feat(system/core, -||-/services): add security modules - firejail, firewall, fail2ban

This commit is contained in:
madmin 2024-09-01 16:05:39 +02:00
parent cad1551224
commit b7a5d89ed2
4 changed files with 74 additions and 69 deletions


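--- a/PATH-NOT-SHOWN-1
+++ /dev/null
@@ -1,34 +0,0 @@
-{ pkgs, ... }:
-{
-programs.firejail = {
-enable = true;
-wrappedBinaries = {
-librewolf = {
-executable = "${pkgs.librewolf}/bin/librewolf";
-profile = "${pkgs.firejail}/etc/firejail/librewolf.profile";
-extraArgs = [
-# Required for U2F USB stick
-"--ignore=private-dev"
-# Enforce dark mode
-"--env=GTK_THEME=Adwaita:dark"
-# Enable system notifications
-"--dbus-user.talk=org.freedesktop.Notifications"
-];
-};
-signal-desktop = {
-# Enable tray icon otherwise Signal window might be hidden
-executable = "${pkgs.signal-desktop}/bin/signal-desktop --use-tray-icon";
-profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
-extraArgs = [
-# Enforce dark mode
-"--env=GTK_THEME=Adwaita:dark"
-#TODO: Enable Wayland mode
-#"--env=NIXOS_OZONE_WL=1"
-# Allow tray icon (should be upstreamed into signal-desktop.profile)
-"--dbus-user.talk=org.kde.StatusNotifierWatcher"
-];
-};
-};
-};
-}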


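--- /dev/null
+++ b/PATH-NOT-SHOWN-2
@@ -0,0 +1,7 @@
+{ configVars, ... }:
+{
+networking.firewall = {
+enable = true;
+};
+}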
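Review bot: `configVars` is bound in the module's argument set on the first line but is never referenced in the seven-line module; `{ ... }:` is sufficient and spares the reader a search for a consumer. Since the module only sets `networking.firewall.enable = true;` and opens nothing, it is worth stating that the port policy lives elsewhere, e.g. `# No ports are opened here; each service module declares its own networking.firewall.allowedTCPPorts / allowedUDPPorts.` placed above the `networking.firewall` attribute.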


@ -1,7 +1,8 @@
# http://web.archive.org/web/20240621185719/https://dataswamp.org/~solene/2022-10-02-nixos-fail2ban.html # http://web.archive.org/web/20240621185719/https://dataswamp.org/~solene/2022-10-02-nixos-fail2ban.html
{ pkgs, ... }:
{ {
services.fail2ban = { services.fail2ban = {
enable = true; enable = false;
ignoreIP = [ ignoreIP = [
"192.168.1.0/24" "192.168.1.0/24"
]; ];
@ -10,35 +11,36 @@
banaction = "iptables-ipset-proto6-allports"; banaction = "iptables-ipset-proto6-allports";
jails = { jails = {
# max 6 failures in 600 seconds # max 6 failures in 600 seconds
"nginx-spam" = '' "nginx-spam" = ''
enabled = true enabled = true
filter = nginx-bruteforce filter = nginx-bruteforce
logpath = /var/log/nginx/access.log logpath = /var/log/nginx/access.log
backend = auto backend = auto
maxretry = 6 maxretry = 6
findtime = 600 findtime = 600
''; '';
# max 3 failures in 600 seconds # max 3 failures in 600 seconds
"postfix-bruteforce" = '' "postfix-bruteforce" = ''
enabled = true enabled = true
filter = postfix-bruteforce filter = postfix-bruteforce
findtime = 600 findtime = 600
maxretry = 3 maxretry = 3
''; '';
# max 10 failures in 600 seconds # max 10 failures in 600 seconds
"molly" = '' "molly" = ''
enabled = true enabled = true
filter = molly filter = molly
findtime = 600 findtime = 600
maxretry = 10 maxretry = 10
logpath = /var/log/molly-brown/access.log logpath = /var/log/molly-brown/access.log
backend = auto backend = auto
''; '';
};
}; };
environment.etc = { environment.etc = {
"fail2ban/filter.d/molly.conf".text = '' "fail2ban/filter.d/molly.conf".text = ''
@ -58,7 +60,5 @@
''; '';
}; };
} }
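Review bot: In the first hunk the new side flips `enable = true;` to `enable = false;` although the commit message says it adds fail2ban; if disabling is deliberate (for instance because none of the nginx, postfix or molly services in the jails below run on this host yet), a one-line comment next to it such as `# Disabled until the jailed services are deployed on this host` should say so, because the jails and the filter in environment.etc otherwise remain dead configuration that looks active. The same hunk adds `{ pkgs, ... }:` as the module's first line, but `pkgs` is not referenced in any of the three visible hunks; the stretches of the file between hunks are not shown, so it may be used there, otherwise `{ ... }:` is enough. The third hunk's header reports two removed lines that the rendered page does not show, so the visible text of that hunk is incomplete.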


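--- a/PATH-NOT-SHOWN-4
+++ b/PATH-NOT-SHOWN-4
@@ -1,2 +1,34 @@
-{ pkgs, ... }:
-{ }
+{ config, lib, pkgs, ... }:
+{
+programs.firejail = {
+enable = true;
+wrappedBinaries = {
+librewolf = {
+executable = "${pkgs.librewolf}/bin/librewolf";
+profile = "${pkgs.firejail}/etc/firejail/librewolf.profile";
+extraArgs = [
+# Required for U2F USB stick
+"--ignore=private-dev"
+# Enforce dark mode
+"--env=GTK_THEME=Adwaita:dark"
+# Enable system notifications
+"--dbus-user.talk=org.freedesktop.Notifications"
+];
+};
+signal-desktop = {
+# Enable tray icon otherwise Signal window might be hidden
+executable = "${pkgs.signal-desktop}/bin/signal-desktop --use-tray-icon";
+profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
+extraArgs = [
+# Enforce dark mode
+"--env=GTK_THEME=Adwaita:dark"
+#TODO: Enable Wayland mode
+#"--env=NIXOS_OZONE_WL=1"
+# Allow tray icon (should be upstreamed into signal-desktop.profile)
+"--dbus-user.talk=org.kde.StatusNotifierWatcher"
+];
+};
+};
+};
+}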
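Review bot: `config` and `lib` are added to the argument set on the first line but neither is used anywhere in the 34-line module, which otherwise reproduces the deleted firejail file verbatim; the previous `{ pkgs, ... }:` is sufficient. The comment on `--ignore=private-dev` names the reason but not the cost: as I read firejail's `--ignore`, it drops the profile's `private-dev` line, so librewolf sees the whole of /dev rather than only the U2F token, and a comment such as `# Sandbox relaxation: exposes all of /dev, not just the U2F device; revisit if a narrower device grant becomes available` would record that trade-off for the next reader. The `--use-tray-icon` flag embedded in signal-desktop's `executable` string relies on how the generated wrapper interpolates that option; if the wrapper quotes it as a single path this silently breaks, so a comment noting that it is intentionally a command line rather than a path would help.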