diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index c7ad86f..596cb87 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -18,10 +18,15 @@
 "net.ipv6.conf.default.disable_ipv6" = 1;
 "net.ipv6.conf.lo.disable_ipv6" = 1;
 };
+ hardware.enableRedistributableFirmware = true;
+ boot.extraModulePackages = with config.boot.kernelPackages; [
+ r8125
+ ];
+ boot.kernelModules = [ "r8169" ];
 networking.hostName = "homelab"; # Define your hostname.
 networking.networkmanager.wifi.powersave = false;
- # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
 # Configure network proxy if necessary
 # networking.proxy.default = "http://user:password@proxy:port/";
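Review bot: `boot.kernelModules = [ "r8169" ]` force-loads the in-tree Realtek driver in the same hunk that adds the out-of-tree `r8125` package to `boot.extraModulePackages`; both drivers can claim an RTL8125 NIC, so which one ends up bound is decided by load order rather than by this file. If the out-of-tree driver is the intended one, drop the `r8169` entry and keep the in-tree driver off the device with `boot.blacklistedKernelModules = [ "r8169" ];`; if the in-tree driver is sufficient, the extra package (which has to rebuild against every kernel bump) can go instead, and a comment such as `# RTL8125 NIC: which driver is expected to bind, and why` above the block would record the decision. `with config.boot.kernelPackages` also assumes `config` is in the module's argument list, which is outside the hunk. The comment kept on `networking.wireless.enable = false;` still reads "Enables wireless support", which now contradicts the value; `# wpa_supplicant off (the default); Wi-Fi is left to NetworkManager` would match the `networkmanager.wifi.powersave` line above it, assuming NetworkManager is what manages the link here.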
@@ -51,15 +56,68 @@
 # My Services
 services.caddy.enable = true;
 services.caddy.configFile = "/opt/homelab/services/caddy/Caddyfile";
-
+ systemd.tmpfiles.rules = [
+ "d /var/log/caddy 0750 caddy caddy -"
+ ];
+ services.fail2ban.jails.sshd = {
+ enabled = true;
+ settings = {
+ port = "ssh"; # or "22"
+ backend = "systemd";
+ maxretry = 5;
+ findtime = "10m";
+ bantime = "12h";
+ };
+ };
+ services.fail2ban = {
+ enable = true;
+
+ #LAN
+ ignoreIP = [
+ "127.0.0.1/8"
+ "192.168.1.0/24"
+ ];
+ jails.vaultwarden = ''
+ enabled = true
+ filter = vaultwarden
+ logpath = /var/log/caddy/access.log
+ backend = auto
+ port = http,https
+ bantime = 1h
+ findtime = 10m
+ maxretry = 5
+ '';
+ };
+ environment.etc."fail2ban/filter.d/vaultwarden.conf".text = ''
+ [Definition]
+ # Vaultwarden login endpoint
+ failregex = ^.*"remote_ip":"".*"host":"vault\.sesur\.dev".*"uri":"\/identity\/connect\/token".*"status":(400|401).*$
+ ignoreregex =
+ '';
+
+ # Disable suspend of my homelab. Added when my server every ~15 minutes suspend.
+ services.logind.settings.Login = {
+ HandlePowerKey = "poweroff";
+ HandleSuspendKey = "ignore";
+ HandleHibernateKey = "ignore";
+ HandleLidSwitch = "ignore";
+ IdleAction = "ignore";
+ };
+
+ # Hard block at systemd level (cannot suspend even if requested)
+ systemd.targets.sleep.enable = false;
+ systemd.targets.suspend.enable = false;
+ systemd.targets.hibernate.enable = false;
+ systemd.targets.hybrid-sleep.enable = false;
+
 # Enable the X11 windowing system.
- services.xserver.enable = true;
+ services.xserver.enable = false;
 # Enable the GNOME Desktop Environment.
- services.xserver.displayManager.gdm.enable = true;
- services.xserver.desktopManager.gnome.enable = true;
+ services.xserver.displayManager.gdm.enable = false;
+ services.xserver.desktopManager.gnome.enable = false;
 services.xserver.displayManager.gdm.autoSuspend = false;
 # Configure keymap in X11
@@ -115,6 +173,7 @@
 btop
 dig
 curl
+ pciutils
 git
 pkgs.inetutils
 pkgs.lsof
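Review bot: As shown, the `failregex` in the vaultwarden filter has no failure-id group — `"remote_ip":""` only matches an empty field — and fail2ban rejects a failregex without one, so the jail would not start; if a `<HOST>` tag was lost in rendering disregard this, otherwise the fragment should read `"remote_ip":"<HOST>"`. The jail also depends on Caddy writing JSON access logs to exactly `/var/log/caddy/access.log`, which is configured in the external Caddyfile and not visible here; a comment on `logpath` such as `# must match the log directive in /opt/homelab/services/caddy/Caddyfile (JSON format)` would make that coupling explicit, and if Caddy itself sits behind another proxy, `remote_ip` would be the proxy's address rather than the client's. On style, the fail2ban configuration is split across two top-level attributes (`services.fail2ban.jails.sshd = { … }` and `services.fail2ban = { … }`) and the two jails use different forms, sshd as an attrset with `settings` and vaultwarden as a raw INI string; folding both into the single `services.fail2ban` block in the `settings` form reads more consistently and keeps the jails comparable (note `bantime` is `12h` for sshd but `1h` for vaultwarden). The enclosing module attrset starts and ends outside the hunk.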
@@ -173,7 +232,7 @@
 # Open ports in the firewall.
- networking.firewall.allowedTCPPorts = [22 80 443 53 9999 ];
+ networking.firewall.allowedTCPPorts = [22 80 443 53 ];
 networking.firewall.allowedUDPPorts = [ 53 ];
 # networking.firewall.allowedUDPPorts = [ ... ];
 # Or disable the firewall altogether.