networking and security updates

2024-11-15 05:13:10 +01:00 · 2023-11-25 23:22:16 +01:00 · 2023-11-25 23:22:16 +01:00 · 2e8e3ada22
parent ccfcd6db3a
commit 2e8e3ada22
7 changed files with 29 additions and 15 deletions
--- a/flake.lock
+++ b/flake.lock
@ -179,11 +179,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1700695018,
-        "narHash": "sha256-MAiPLgBF4GLzSOlhnPCDWkWW5CDx4i7ApIYaR+TwTVg=",
+        "lastModified": 1700847865,
+        "narHash": "sha256-uWaOIemGl9LF813MW0AEgCBpKwFo2t1Wv3BZc6e5Frw=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "134deb46abd5d0889d913b8509413f6f38b0811e",
+        "rev": "8cedd63eede4c22deb192f1721dd67e7460e1ebe",
        "type": "github"
      },
      "original": {
@ -295,11 +295,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1700612854,
-        "narHash": "sha256-yrQ8osMD+vDLGFX7pcwsY/Qr5PUd6OmDMYJZzZi0+zc=",
+        "lastModified": 1700794826,
+        "narHash": "sha256-RyJTnTNKhO0yqRpDISk03I/4A67/dp96YRxc86YOPgU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "19cbff58383a4ae384dea4d1d0c823d72b49d614",
+        "rev": "5a09cb4b393d58f9ed0d9ca1555016a8543c2ac8",
        "type": "github"
      },
      "original": {
--- a/hosts/falkenstein/default.nix
+++ b/hosts/falkenstein/default.nix
@ -54,8 +54,6 @@
  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
-    # clean up the logs a bit
-    ports = [ 2222 ];
    settings.PasswordAuthentication = false;
  };
  programs.mosh.enable = true;
--- a/hosts/falkenstein/modules/fail2ban/default.nix
+++ b/hosts/falkenstein/modules/fail2ban/default.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ lib, ... }:
 {
  services.fail2ban = {
    enable = true;
@ -7,11 +7,15 @@
      enable = true;
    };
    jails = {
+      sshd = lib.mkForce ''
+        enabled = true
+        port = ssh
+        filter= sshd[mode=aggressive]
+      '';
      dovecot = ''
        enabled = true
        # aggressive mode add blocking for aborted connections
        filter = dovecot[mode=aggressive]
-        bantime = 10m
        maxretry = 3
      '';
      postfix = ''
--- a/hosts/falkenstein/modules/mail/default.nix
+++ b/hosts/falkenstein/modules/mail/default.nix
@ -15,10 +15,9 @@ let
 in
 {
  networking.firewall.allowedTCPPorts = [
-    25 # insecure SMTP
-    465
-    587 # SMTP
-    993 # IMAP
+    25 # SMTP
+    465 # SUBMISSONS
+    993 # IMAPS
    4190 # sieve
  ];
  users.users.rouven = {
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@ -56,6 +56,16 @@
    HibernateDelaySec=2h
  '';

+  services.mysql = {
+    enable = true;
+    package = pkgs.mariadb;
+    ensureUsers = [
+      {
+        name = "user1";
+      }
+    ];
+  };
+
  services.logind = {
    lidSwitch = "suspend-then-hibernate";
    lidSwitchDocked = "suspend-then-hibernate";
--- a/hosts/thinkpad/modules/networks/default.nix
+++ b/hosts/thinkpad/modules/networks/default.nix
@ -41,7 +41,9 @@
    hostName = "thinkpad";
    hostId = "d8d34032";
    enableIPv6 = true;
-    firewall.allowedTCPPorts = [ 24727 ];
+    firewall = {
+      logRefusedConnections = false;
+    };
    wireless = {
      enable = true;
      userControlled.enable = true;
--- a/hosts/thinkpad/modules/sound/default.nix
+++ b/hosts/thinkpad/modules/sound/default.nix
@ -9,5 +9,6 @@
  };
  environment.systemPackages = with pkgs; [
    qpwgraph
+    easyeffects
  ];
 }