init basic system
This commit is contained in:
parent
ead4bd10ac
commit
d1a3219ccc
15 changed files with 501 additions and 0 deletions
10
modules/default.nix
Normal file
10
modules/default.nix
Normal file
|
@ -0,0 +1,10 @@
|
|||
_: {
|
||||
imports = [
|
||||
./nix.nix
|
||||
./security.nix
|
||||
# ./sops.nix
|
||||
./ssh.nix
|
||||
# ./tailscale.nix
|
||||
./time.nix
|
||||
];
|
||||
}
|
31
modules/nix.nix
Normal file
31
modules/nix.nix
Normal file
|
@ -0,0 +1,31 @@
|
|||
_: {
|
||||
nh = {
|
||||
enable = true;
|
||||
clean = {
|
||||
enable = true;
|
||||
dates = "weekly";
|
||||
extraArgs = "--keep-since 3d --keep 5";
|
||||
};
|
||||
};
|
||||
|
||||
nix = {
|
||||
settings = {
|
||||
extra-experimental-features = ["flakes" "nix-command"];
|
||||
auto-optimise-store = true;
|
||||
builders-use-substitutes = true;
|
||||
keep-outputs = true;
|
||||
allowed-users = ["@wheel"];
|
||||
trusted-users = ["root" "@wheel"];
|
||||
substituters = [
|
||||
"https://cache.flake.sh/kyasshu"
|
||||
"https://cache.nixos.org"
|
||||
];
|
||||
trusted-public-keys = [
|
||||
"kyasshu:g1heIgCgG7M4San6nRsz/omcVQ1GTc7+zKKm3L9Co7o="
|
||||
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
}
|
67
modules/security.nix
Normal file
67
modules/security.nix
Normal file
|
@ -0,0 +1,67 @@
|
|||
# security tweaks borrowed from @hlissner
|
||||
{
|
||||
boot.kernel.sysctl = {
|
||||
# The Magic SysRq key is a key combo that allows users connected to the
|
||||
# system console of a Linux kernel to perform some low-level commands.
|
||||
# Disable it, since we don't need it, and is a potential security concern.
|
||||
"kernel.sysrq" = 0;
|
||||
|
||||
## TCP hardening
|
||||
# Prevent bogus ICMP errors from filling up logs.
|
||||
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
|
||||
# Reverse path filtering causes the kernel to do source validation of
|
||||
# packets received from all interfaces. This can mitigate IP spoofing.
|
||||
"net.ipv4.conf.default.rp_filter" = 1;
|
||||
"net.ipv4.conf.all.rp_filter" = 1;
|
||||
# Do not accept IP source route packets (we're not a router)
|
||||
"net.ipv4.conf.all.accept_source_route" = 0;
|
||||
"net.ipv6.conf.all.accept_source_route" = 0;
|
||||
# Don't send ICMP redirects (again, we're on a router)
|
||||
"net.ipv4.conf.all.send_redirects" = 0;
|
||||
"net.ipv4.conf.default.send_redirects" = 0;
|
||||
# Refuse ICMP redirects (MITM mitigations)
|
||||
"net.ipv4.conf.all.accept_redirects" = 0;
|
||||
"net.ipv4.conf.default.accept_redirects" = 0;
|
||||
"net.ipv4.conf.all.secure_redirects" = 0;
|
||||
"net.ipv4.conf.default.secure_redirects" = 0;
|
||||
"net.ipv6.conf.all.accept_redirects" = 0;
|
||||
"net.ipv6.conf.default.accept_redirects" = 0;
|
||||
# Protects against SYN flood attacks
|
||||
"net.ipv4.tcp_syncookies" = 1;
|
||||
# Incomplete protection again TIME-WAIT assassination
|
||||
"net.ipv4.tcp_rfc1337" = 1;
|
||||
|
||||
## TCP optimization
|
||||
# TCP Fast Open is a TCP extension that reduces network latency by packing
|
||||
# data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
|
||||
# both incoming and outgoing connections:
|
||||
"net.ipv4.tcp_fastopen" = 3;
|
||||
# Bufferbloat mitigations + slight improvement in throughput & latency
|
||||
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||
