Commit 5a39c87d authored by fpletz

luftschleuse: custom ssh moduli, tighten firewall

parent 1fe94f73
......@@ -11,7 +11,7 @@ let
cmd = "unlockfront";
}
{ user = "close";
msg = "Unlocking back door";
msg = "Locking back door";
cmd = "lock";
}
];
......@@ -50,7 +50,10 @@ in
interfaces.wlan0 = {
ipv4.addresses = [ { address = "192.168.2.2"; prefixLength = 24; } ];
};
firewall.trustedInterfaces = [ "wlan0" "eth0" ];
firewall = {
allowedUDPPorts = [ 53 67 ];
allowedTCPPorts = [ 22 80 ];
};
};
systemd.network.links."30-eth0" = {
......@@ -68,7 +71,7 @@ in
dhcpV4Config.ClientIdentifier = "mac";
};
environment.systemPackages = with pkgs; [ colmena lm_sensors ];
environment.systemPackages = with pkgs; [ lm_sensors ];
services.fail2ban.enable = false;
......@@ -150,7 +153,8 @@ in
};
services.nginx = {
enable = true;
# FIXME: make android believe there is internetz
enable = false;
virtualHosts."_" = {
root = "/nonexisting";
locations."/generate_204".extraConfig = "return 204;";
......
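Review bot: The new `allowedUDPPorts = [ 53 67 ];` and `allowedTCPPorts = [ 22 80 ];` in the second hunk are global, so DNS, DHCP, SSH and HTTP are accepted on eth0 as well as wlan0. If 53/67 only serve clients on the 192.168.2.0/24 wlan0 network, scope them per interface, e.g. `firewall.interfaces.wlan0.allowedUDPPorts = [ 53 67 ];`. TCP 22 is opened while this host keeps `services.fail2ban.enable = false;`, so repeated login attempts against SSH are not rate-limited here; a comment saying why fail2ban is off on this machine would help. If the nginx hunk leaves `enable = false;` as the new value (the page does not mark which side each `enable` line is on), port 80 has no listener and can be dropped from the list. The attribute set enclosing the firewall lines starts outside the hunk.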
......@@ -33,6 +33,7 @@
services.openssh = {
enable = true;
passwordAuthentication = lib.mkDefault false;
moduliFile = ../static/ssh-moduli;
};
services.fail2ban.enable = lib.mkDefault true;
......
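Review bot: The added `moduliFile = ../static/ssh-moduli;` has no comment recording how the file was produced or which modulus sizes it keeps, and its contents are collapsed on this page, so the hardening cannot be checked from the diff. Add a line above it such as `# generated with ssh-keygen; groups below <MIN_BITS> bits removed`, with the real values filled in. The moduli file only affects the diffie-hellman-group-exchange key exchanges, and nothing in this hunk shows whether those are enabled, so it is worth confirming against the `kexAlgorithms` setting.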
This diff is collapsed.