luftschleuse: custom ssh moduli, tighten firewall

5a39c87d · fpletz · 1fe94f73 · 5a39c87d · 5a39c87d · 5a39c87d
Commit 5a39c87d authored Apr 01, 2022 by fpletz 🚧
--- a/luftschleuse.nix
+++ b/luftschleuse.nix
@@ -11,7 +11,7 @@ let
      cmd = "unlockfront";
    }
    { user = "close";
-      msg = "Unlocking back door";
+      msg = "Locking back door";
      cmd = "lock";
    }
  ];
@@ -50,7 +50,10 @@ in
    interfaces.wlan0 = {
      ipv4.addresses = [ { address = "192.168.2.2"; prefixLength = 24; } ];
    };
-    firewall.trustedInterfaces = [ "wlan0" "eth0" ];
+    firewall = {
+      allowedUDPPorts = [ 53 67 ];
+      allowedTCPPorts = [ 22 80 ];
+    };
  };

  systemd.network.links."30-eth0" = {
@@ -68,7 +71,7 @@ in
    dhcpV4Config.ClientIdentifier = "mac";
  };

-  environment.systemPackages = with pkgs; [ colmena lm_sensors ];
+  environment.systemPackages = with pkgs; [ lm_sensors ];

  services.fail2ban.enable = false;

@@ -150,7 +153,8 @@ in
  };

  services.nginx = {
-    enable = true;
+    # FIXME: make android believe there is internetz
+    enable = false;
    virtualHosts."_" = {
      root = "/nonexisting";
      locations."/generate_204".extraConfig = "return 204;";

--- a/modules/default.nix
+++ b/modules/default.nix
@@ -33,6 +33,7 @@
  services.openssh = {
    enable = true;
    passwordAuthentication = lib.mkDefault false;
+    moduliFile = ../static/ssh-moduli;
  };
  services.fail2ban.enable = lib.mkDefault true;


--- a/static/ssh-moduli
+++ b/static/ssh-moduli