modules/nixos/katnet: Firewall handler

2026-02-10 04:49:19 -08:00 · 2021-04-27 22:25:56 +01:00 · 2021-04-27 22:25:56 +01:00 · 874974c48a
commit 874974c48a
parent ba57815abd
12 changed files with 186 additions and 184 deletions
--- a/hosts/athame/nixos/default.nix
+++ b/hosts/athame/nixos/default.nix
@ -29,13 +29,6 @@

  deploy.target = "infra";

-  security.acme.certs."athame.net.kittywit.ch" = {
-    domain = "athame.net.kittywit.ch";
-    dnsProvider = "rfc2136";
-    credentialsFile = config.secrets.files.dns_creds.path;
-    group = "nginx";
-  };
-
  networking = {
    hostName = "athame";
    domain = "kittywit.ch";
@ -54,39 +47,8 @@
    interface = "enp1s0";
  };

-  networking.firewall.interfaces.hexnet.allowedTCPPorts = [
-    80 # http
-    443 # https
-  ];
-
-  networking.firewall.interfaces.enp1s0.allowedTCPPorts = [
-    80 # http
-    443 # https
-    5160 # asterisk
-    5060 # asterisk
-    8999 # syncplay
-    64738 # murmur
-    1935 # rtmp
-    53589 # taskwarrior
-    5001 # znc
-    62969 # yggdrasil
-  ];
-
-  networking.firewall.interfaces.enp1s0.allowedUDPPorts = [
-    5160 # asterisk
-    5060 # asterisk
-    64738 # murmur
-  ];
-
-  networking.firewall.interfaces.enp1s0.allowedTCPPortRanges = [{
-    from = 10000;
-    to = 20000;
-  }]; # asterisk
-
-  networking.firewall.interfaces.enp1s0.allowedUDPPortRanges = [{
-    from = 10000;
-    to = 20000;
-  }]; # asterisk
+  katnet.public.interfaces = singleton "enp1s0";
+  katnet.private.interfaces = singleton "hexnet";

  deploy.tf.dns.records.kittywitch_athame_v6 = {
    tld = "kittywit.ch.";
--- a/hosts/athame/nixos/fail2ban.nix
+++ b/hosts/athame/nixos/fail2ban.nix
@ -1,84 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  services.fail2ban = {
-    enable = true;
-    jails = {
-      DEFAULT = ''
-        bantime  = 1d
-        blocktype = DROP
-        logpath  = /var/log/auth.log
-      '';
-      asterisk = ''
-        enabled  = true
-        filter   = asterisk
-        action   = iptables-allports[name=ASTERISK, protocol=all]
-        logpath  = /var/log/asterisk/messages
-        maxretry = 4
-      '';
-      ssh = ''
-        enabled = true
-        filter = sshd
-        maxretry = 4
-        action = iptables[name=SSH, port=ssh, protocol=tcp]
-      '';
-      sshd-ddos = ''
-        enabled  = true
-        filter = sshd-ddos
-        maxretry = 4
-        action   = iptables[name=ssh, port=ssh, protocol=tcp]
-      '';
-      postfix = ''
-        enabled  = true
-        filter   = postfix
-        maxretry = 3
-        action   = iptables[name=postfix, port=smtp, protocol=tcp]
-      '';
-      postfix-sasl = ''
-        enabled  = true
-        filter   = postfix-sasl
-        port     = postfix,imap3,imaps,pop3,pop3s
-        maxretry = 3
-        action   = iptables[name=postfix, port=smtp, protocol=tcp]
-      '';
-      postfix-ddos = ''
-        enabled  = true
-        filter   = postfix-ddos
-        maxretry = 3
-        action   = iptables[name=postfix, port=submission, protocol=tcp]
-        bantime  = 7200
-      '';
-    };
-  };
-
-  environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {
-    enable = true;
-    text = ''
-      # Fail2Ban filter for postfix authentication failures
-      [INCLUDES]
-      before = common.conf
-      [Definition]
-      daemon = postfix/smtpd
-      failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
-    '';
-  };
-
-  environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
-    enable = true;
-    text = ''
-      [Definition]
-      failregex = lost connection after EHLO from \S+\[<HOST>\]
-    '';
-  };
-
-  environment.etc."fail2ban/filter.d/sshd-ddos.conf" = {
-    enable = true;
-    text = ''
-      [Definition]
-      failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
-      ignoreregex =
-    '';
-  };
-
-  systemd.services.fail2ban.serviceConfig.LimitSTACK = 128 * 1024;
-}
--- a/hosts/samhain/nixos/default.nix
+++ b/hosts/samhain/nixos/default.nix
@ -93,48 +93,6 @@ in {
  networking.interfaces.enp34s0.useDHCP = true;
  networking.firewall.allowPing = true;

-  services.nginx.appendConfig = ''
-    rtmp {
-      server {
-        listen [::]:1935 ipv6only=off;
-        application kattv {
-          live on;
-
-          allow publish all;
-          allow play all;
-        }
-      }
-    }
-  '';
-  
-  networking.firewall.interfaces.enp34s0.allowedTCPPorts = [
-    80 # http
-    443 # https
-  ];
-
-  networking.firewall.interfaces.hexnet.allowedTCPPorts = [
-    80 # http
-    443 # https
-    32101 # mpv
-    443 # https
-    111 # nfs
-    2049 # nfs
-    1935 # rtmp
-  ];
-
-  networking.firewall.interfaces.enp34s0.allowedUDPPorts = [
-    4010 # scream
-    111 # nfs
-    2049 # nfs
-  ];
-
-  networking.firewall.interfaces.hexnet.allowedUDPPorts = [ ];
-
-  networking.firewall.allowedUDPPortRanges = [{
-    from = 32768;
-    to = 60999;
-  }]; # dnla
-
  services.avahi.enable = true;

  hexchen.network = {
--- a/hosts/samhain/nixos/vm/default.nix
+++ b/hosts/samhain/nixos/vm/default.nix
@ -105,6 +105,8 @@
     };
  */

+  katnet.public.tcp.ports = [ 4010 ];
+
  home-manager.users.kat = {
    # audio for vm on startup
    systemd.user.services = {