upd nixos conf

2026-04-05 16:01:45 +00:00 · 2026-03-11 19:51:37 +03:00 · 2026-03-11 19:51:37 +03:00 · b5256d79fa
commit b5256d79fa
parent 634d976a43
1 changed files with 65 additions and 6 deletions
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@ -18,10 +18,15 @@
    "net.ipv6.conf.default.disable_ipv6" = 1;
    "net.ipv6.conf.lo.disable_ipv6" = 1;
  };
+  hardware.enableRedistributableFirmware = true;
+  boot.extraModulePackages = with config.boot.kernelPackages; [
+    r8125
+  ];
+  boot.kernelModules = [ "r8169" ];

  networking.hostName = "homelab"; # Define your hostname.
  networking.networkmanager.wifi.powersave = false;
-  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+  networking.wireless.enable = false;  # Enables wireless support via wpa_supplicant.

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
@ -51,15 +56,68 @@
  # My Services
  services.caddy.enable = true;
  services.caddy.configFile = "/opt/homelab/services/caddy/Caddyfile";
+  systemd.tmpfiles.rules = [
+  "d /var/log/caddy 0750 caddy caddy -"
+  ];
+  services.fail2ban.jails.sshd = {
+  enabled = true;
+  settings = {
+    port = "ssh";        # or "22"
+    backend = "systemd";
+    maxretry = 5;
+    findtime = "10m";
+    bantime = "12h";
+    };
+  };
+  services.fail2ban = {
+    enable = true;
+
+    #LAN
+    ignoreIP = [
+      "127.0.0.1/8"
+      "192.168.1.0/24"
+    ];
+    jails.vaultwarden = ''
+      enabled = true
+      filter = vaultwarden
+      logpath = /var/log/caddy/access.log
+      backend = auto
+      port = http,https
+      bantime = 1h
+      findtime = 10m
+      maxretry = 5
+    '';
+   };
  

+  environment.etc."fail2ban/filter.d/vaultwarden.conf".text = ''
+    [Definition]
+    # Vaultwarden login endpoint
+    failregex = ^.*"remote_ip":"<HOST>".*"host":"vault\.sesur\.dev".*"uri":"\/identity\/connect\/token".*"status":(400|401).*$
+    ignoreregex =
+  '';
+  
+  # Disable suspend of my homelab. Added when my server every ~15 minutes suspend.
+  services.logind.settings.Login = {
+  HandlePowerKey = "poweroff";
+  HandleSuspendKey = "ignore";
+  HandleHibernateKey = "ignore";
+  HandleLidSwitch = "ignore";
+  IdleAction = "ignore";
+  };
+
+  # Hard block at systemd level (cannot suspend even if requested)
+  systemd.targets.sleep.enable = false;
+  systemd.targets.suspend.enable = false;
+  systemd.targets.hibernate.enable = false;
+  systemd.targets.hybrid-sleep.enable = false;
  
  # Enable the X11 windowing system.
-  services.xserver.enable = true;
+  services.xserver.enable = false;

  # Enable the GNOME Desktop Environment.
-  services.xserver.displayManager.gdm.enable = true;
-  services.xserver.desktopManager.gnome.enable = true;
+  services.xserver.displayManager.gdm.enable = false;
+  services.xserver.desktopManager.gnome.enable = false;
  services.xserver.displayManager.gdm.autoSuspend = false;

  # Configure keymap in X11
@ -115,6 +173,7 @@
    btop
    dig
    curl
+    pciutils
    git
    pkgs.inetutils
    pkgs.lsof
@ -173,7 +232,7 @@


  # Open ports in the firewall.
-  networking.firewall.allowedTCPPorts = [22 80 443 53 9999 ];
+  networking.firewall.allowedTCPPorts = [22 80 443 53 ];
  networking.firewall.allowedUDPPorts = [ 53 ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.