From 5a0cb28f369c104bb371974df876c8c705b0ee7e Mon Sep 17 00:00:00 2001
From: ene <ene@sils.li>
Date: Sat, 18 Mar 2023 16:21:45 +0100
Subject: Refactor: Use better file layout

---
 system/services/default.nix | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 system/services/default.nix

(limited to 'system/services/default.nix')

diff --git a/system/services/default.nix b/system/services/default.nix
new file mode 100644
index 0000000..acf20f5
--- /dev/null
+++ b/system/services/default.nix
@@ -0,0 +1,9 @@
+{config, ...}: {
+  imports = [
+    ./acme
+    ./nginx
+    ./nix
+    ./opensshd
+    ./rust-motd
+  ];
+}
-- 
cgit 1.4.1


From 083a7cbb9623c90468c887203bf95adc5f2e3201 Mon Sep 17 00:00:00 2001
From: ene <ene@sils.li>
Date: Sun, 19 Mar 2023 17:43:26 +0100
Subject: Fix(system/mail): Only accept connections on safe ports

It is sort of standard to ignore connections over the unencrypted port
25, thus we are doing the same.
---
 system/mail/default.nix              |  4 ++--
 system/services/default.nix          |  2 ++
 system/services/firewall/default.nix | 11 +++++++++++
 3 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 system/services/firewall/default.nix

(limited to 'system/services/default.nix')

diff --git a/system/mail/default.nix b/system/mail/default.nix
index 8eaa53b..7102958 100644
--- a/system/mail/default.nix
+++ b/system/mail/default.nix
@@ -30,13 +30,11 @@ in {
     "admin@vhack.eu" = all_admins;
   };
 
-
   mailDirectory = "/srv/mail/vmail";
   dkimKeyDirectory = "/srv/mail/dkim";
   sieveDirectory = "/srv/mail/sieve";
   backup.snapshotRoot = "/srv/mail/backup";
 
-
   enableImap = false;
   enableImapSsl = true;
   enablePop3 = false;
@@ -44,8 +42,10 @@ in {
   # SMTP
   enableSubmission = false;
   enableSubmissionSsl = true;
+  openFirewall = false; # handled below
 
   keyFile = "/var/lib/acme/server1.vhack.eu/key.pem";
   certificateScheme = 1;
   certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem";
+
 }
diff --git a/system/services/default.nix b/system/services/default.nix
index acf20f5..4c39b8b 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -1,6 +1,8 @@
 {config, ...}: {
   imports = [
     ./acme
+    ./firewall
+    ./minecraft
     ./nginx
     ./nix
     ./opensshd
diff --git a/system/services/firewall/default.nix b/system/services/firewall/default.nix
new file mode 100644
index 0000000..23dbcc4
--- /dev/null
+++ b/system/services/firewall/default.nix
@@ -0,0 +1,11 @@
+# vim: ts=2
+{...}: {
+  networking.firewall = {
+    allowedTCPPorts = [
+      # for mail protocols:
+      465 # SMTP SSL
+      995 # POP3 SSL
+      993 # IMAP SSL
+    ];
+  };
+}
-- 
cgit 1.4.1


From 055f4e0191bba4c0dc1000dd2089906119717883 Mon Sep 17 00:00:00 2001
From: ene <ene@sils.li>
Date: Sun, 19 Mar 2023 17:46:18 +0100
Subject: Fix(system/services/minecraft): Remove to make compile

---
 system/services/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'system/services/default.nix')

diff --git a/system/services/default.nix b/system/services/default.nix
index 4c39b8b..f36cb29 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -2,7 +2,7 @@
   imports = [
     ./acme
     ./firewall
-    ./minecraft
+    #./minecraft
     ./nginx
     ./nix
     ./opensshd
-- 
cgit 1.4.1


From 8d8ad7a9f79ba88cc5b07e8f5f4d1a4cded4ff1b Mon Sep 17 00:00:00 2001
From: ene <ene@sils.li>
Date: Sat, 25 Mar 2023 13:41:53 +0100
Subject: Feat(system/services/fail2ban): Add fail2ban

This should clear the logs somewhat.
---
 system/services/default.nix          |  1 +
 system/services/fail2ban/default.nix | 14 ++++++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 system/services/fail2ban/default.nix

(limited to 'system/services/default.nix')

diff --git a/system/services/default.nix b/system/services/default.nix
index f36cb29..5d9e5b6 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -7,5 +7,6 @@
     ./nix
     ./opensshd
     ./rust-motd
+    ./fail2ban
   ];
 }
diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix
new file mode 100644
index 0000000..5b5e9e7
--- /dev/null
+++ b/system/services/fail2ban/default.nix
@@ -0,0 +1,14 @@
+# vim: ts=2
+{...}: {
+  services.fail2ban = {
+    enable = true;
+    maxretry = 2; # ban after 2 failures
+    bantime-increment = {
+      enable = true;
+      rndtime = "8m";
+      overalljails = true;
+      multipliers = "2 4 16 128 256";
+      maxtime = "72h";
+    };
+  };
+}
-- 
cgit 1.4.1


From cb92ffc878fcb417bd66b3b30ef1ff189a5aa44c Mon Sep 17 00:00:00 2001
From: ene <ene@sils.li>
Date: Fri, 7 Apr 2023 22:02:24 +0200
Subject: Fix(system/mail): Allow opening ports in the firewall

As the previous configuration only opened some ports, receiving mail was
impossible. This allows NSM to open the required ports directly,
ensuring that none was missed.

SECURITY:
As all other options than SSL are still disabled, this change should not
introduce unencrypted mail transfer.
This has not been tested.
---
 system/mail/default.nix     | 2 +-
 system/services/default.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'system/services/default.nix')

diff --git a/system/mail/default.nix b/system/mail/default.nix
index d2fd55c..b1da088 100644
--- a/system/mail/default.nix
+++ b/system/mail/default.nix
@@ -42,7 +42,7 @@ in {
   # SMTP
   enableSubmission = false;
   enableSubmissionSsl = true;
-  openFirewall = false; # handled below
+  openFirewall = true;
 
   keyFile = "/var/lib/acme/server1.vhack.eu/key.pem";
   certificateScheme = 1;
diff --git a/system/services/default.nix b/system/services/default.nix
index 5d9e5b6..6e5cb3c 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -1,7 +1,7 @@
 {config, ...}: {
   imports = [
     ./acme
-    ./firewall
+#  ./firewall
     #./minecraft
     ./nginx
     ./nix
-- 
cgit 1.4.1