"net.core.default_qdisc" = "cake";
|
||||
};
|
||||
|
||||
boot.kernelModules = ["tcp_bbr"];
|
||||
|
||||
services = {
|
||||
openssh.settings.LogLevel = "VERBOSE";
|
||||
fail2ban = {
|
||||
enable = true;
|
||||
bantime = "1h";
|
||||
maxretry = 1;
|
||||
ignoreIP = [
|
||||
"192.168.0.0/16"
|
||||
"172.16.0.0/12"
|
||||
"10.0.0.0/8"
|
||||
];
|
||||
jails = {
|
||||
DEFAULT = {
|
||||
settings = {
|
||||
findtime = 100000;
|
||||
mode = "aggressive";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
6
modules/sops.nix
Normal file
6
modules/sops.nix
Normal file
|
@ -0,0 +1,6 @@
|
|||
_: {
|
||||
sops = {
|
||||
defaultSopsFile = ../secrets/secrets.yaml;
|
||||
age.keyFile = "";
|
||||
};
|
||||
}
|
11
modules/ssh.nix
Normal file
11
modules/ssh.nix
Normal file
|
@ -0,0 +1,11 @@
|
|||
{lib, ...}: {
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings = {
|
||||
PermitRootLogin = "yes";
|
||||
KbdInteractiveAuthentication = false;
|
||||
PasswordAuthentication = lib.mkForce false;
|
||||
PubkeyAuthentication = lib.mkForce true;
|
||||
};
|
||||
};
|
||||
}
|
41
modules/tailscale.nix
Normal file
41
modules/tailscale.nix
Normal file
|
@ -0,0 +1,41 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
# sops.secrets.tsauth = {sopsFile = ../secrets/secrets.yaml;};
|
||||
environment.systemPackages = [pkgs.jq pkgs.tailscale];
|
||||
services.tailscale = {
|
||||
useRoutingFeatures = lib.mkDefault "client";
|
||||
};
|
||||
networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
|
||||
networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName];
|
||||
|
||||
systemd.services.tailscale-autoconnect = {
|
||||
description = "Automatic connection to Tailscale";
|
||||
|
||||
# make sure tailscale is running before trying to connect to tailscale
|
||||
after = ["network-pre.target" "tailscale.service"];
|
||||
wants = ["network-pre.target" "tailscale.service"];
|
||||
wantedBy = ["multi-user.target"];
|
||||
|
||||
# set this service as a oneshot job
|
||||
serviceConfig.Type = "oneshot";
|
||||
|
||||
# have the job run this shell script
|
||||
script = with pkgs; ''
|
||||
# wait for tailscaled to settle
|
||||
sleep 2
|
||||
|
||||
# check if we are already authenticated to tailscale
|
||||
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
|
||||
if [ $status = "Running" ]; then # if so, then do nothing
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# otherwise authenticate with tailscale
|
||||
${tailscale}/bin/tailscale up -authkey file:${config.sops.secrets.eventual-secret} --exit-node=100.104.42.96 --exit-node-allow-lan-access=true --accept-dns=false
|
||||
'';
|
||||
};
|
||||
}
|
26
modules/time.nix
Normal file
26
modules/time.nix
Normal file
|
@ -0,0 +1,26 @@
|
|||
_: {
|
||||
time.timeZone = "America/New_York";
|
||||
|
||||
services = {
|
||||
chrony = {
|
||||
enable = true;
|
||||
servers = [
|
||||
# 0.us.pool.ntp.org
|
||||
"134.215.114.62"
|
||||
"192.189.65.187"
|
||||
"96.245.170.99"
|
||||
"192.92.6.30"
|
||||
];
|
||||
};
|
||||
timesyncd = {
|
||||
enable = true;
|
||||
servers = [
|
||||
# 0.us.pool.ntp.org
|
||||
"134.215.114.62"
|
||||
"192.189.65.187"
|
||||
"96.245.170.99"
|
||||
"192.92.6.30"
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
Loading…
Add table
Add a link
Reference in a new issue