev": "3187484684e41a55227f9a886bfb6239d76fe5df",
         "type": "github"
       },
       "original": {
@@ -592,11 +592,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1688586836,
-        "narHash": "sha256-5uLYGa+8lysS1X5ehdU3ewmrMIG8p9+qS7yJ0LyhMHs=",
+        "lastModified": 1689103880,
+        "narHash": "sha256-vHRCkcpnBbFsPqUNXliUmdPU81jqyuL9ZPzj3vJx2RE=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "d460e9ff62ea1238fb3348a87326b743ae177902",
+        "rev": "69a4b7ad67d2732ba1f86666b3d4d2d83b15200e",
         "type": "gitlab"
       },
       "original": {
diff --git a/modules/common/openssh.nix b/modules/common/openssh.nix
index 4b80809..ecaf4de 100644
--- a/modules/common/openssh.nix
+++ b/modules/common/openssh.nix
@@ -12,7 +12,11 @@ in {
 
   config = mkIf cfg.client.enable {
     hm = {
-      home.packages = with pkgs; [mosh sshfs];
+      home.packages = with pkgs; [
+        mosh
+        sshfs
+        sshpass
+      ];
 
       programs.ssh = {
         enable = true;
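Review bot: `sshpass` is added to `home.packages` with no comment saying what needs it, and its whole purpose is to hand a password to ssh non-interactively. If it is required, a comment along the lines of `# sshpass: needed for <hosts that only offer password auth>` would record the reason. Callers should use `sshpass -e` or `sshpass -f` rather than `-p`, because `-p` puts the password in the process argument list, where other local users can read it. The `hm` block continues outside the hunk.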
diff --git a/modules/nixos/fail2ban.nix b/modules/nixos/fail2ban.nix
index a42aab3..ce35c1f 100644
--- a/modules/nixos/fail2ban.nix
+++ b/modules/nixos/fail2ban.nix
@@ -26,9 +26,7 @@ in {
         optionals (hasAttr "wireguard" this)
         (with config.nixfiles.modules.wireguard; [ipv4.subnet ipv6.subnet]);
 
-      jails.DEFAULT = ''
-        blocktype = DROP
-      '';
+      jails.DEFAULT.settings.blocktype = "DROP";
     };
   };
 }
diff --git a/modules/nixos/nginx.nix b/modules/nixos/nginx.nix
index b8ab24d..411bb0d 100644
--- a/modules/nixos/nginx.nix
+++ b/modules/nixos/nginx.nix
@@ -79,12 +79,8 @@ in {
       };
 
       fail2ban.jails = {
-        nginx-http-auth = ''
-          enabled = true
-        '';
-        nginx-botsearch = ''
-          enabled = true
-        '';
+        nginx-http-auth.enabled = true;
+        nginx-botsearch.enabled = true;
       };
 
       prometheus.exporters.nginx = {
diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix
index f8d9e4b..0060a14 100644
--- a/modules/nixos/nsd.nix
+++ b/modules/nixos/nsd.nix
@@ -201,9 +201,7 @@ in {
             ];
       };
 
-      fail2ban.jails.nsd = ''
-        enabled = true
-      '';
+      fail2ban.jails.nsd.enabled = true;
     };
 
     networking.firewall = rec {
diff --git a/modules/nixos/openssh.nix b/modules/nixos/openssh.nix
index 22e4b51..4324e45 100644
--- a/modules/nixos/openssh.nix
+++ b/modules/nixos/openssh.nix
@@ -44,11 +44,13 @@ in {
         };
       };
 
-      fail2ban.jails.sshd = ''
-        enabled = true
-        mode = aggressive
-        port = ${toString cfg.server.port}
-      '';
+      fail2ban.jails.sshd = {
+        enabled = true;
+        settings = {
+          mode = "aggressive";
+          inherit (cfg.server) port;
+        };
+      };
     };
   };
 }
diff --git a/modules/nixos/shadowsocks.nix b/modules/nixos/shadowsocks.nix
index f9997ba..7307933 100644
--- a/modules/nixos/shadowsocks.nix
+++ b/modules/nixos/shadowsocks.nix
@@ -29,11 +29,13 @@ in {
         mode = "tcp_only";
       };
 
-      fail2ban.jails.shadowsocks-libev = ''
-        enabled = true
-        filter = shadowsocks-libev
-        port = ${toString cfg.port}
-      '';
+      fail2ban.jails.shadowsocks-libev = {
+        enabled = true;
+        settings = {
+          filter = "shadowsocks-libev";
+          inherit (cfg) port;
+        };
+      };
     };
 
     systemd.services.shadowsocks-libev.path = with pkgs;
diff --git a/modules/nixos/vaultwarden.nix b/modules/nixos/vaultwarden.nix
index 2475ed3..2aaecf2 100644
--- a/modules/nixos/vaultwarden.nix
+++ b/modules/nixos/vaultwarden.nix
@@ -104,33 +104,39 @@ in {
           ];
         };
 
-        fail2ban.jails = mkIf config.nixfiles.modules.fail2ban.enable {
-          vaultwarden = ''
-            enabled = true
-            filter = vaultwarden
-            port = http,https
-          '';
-          vaultwarden-admin = ''
-            enabled = true
-            filter = vaultwarden-admin
-            port = http,https
-          '';
+        fail2ban.jails = {
+          vaultwarden = {
+            enabled = true;
+            settings = {
+              filter = "vaultwarden";
+              port = "http,https";
+            };
+          };
+          vaultwarden-admin = {
+            enabled = true;
+            settings = {
+              filter = "vaultwarden-admin";
+              port = "http,https";
+            };
+          };
         };
       };
 
-      environment.etc = mkIf config.nixfiles.modules.fail2ban.enable {
-        "fail2ban/filter.d/vaultwarden.conf".text = ''
-          [Definition]
-          failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
-          ignoreregex =
-          journalmatch = _SYSTEMD_UNIT=vaultwarden.service
-        '';
-        "fail2ban/filter.d/vaultwarden-admin.conf".text = ''
-          [Definition]
-          failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
-          ignoreregex =
-          journalmatch = _SYSTEMD_UNIT=vaultwarden.service
-        '';
+      environment.etc = {
+        "fail2ban/filter.d/vaultwarden.conf".text = generators.toINI {} {
+          Definition = {
+            failregex = "^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$";
+            ignoreregex = "";
+            journalmatch = "_SYSTEMD_UNIT=vaultwarden.service";
+          };
+        };
+        "fail2ban/filter.d/vaultwarden-admin.conf".text = generators.toINI {} {
+          Definition = {
+            failregex = "^.*Invalid admin token\. IP: <ADDR>.*$";
+            ignoreregex = "";
+            journalmatch = "_SYSTEMD_UNIT=vaultwarden.service";
+          };
+        };
       };
     };
 }
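Review bot: The two `failregex` values moved from `''…''` strings into double-quoted Nix strings, where a backslash escapes the next character, so `\.` evaluates to a bare `.` and the generated filter files lose their escaped dots. The patterns still match the intended log lines but now accept any character in those positions; write `\\.` instead, e.g. `failregex = "^.*Invalid admin token\\. IP: <ADDR>.*$";`, and likewise for the three dots in the login pattern. The hunk also drops both `mkIf config.nixfiles.modules.fail2ban.enable` guards, so the filter files are emitted under /etc even when that module is disabled; worth confirming this is intended. The enclosing config block starts outside the hunk.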
diff --git a/nixosConfigurations/manwe/mailserver.nix b/nixosConfigurations/manwe/mailserver.nix
index e87e34b..389a9a0 100644
--- a/nixosConfigurations/manwe/mailserver.nix
+++ b/nixosConfigurations/manwe/mailserver.nix
@@ -100,13 +100,13 @@ with lib; {
   };
 
   services.fail2ban.jails = {
-    dovecot = ''
-      enabled = true
-      mode = aggressive
-    '';
-    postfix = ''
-      enabled = true
-      mode = aggressive
-    '';
+    dovecot = {
+      enabled = true;
+      settings.mode = "aggressive";
+    };
+    postfix = {
+      enabled = true;
+      settings.mode = "aggressive";
+    };
   };
 }
