Commit 5a39c87d authored by fpletz's avatar fpletz 🚧

luftschleuse: custom ssh moduli, tighten firewall

parent 1fe94f73
...@@ -11,7 +11,7 @@ let ...@@ -11,7 +11,7 @@ let
cmd = "unlockfront"; cmd = "unlockfront";
} }
{ user = "close"; { user = "close";
msg = "Unlocking back door"; msg = "Locking back door";
cmd = "lock"; cmd = "lock";
} }
]; ];
...@@ -50,7 +50,10 @@ in ...@@ -50,7 +50,10 @@ in
interfaces.wlan0 = { interfaces.wlan0 = {
ipv4.addresses = [ { address = "192.168.2.2"; prefixLength = 24; } ]; ipv4.addresses = [ { address = "192.168.2.2"; prefixLength = 24; } ];
}; };
firewall.trustedInterfaces = [ "wlan0" "eth0" ]; firewall = {
allowedUDPPorts = [ 53 67 ];
allowedTCPPorts = [ 22 80 ];
};
}; };
systemd.network.links."30-eth0" = { systemd.network.links."30-eth0" = {
...@@ -68,7 +71,7 @@ in ...@@ -68,7 +71,7 @@ in
dhcpV4Config.ClientIdentifier = "mac"; dhcpV4Config.ClientIdentifier = "mac";
}; };
environment.systemPackages = with pkgs; [ colmena lm_sensors ]; environment.systemPackages = with pkgs; [ lm_sensors ];
services.fail2ban.enable = false; services.fail2ban.enable = false;
...@@ -150,7 +153,8 @@ in ...@@ -150,7 +153,8 @@ in
}; };
services.nginx = { services.nginx = {
enable = true; # FIXME: make android believe there is internetz
enable = false;
virtualHosts."_" = { virtualHosts."_" = {
root = "/nonexisting"; root = "/nonexisting";
locations."/generate_204".extraConfig = "return 204;"; locations."/generate_204".extraConfig = "return 204;";
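Review bot: The new `firewall = { allowedUDPPorts = [ 53 67 ]; allowedTCPPorts = [ 22 80 ]; }` opens those ports on every interface, whereas the removed `trustedInterfaces = [ "wlan0" "eth0" ]` was limited to the two LAN-side interfaces, so DNS and DHCP are now reachable from any network the host is attached to — including whatever eth0 is plugged into if, as the `dhcpV4Config` hunk suggests, eth0 is a DHCP client on an upstream network. Scoping the service ports to the interface that actually serves clients keeps the tightening intent: `networking.firewall.interfaces.wlan0 = { allowedUDPPorts = [ 53 67 ]; allowedTCPPorts = [ 80 ]; };` with only `allowedTCPPorts = [ 22 ];` left global. The same commit sets `services.nginx.enable = false`, so TCP 80 is opened for a listener that no longer exists unless something else binds it; either drop 80 or gate it on `config.services.nginx.enable`. The `networking` attribute set this hunk edits starts outside the hunk.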
...@@ -33,6 +33,7 @@ ...@@ -33,6 +33,7 @@
services.openssh = { services.openssh = {
enable = true; enable = true;
passwordAuthentication = lib.mkDefault false; passwordAuthentication = lib.mkDefault false;
moduliFile = ../static/ssh-moduli;
}; };
services.fail2ban.enable = lib.mkDefault true; services.fail2ban.enable = lib.mkDefault true;
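Review bot: `moduliFile = ../static/ssh-moduli;` installs a custom DH moduli set with no record of how it was generated or screened, and the file itself is collapsed in this view so its contents cannot be checked here. The moduli are only consulted for the `diffie-hellman-group-exchange-*` KEX methods: if `kexAlgorithms` (not visible in this hunk) is restricted to curve25519/ECDH the new file has no effect, and if group exchange is enabled the smallest modulus in the file bounds the DH strength, so weak entries must not be present. Document the provenance next to the option, e.g. `# DH group-exchange moduli generated on this host with ssh-keygen -M generate / -M screen; entries below 3072 bits removed. Regenerate rather than copy from another host.` — adjusting the wording to what was actually done. The enclosing `services.openssh` set is fully within the hunk.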