diff --git a/hosts/athame/nixos/default.nix b/hosts/athame/nixos/default.nix
index 5b61907b..e1320095 100644
--- a/hosts/athame/nixos/default.nix
+++ b/hosts/athame/nixos/default.nix
@@ -29,13 +29,6 @@
 
   deploy.target = "infra";
 
-  security.acme.certs."athame.net.kittywit.ch" = {
-    domain = "athame.net.kittywit.ch";
-    dnsProvider = "rfc2136";
-    credentialsFile = config.secrets.files.dns_creds.path;
-    group = "nginx";
-  };
-
   networking = {
     hostName = "athame";
     domain = "kittywit.ch";
@@ -54,39 +47,8 @@
     interface = "enp1s0";
   };
 
-  networking.firewall.interfaces.hexnet.allowedTCPPorts = [
-    80 # http
-    443 # https
-  ];
-
-  networking.firewall.interfaces.enp1s0.allowedTCPPorts = [
-    80 # http
-    443 # https
-    5160 # asterisk
-    5060 # asterisk
-    8999 # syncplay
-    64738 # murmur
-    1935 # rtmp
-    53589 # taskwarrior
-    5001 # znc
-    62969 # yggdrasil
-  ];
-
-  networking.firewall.interfaces.enp1s0.allowedUDPPorts = [
-    5160 # asterisk
-    5060 # asterisk
-    64738 # murmur
-  ];
-
-  networking.firewall.interfaces.enp1s0.allowedTCPPortRanges = [{
-    from = 10000;
-    to = 20000;
-  }]; # asterisk
-
-  networking.firewall.interfaces.enp1s0.allowedUDPPortRanges = [{
-    from = 10000;
-    to = 20000;
-  }]; # asterisk
+  katnet.public.interfaces = singleton "enp1s0";
+  katnet.private.interfaces = singleton "hexnet";
 
   deploy.tf.dns.records.kittywitch_athame_v6 = {
     tld = "kittywit.ch.";
diff --git a/hosts/athame/nixos/fail2ban.nix b/hosts/athame/nixos/fail2ban.nix
deleted file mode 100644
index f7f44c7c..00000000
--- a/hosts/athame/nixos/fail2ban.nix
+++ /dev/null
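Review bot: Two ports that the removed `enp1s0` list opened are not re-declared by any `katnet.*` entry in this diff — `1935 # rtmp` and `62969 # yggdrasil` — while every other entry (80/443, 5060/5160 plus the 10000–20000 ranges, 8999, 64738, 53589, 5001) reappears in a service file. If yggdrasil or an RTMP ingest still runs on athame its listener is now silently firewalled; if they were retired the hunk is a welcome reduction in exposure, and either way the commit message should say which. If they are still needed the declaration belongs with the service that owns it, e.g. `katnet.public.tcp.ports = singleton 62969;` in the yggdrasil module, rather than back in the host file.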
@@ -1,84 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  services.fail2ban = {
-    enable = true;
-    jails = {
-      DEFAULT = ''
-        bantime = 1d
-        blocktype = DROP
-        logpath = /var/log/auth.log
-      '';
-      asterisk = ''
-        enabled = true
-        filter = asterisk
-        action = iptables-allports[name=ASTERISK, protocol=all]
-        logpath = /var/log/asterisk/messages
-        maxretry = 4
-      '';
-      ssh = ''
-        enabled = true
-        filter = sshd
-        maxretry = 4
-        action = iptables[name=SSH, port=ssh, protocol=tcp]
-      '';
-      sshd-ddos = ''
-        enabled = true
-        filter = sshd-ddos
-        maxretry = 4
-        action = iptables[name=ssh, port=ssh, protocol=tcp]
-      '';
-      postfix = ''
-        enabled = true
-        filter = postfix
-        maxretry = 3
-        action = iptables[name=postfix, port=smtp, protocol=tcp]
-      '';
-      postfix-sasl = ''
-        enabled = true
-        filter = postfix-sasl
-        port = postfix,imap3,imaps,pop3,pop3s
-        maxretry = 3
-        action = iptables[name=postfix, port=smtp, protocol=tcp]
-      '';
-      postfix-ddos = ''
-        enabled = true
-        filter = postfix-ddos
-        maxretry = 3
-        action = iptables[name=postfix, port=submission, protocol=tcp]
-        bantime = 7200
-      '';
-    };
-  };
-
-  environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {
-    enable = true;
-    text = ''
-      # Fail2Ban filter for postfix authentication failures
-      [INCLUDES]
-      before = common.conf
-      [Definition]
-      daemon = postfix/smtpd
-      failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
-    '';
-  };
-
-  environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
-    enable = true;
-    text = ''
-      [Definition]
-      failregex = lost connection after EHLO from \S+\[\]
-    '';
-  };
-
-  environment.etc."fail2ban/filter.d/sshd-ddos.conf" = {
-    enable = true;
-    text = ''
-      [Definition]
-      failregex = sshd(?:\[\d+\])?: Did not receive identification string from $
-      ignoreregex =
-    '';
-  };
-
-  systemd.services.fail2ban.serviceConfig.LimitSTACK = 128 * 1024;
-}
diff --git a/hosts/samhain/nixos/default.nix b/hosts/samhain/nixos/default.nix
index 738a7f56..d5cfb6df 100644
--- a/hosts/samhain/nixos/default.nix
+++ b/hosts/samhain/nixos/default.nix
@@ -93,48 +93,6 @@ in {
   networking.interfaces.enp34s0.useDHCP = true;
   networking.firewall.allowPing = true;
 
-  services.nginx.appendConfig = ''
-    rtmp {
-      server {
-        listen [::]:1935 ipv6only=off;
-        application kattv {
-          live on;
-
-          allow publish all;
-          allow play all;
-        }
-      }
-    }
-  '';
-
-  networking.firewall.interfaces.enp34s0.allowedTCPPorts = [
-    80 # http
-    443 # https
-  ];
-
-  networking.firewall.interfaces.hexnet.allowedTCPPorts = [
-    80 # http
-    443 # https
-    32101 # mpv
-    443 # https
-    111 # nfs
-    2049 # nfs
-    1935 # rtmp
-  ];
-
-  networking.firewall.interfaces.enp34s0.allowedUDPPorts = [
-    4010 # scream
-    111 # nfs
-    2049 # nfs
-  ];
-
-  networking.firewall.interfaces.hexnet.allowedUDPPorts = [ ];
-
-  networking.firewall.allowedUDPPortRanges = [{
-    from = 32768;
-    to = 60999;
-  }]; # dnla
-
   services.avahi.enable = true;
 
   hexchen.network = {
diff --git a/hosts/samhain/nixos/vm/default.nix b/hosts/samhain/nixos/vm/default.nix
index 0432cb5b..1387d1f9 100644
--- a/hosts/samhain/nixos/vm/default.nix
+++ b/hosts/samhain/nixos/vm/default.nix
@@ -105,6 +105,8 @@
   };
   */
 
+  katnet.public.tcp.ports = [ 4010 ];
+
   home-manager.users.kat = {
     # audio for vm on startup
     systemd.user.services = {
diff --git a/modules/nixos/katnet/default.nix b/modules/nixos/katnet/default.nix
index 22745a6d..b149d507 100644
--- a/modules/nixos/katnet/default.nix
+++ b/modules/nixos/katnet/default.nix
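Review bot: `katnet.public.tcp.ports = [ 4010 ];` changes the protocol of the scream port: the rule it replaces in hosts/samhain/nixos/default.nix was `4010 # scream` under `allowedUDPPorts`, so unless scream has been switched to TCP the receiver is now unreachable and an unused TCP port is opened in its place; it should read `katnet.public.udp.ports = [ 4010 ];`. Nothing in this diff sets `katnet.public.interfaces` for samhain, so as written the entry may apply to no interface at all — confirm the host file (outside this hunk) declares `enp34s0` as public. The NFS (111/2049) and mpv (32101) openings dropped from the same host are not re-declared anywhere visible either; if that is deliberate it is a good tightening, but it deserves a line in the commit message.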
@@ -2,12 +2,88 @@
 
 with lib;
 
-{
-  config = mkIf config.hexchen.network.enable {
-    deploy.tf.dns.records."kittywitch_net_${config.networking.hostName}" = {
-      tld = "kittywit.ch.";
-      domain = "${config.networking.hostName}.net";
-      aaaa.address = config.hexchen.network.address;
+let cfg = config.katnet;
+in {
+  options.katnet = {
+    public.tcp.ports = mkOption {
+      type = types.listOf types.port;
+      default = [ ];
+    };
+    public.udp.ports = mkOption {
+      type = types.listOf types.port;
+      default = [ ];
+    };
+    private.tcp.ports = mkOption {
+      type = types.listOf types.port;
+      default = [ ];
+    };
+    private.udp.ports = mkOption {
+      type = types.listOf types.port;
+      default = [ ];
+    };
+
+    public.tcp.ranges = mkOption {
+      type = types.listOf (types.attrsOf types.port);
+      default = [ ];
+    };
+    public.udp.ranges = mkOption {
+      type = types.listOf (types.attrsOf types.port);
+      default = [ ];
+    };
+    private.tcp.ranges = mkOption {
+      type = types.listOf (types.attrsOf types.port);
+      default = [ ];
+    };
+    private.udp.ranges = mkOption {
+      type = types.listOf (types.attrsOf types.port);
+      default = [ ];
+    };
+
+    public.interfaces = mkOption {
+      type = types.listOf types.str;
+      description = "Public firewall interfaces";
+      default = [ ];
+    };
+    private.interfaces = mkOption {
+      type = types.listOf types.str;
+      description = "Private firewall interfaces";
+      default = [ ];
     };
   };
+
+  config = {
+    networking.firewall.interfaces = let
+      fwTypes = {
+        ports = "Ports";
+        ranges = "PortRanges";
+      };
+
+      interfaceDef = visibility:
+        listToAttrs (flatten (mapAttrsToList (type: typeString:
+          map (proto: {
+            name = "allowed${toUpper proto}${typeString}";
+            value = cfg.${visibility}.${proto}.${type};
+          }) [ "tcp" "udp" ]) fwTypes));
+
+      interfaces = visibility:
+        listToAttrs
+        (map (interface: nameValuePair interface (interfaceDef visibility))
+        cfg.${visibility}.interfaces);
+    in mkMerge (map (visibility: interfaces visibility) [ "public" "private" ]);
+
+    deploy.tf.dns.records."kittywitch_net_${config.networking.hostName}" =
+      mkIf config.hexchen.network.enable {
+        tld = "kittywit.ch.";
+        domain = "${config.networking.hostName}.net";
+        aaaa.address = config.hexchen.network.address;
+      };
+
+    security.acme.certs."${config.networking.hostName}.net.kittywit.ch" =
+      mkIf (config.services.nginx.enable && config.hexchen.network.enable) {
+        domain = "${config.networking.hostName}.net.kittywit.ch";
+        dnsProvider = "rfc2136";
+        credentialsFile = config.secrets.files.dns_creds.path;
+        group = "nginx";
+      };
+  };
 }
diff --git a/services/asterisk.nix b/services/asterisk.nix
index 638b65ff..7dd0d8d6 100644
--- a/services/asterisk.nix
+++ b/services/asterisk.nix
@@ -1,6 +1,29 @@
 { config, pkgs, witch, ... }:
 
 {
+  katnet.public.tcp.ports = [ 5160 5060 ];
+  katnet.public.udp.ports = [ 5160 5060 ];
+
+  katnet.public.tcp.ranges = [{
+    from = 10000;
+    to = 20000;
+  }];
+
+  katnet.public.udp.ranges = [{
+    from = 10000;
+    to = 20000;
+  }];
+
+  services.fail2ban.jails = {
+    asterisk = ''
+      enabled = true
+      filter = asterisk
+      action = iptables-allports[name=ASTERISK, protocol=all]
+      logpath = /var/log/asterisk/messages
+      maxretry = 4
+    '';
+  };
+
   services.asterisk = {
     enable = true;
     confFiles = {
diff --git a/services/mail.nix b/services/mail.nix
index 3df61ec9..81d63828 100644
--- a/services/mail.nix
+++ b/services/mail.nix
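Review bot: A service that declares ports on a host whose `katnet.public.interfaces` (or `private.interfaces`) is empty gets no firewall rule and no diagnostic, because `interfaces` maps over an empty list; the samhain vm file in this same diff declares `katnet.public.tcp.ports` while no public interface for samhain is visible, which is exactly that failure mode. A `warnings` entry inside `config` (an assertion would be too strict, since nginx.nix declares private ports on every host that imports it, including hosts with no private network) turns the silent no-op into something the deployer sees. The eight port/range options also carry no `description`, and since a service file now opens its ports on *every* interface a host calls public, one sentence per option saying so — e.g. `description = "TCP ports opened on every interface listed in katnet.public.interfaces";` — is worth adding.

```nix
  config = {
    # … unchanged: networking.firewall.interfaces, dns record, acme cert …

    warnings = let
      declared = v: cfg.${v}.tcp.ports ++ cfg.${v}.udp.ports ++ cfg.${v}.tcp.ranges ++ cfg.${v}.udp.ranges;
    in concatMap (v:
      optional (declared v != [ ] && cfg.${v}.interfaces == [ ])
        "katnet: ${v} ports are declared on ${config.networking.hostName} but katnet.${v}.interfaces is empty, so they are not opened")
      [ "public" "private" ];
  };
```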
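Review bot: The `services.fail2ban.jails.asterisk` block only has an effect when fail2ban is enabled, and the only `services.fail2ban.enable = true;` in this diff is in the deleted hosts/athame/nixos/fail2ban.nix; unless another module re-enables it, this jail, the postfix jails in services/mail.nix, and the `DEFAULT` settings that file carried (`bantime = 1d`, `blocktype = DROP`) are all inert after this commit. The `ssh` and `sshd-ddos` jails and the `sshd-ddos` filter from that file are not re-homed anywhere in the diff either, so SSH brute-force banning on athame is dropped outright rather than moved. I would put `services.fail2ban.enable = true;` and the `DEFAULT` jail in a shared fail2ban base module that asterisk.nix and mail.nix both import, and move the sshd jails there as well, so that importing a service file never depends on a host file having enabled the daemon.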
@@ -5,6 +5,49 @@ with lib;
 {
   imports = [ sources.nixos-mailserver.outPath ];
 
+  services.fail2ban.jails = {
+    postfix = ''
+      enabled = true
+      filter = postfix
+      maxretry = 3
+      action = iptables[name=postfix, port=smtp, protocol=tcp]
+    '';
+    postfix-sasl = ''
+      enabled = true
+      filter = postfix-sasl
+      port = postfix,imap3,imaps,pop3,pop3s
+      maxretry = 3
+      action = iptables[name=postfix, port=smtp, protocol=tcp]
+    '';
+    postfix-ddos = ''
+      enabled = true
+      filter = postfix-ddos
+      maxretry = 3
+      action = iptables[name=postfix, port=submission, protocol=tcp]
+      bantime = 7200
+    '';
+  };
+
+  environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {
+    enable = true;
+    text = ''
+      # Fail2Ban filter for postfix authentication failures
+      [INCLUDES]
+      before = common.conf
+      [Definition]
+      daemon = postfix/smtpd
+      failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
+    '';
+  };
+
+  environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
+    enable = true;
+    text = ''
+      [Definition]
+      failregex = lost connection after EHLO from \S+\[\]
+    '';
+  };
+
   deploy.tf.variables.domainkey_kitty = {
     type = "string";
     value.shellCommand = "bitw get infra/domainkey-kitty";
diff --git a/services/murmur.nix b/services/murmur.nix
index a0afbc88..a88e528e 100644
--- a/services/murmur.nix
+++ b/services/murmur.nix
@@ -1,11 +1,14 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, witch, ... }:
+
+with lib;
 
 {
 
+  katnet.public.tcp.ports = singleton 64738;
+  katnet.public.udp.ports = singleton 64738;
+
   services.murmur = {
     enable = true;
-    hostName = "voice.kittywit.ch";
-
     extraConfig = ''
       sslCert=/var/lib/acme/voice.kittywit.ch/fullchain.pem
       sslKey=/var/lib/acme/voice.kittywit.ch/key.pem
diff --git a/services/nginx.nix b/services/nginx.nix
index 1cd61c9c..137d578a 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
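Review bot: Both `failregex` lines as shown have an empty host capture — `[-._\w]+\[\]` in postfix-sasl.conf and `\S+\[\]` in postfix-ddos.conf — and fail2ban refuses to start a jail whose filter has no `<HOST>` group, so as rendered here the postfix-sasl and postfix-ddos jails would fail to load; if the `<HOST>` token was merely stripped by this page's rendering, disregard this, otherwise both should read `\[<HOST>\]`. Separately, the postfix-sasl jail lists `port = postfix,imap3,imaps,pop3,pop3s` but its `action = iptables[name=postfix, port=smtp, protocol=tcp]` bans only port 25, so a banned address can keep retrying SASL on submission, IMAP and POP; `action = iptables-multiport[name=postfix-sasl, port="smtp,submission,imaps,pop3s", protocol=tcp]` matches the jail's stated intent. All three jails also appear to share `name=postfix` in their iptables action and therefore the same `f2b-postfix` chain, which makes one jail's stop or unban able to clear another's entries — distinct names per jail avoid that.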
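Review bot: Dropping `hostName = "voice.kittywit.ch";` changes where murmur listens, if I read the NixOS option right: `services.murmur.hostName` is the address murmur binds to, and its default binds every address, so if that line was what kept murmur off hexnet the server now listens on all interfaces; the firewall opens 64738 only on `katnet.public` interfaces, which bounds the exposure, but the intent should be confirmed rather than left implicit. If the line was removed because the name is already the certificate's subject (the `sslCert`/`sslKey` paths still say voice.kittywit.ch), a one-line comment above `extraConfig` saying so would save the next reader the same question.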
@@ -1,4 +1,6 @@ -{ config, pkgs, witch, tf, ... }: +{ config, lib, pkgs, witch, tf, ... }: + +with lib; { secrets.files.dns_creds = { @@ -10,6 +12,9 @@ ''; }; + katnet.public.tcp.ports = [ 443 80 ]; + katnet.private.tcp.ports = [ 443 80 ]; + services.nginx = { enable = true; recommendedGzipSettings = true; diff --git a/services/syncplay.nix b/services/syncplay.nix index 1880eb0b..f57596e0 100644 --- a/services/syncplay.nix +++ b/services/syncplay.nix @@ -1,4 +1,6 @@ -{ config, pkgs, witch, ... }: +{ config, lib, pkgs, witch, ... }: + +with lib; { users.users.syncplay = { isSystemUser = true; }; @@ -6,6 +8,8 @@ users.groups."sync-cert".members = [ "nginx" "syncplay" ]; security.acme = { certs."sync.kittywit.ch" = { group = "sync-cert"; }; }; + katnet.public.tcp.ports = singleton 8999; + services.nginx.virtualHosts."sync.kittywit.ch" = { enableACME = true; forceSSL = true; @@ -23,8 +27,8 @@ SYNCPLAY_SALT = witch.secrets.hosts.athame.syncplay.salt; }; description = "Syncplay Service"; - wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target " ]; + wantedBy = singleton "multi-user.target"; + after = singleton "network-online.target"; serviceConfig = { ExecStart = diff --git a/services/taskserver.nix b/services/taskserver.nix index f5a3889d..e1927db5 100644 --- a/services/taskserver.nix +++ b/services/taskserver.nix @@ -1,8 +1,14 @@ { config, lib, ... }: +with lib; + { - services.taskserver.enable = true; - services.taskserver.fqdn = "kittywit.ch"; - services.taskserver.listenHost = "::"; - services.taskserver.organisations.kittywitch.users = [ "kat" ]; + katnet.public.tcp.ports = singleton 53589; + + services.taskserver = { + enable = true; + fqdn = "kittywit.ch"; + listenHost = "::"; + organisations.kittywitch.users = singleton "kat"; + }; } diff --git a/services/znc.nix b/services/znc.nix index 080e6d25..ee2c7753 100644 --- a/services/znc.nix +++ b/services/znc.nix 
@@ -1,6 +1,10 @@
-{ config, pkgs, witch, ... }:
+{ config, lib, pkgs, witch, ... }:
+
+with lib;
 
 {
+  katnet.public.tcp.ports = singleton 5001;
+
   services.znc = {
     enable = true;
     mutable = false;