init basic system

This commit is contained in:
notohh 2024-04-08 19:36:52 -04:00
parent ead4bd10ac
commit d1a3219ccc
Signed by: notohh
GPG key ID: BD47506D475EE86D
15 changed files with 501 additions and 0 deletions

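--- a/modules/default.nix
+++ b/modules/default.nix
@@ -0,0 +1,10 @@
+_: {
+imports = [
+./nix.nix
+./security.nix
+# ./sops.nix
+./ssh.nix
+# ./tailscale.nix
+./time.nix
+];
+}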

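--- a/modules/nix.nix
+++ b/modules/nix.nix
@@ -0,0 +1,31 @@
+_: {
+nh = {
+enable = true;
+clean = {
+enable = true;
+dates = "weekly";
+extraArgs = "--keep-since 3d --keep 5";
+};
+};
+nix = {
+settings = {
+extra-experimental-features = ["flakes" "nix-command"];
+auto-optimise-store = true;
+builders-use-substitutes = true;
+keep-outputs = true;
+allowed-users = ["@wheel"];
+trusted-users = ["root" "@wheel"];
+substituters = [
+"https://cache.flake.sh/kyasshu"
+"https://cache.nixos.org"
+];
+trusted-public-keys = [
+"kyasshu:g1heIgCgG7M4San6nRsz/omcVQ1GTc7+zKKm3L9Co7o="
+"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+];
+};
+};
+nixpkgs.config.allowUnfree = true;
+}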
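Review bot: `trusted-users = ["root" "@wheel"];` makes every wheel member root-equivalent on the Nix daemon, since trusted users can pass their own substituters, signing keys and sandbox overrides to nix-daemon; this is a much broader grant than `allowed-users`, which is already restricted to `@wheel` on the line above. Unless a wheel user actually needs to inject untrusted caches (for example a deployment tool running as that user), restrict it to `trusted-users = ["root"];` and keep the project cache and its key declared here, where they are trusted system-wide anyway. If a non-root deploy user does need it, name that single user rather than the whole group. A short comment above the line stating why `@wheel` is trusted would also help the next reader.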

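--- a/modules/security.nix
+++ b/modules/security.nix
@@ -0,0 +1,67 @@
+# security tweaks borrowed from @hlissner
+{
+boot.kernel.sysctl = {
+# The Magic SysRq key is a key combo that allows users connected to the
+# system console of a Linux kernel to perform some low-level commands.
+# Disable it, since we don't need it, and is a potential security concern.
+"kernel.sysrq" = 0;
+## TCP hardening
+# Prevent bogus ICMP errors from filling up logs.
+"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+# Reverse path filtering causes the kernel to do source validation of
+# packets received from all interfaces. This can mitigate IP spoofing.
+"net.ipv4.conf.default.rp_filter" = 1;
+"net.ipv4.conf.all.rp_filter" = 1;
+# Do not accept IP source route packets (we're not a router)
+"net.ipv4.conf.all.accept_source_route" = 0;
+"net.ipv6.conf.all.accept_source_route" = 0;
+# Don't send ICMP redirects (again, we're on a router)
+"net.ipv4.conf.all.send_redirects" = 0;
+"net.ipv4.conf.default.send_redirects" = 0;
+# Refuse ICMP redirects (MITM mitigations)
+"net.ipv4.conf.all.accept_redirects" = 0;
+"net.ipv4.conf.default.accept_redirects" = 0;
+"net.ipv4.conf.all.secure_redirects" = 0;
+"net.ipv4.conf.default.secure_redirects" = 0;
+"net.ipv6.conf.all.accept_redirects" = 0;
+"net.ipv6.conf.default.accept_redirects" = 0;
+# Protects against SYN flood attacks
+"net.ipv4.tcp_syncookies" = 1;
+# Incomplete protection again TIME-WAIT assassination
+"net.ipv4.tcp_rfc1337" = 1;
+## TCP optimization
+# TCP Fast Open is a TCP extension that reduces network latency by packing
+# data in the senders initial TCP SYN. Setting 3 = enable TCP Fast Open for
+# both incoming and outgoing connections:
+"net.ipv4.tcp_fastopen" = 3;
+# Bufferbloat mitigations + slight improvement in throughput & latency
+"net.ipv4.tcp_congestion_control" = "bbr";
+"net.core.default_qdisc" = "cake";
+};
+boot.kernelModules = ["tcp_bbr"];
+services = {
+openssh.settings.LogLevel = "VERBOSE";
+fail2ban = {
+enable = true;
+bantime = "1h";
+maxretry = 1;
+ignoreIP = [
+"192.168.0.0/16"
+"172.16.0.0/12"
+"10.0.0.0/8"
+];
+jails = {
+DEFAULT = {
+settings = {
+findtime = 100000;
+mode = "aggressive";
+};
+};
+};
+};
+};
+}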
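Review bot: `maxretry = 1;` combined with `mode = "aggressive"` and a `findtime` of 100000 seconds means a single failed attempt in roughly 28 hours earns a one-hour ban, and with sshd logging at VERBOSE an admin whose agent offers a stale key before the right one may well match the aggressive sshd patterns and lock themselves out; this bites anyone connecting from outside the three RFC 1918 ranges in `ignoreIP`, which notably excludes the Tailscale CGNAT range (100.64.0.0/10) that the tailscale.nix module in this same commit relies on. I would raise the threshold to `maxretry = 3;` and, if SSH over Tailscale is the intended admin path, add `"100.64.0.0/10"` to `ignoreIP` (assuming the NixOS module enables the sshd jail by default, which I believe it does — worth confirming). Separately, the comment `# Don't send ICMP redirects (again, we're on a router)` contradicts the line it explains; it should read `# Don't send ICMP redirects (again, we're not a router)`. The `## TCP optimization` settings (`tcp_fastopen`, bbr, cake) are not security tweaks and would be clearer in their own module or under a comment saying they are performance settings kept here for convenience.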

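--- a/modules/sops.nix
+++ b/modules/sops.nix
@@ -0,0 +1,6 @@
+_: {
+sops = {
+defaultSopsFile = ../secrets/secrets.yaml;
+age.keyFile = "";
+};
+}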
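Review bot: `age.keyFile = "";` points sops-nix at an empty path, so as soon as this module is imported (it is still commented out in default.nix in this commit) secret decryption at activation will fail rather than fall back to anything usable. Either set the real host key location, e.g. `age.keyFile = "/var/lib/sops-nix/key.txt";`, or drop the line and let sops-nix derive an age key from the host SSH key via `age.sshKeyPaths`; leaving a placeholder that evaluates cleanly but breaks at runtime is the worst of the options. A one-line comment saying which key is expected on each host and how it gets there would save the next person a debugging session.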

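--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@@ -0,0 +1,11 @@
+{lib, ...}: {
+services.openssh = {
+enable = true;
+settings = {
+PermitRootLogin = "yes";
+KbdInteractiveAuthentication = false;
+PasswordAuthentication = lib.mkForce false;
+PubkeyAuthentication = lib.mkForce true;
+};
+};
+}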
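Review bot: `PermitRootLogin = "yes";` allows direct root login by every authentication method sshd permits; today that is only public keys because the two `mkForce` lines below turn password and keyboard-interactive auth off, but the root setting should not depend on those overrides staying in place. Use `PermitRootLogin = "prohibit-password";` (the NixOS default) so root stays key-only even if a later module re-enables passwords, or `"no"` if there is a wheel user to log in as and escalate from. Note that fail2ban in this same commit bans after a single failure, so a direct-root workflow with key rotation will be painful anyway.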

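--- a/modules/tailscale.nix
+++ b/modules/tailscale.nix
@@ -0,0 +1,41 @@
+{
+config,
+lib,
+pkgs,
+...
+}: {
+# sops.secrets.tsauth = {sopsFile = ../secrets/secrets.yaml;};
+environment.systemPackages = [pkgs.jq pkgs.tailscale];
+services.tailscale = {
+useRoutingFeatures = lib.mkDefault "client";
+};
+networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
+networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName];
+systemd.services.tailscale-autoconnect = {
+description = "Automatic connection to Tailscale";
+# make sure tailscale is running before trying to connect to tailscale
+after = ["network-pre.target" "tailscale.service"];
+wants = ["network-pre.target" "tailscale.service"];
+wantedBy = ["multi-user.target"];
+# set this service as a oneshot job
+serviceConfig.Type = "oneshot";
+# have the job run this shell script
+script = with pkgs; ''
+# wait for tailscaled to settle
+sleep 2
+# check if we are already authenticated to tailscale
+status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+if [ $status = "Running" ]; then # if so, then do nothing
+exit 0
+fi
+# otherwise authenticate with tailscale
+${tailscale}/bin/tailscale up -authkey file:${config.sops.secrets.eventual-secret} --exit-node=100.104.42.96 --exit-node-allow-lan-access=true --accept-dns=false
+'';
+};
+}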
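Review bot: The `tailscale up` line interpolates `${config.sops.secrets.eventual-secret}` into the script, but a sops-nix secret is an attribute set, so this will not evaluate once the module is imported (it is still commented out in default.nix here) — and the secret the commented-out declaration above defines is named `tsauth`, not `eventual-secret`. It should read `-authkey file:${config.sops.secrets.tsauth.path}` with the `sops.secrets.tsauth` line uncommented, which also keeps the auth key out of the Nix store since only the runtime path is embedded. In the same script, `if [ $status = "Running" ]` is unquoted, so an empty result from a failed `tailscale status` becomes a shell syntax error instead of a clean "not running" branch; write `if [ "$status" = "Running" ]; then`. The hard-coded `--exit-node=100.104.42.96` with `--exit-node-allow-lan-access=true` sends all of this host's traffic through one peer, which deserves a comment naming that node and why every machine importing this module should use it.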

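--- a/modules/time.nix
+++ b/modules/time.nix
@@ -0,0 +1,26 @@
+_: {
+time.timeZone = "America/New_York";
+services = {
+chrony = {
+enable = true;
+servers = [
+# 0.us.pool.ntp.org
+"134.215.114.62"
+"192.189.65.187"
+"96.245.170.99"
+"192.92.6.30"
+];
+};
+timesyncd = {
+enable = true;
+servers = [
+# 0.us.pool.ntp.org
+"134.215.114.62"
+"192.189.65.187"
+"96.245.170.99"
+"192.92.6.30"
+];
+};
+};
+}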
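Review bot: Both `chrony` and `timesyncd` are enabled with duplicated server lists, but only one NTP client can own the clock; as far as I recall the NixOS chrony module forces timesyncd off, so the second block is dead configuration that will silently drift out of sync with the first — drop the `timesyncd` block, or add a comment if it is deliberately kept as a fallback. The servers are four literal addresses resolved from `0.us.pool.ntp.org` at some point in time; pool members rotate, so these will quietly become stale, and plain NTP to unauthenticated hosts is open to time-shifting by anyone on path, which matters for TLS validity checks and the fail2ban windows elsewhere in this commit. Prefer the pool hostnames, e.g. `servers = ["0.us.pool.ntp.org" "1.us.pool.ntp.org"];`, or an NTS-capable server with chrony's `nts` option if authenticated time is wanted.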