continuing dev

2025-07-06 22:30:13 +00:00 · 2025-01-29 21:12:48 -05:00
parent c7933f8502
commit 0ebd0bac2c
55 changed files with 362 additions and 347 deletions
--- a/modules/nixos/services/cloudflare.nix
+++ b/modules/nixos/services/cloudflare.nix
@ -1,157 +0,0 @@
-# This module is necessary for hosts that are serving through Cloudflare.
-
-# Cloudflare is a CDN service that is used to serve the domain names and
-# caching for my websites and services. Since Cloudflare acts as our proxy, we
-# must allow access over the Internet from Cloudflare's IP ranges.
-
-# We also want to validate our HTTPS certificates from Caddy. We'll use Caddy's
-# DNS validation plugin to connect to Cloudflare and automatically create
-# validation DNS records for our generated certificates.
-
-{
-  config,
-  pkgs,
-  pkgs-caddy,
-  lib,
-  ...
-}:
-
-let
-
-  cloudflareIpRanges = [
-
-    # Cloudflare IPv4: https://www.cloudflare.com/ips-v4
-    "173.245.48.0/20"
-    "103.21.244.0/22"
-    "103.22.200.0/22"
-    "103.31.4.0/22"
-    "141.101.64.0/18"
-    "108.162.192.0/18"
-    "190.93.240.0/20"
-    "188.114.96.0/20"
-    "197.234.240.0/22"
-    "198.41.128.0/17"
-    "162.158.0.0/15"
-    "104.16.0.0/13"
-    "104.24.0.0/14"
-    "172.64.0.0/13"
-    "131.0.72.0/22"
-
-    # Cloudflare IPv6: https://www.cloudflare.com/ips-v6
-    "2400:cb00::/32"
-    "2606:4700::/32"
-    "2803:f800::/32"
-    "2405:b500::/32"
-    "2405:8100::/32"
-    "2a06:98c0::/29"
-    "2c0f:f248::/32"
-  ];
-in
-{
-
-  options.cloudflare.enable = lib.mkEnableOption "Use Cloudflare.";
-
-  options.cloudflare.noProxyDomains = lib.mkOption {
-    type = lib.types.listOf lib.types.str;
-    description = "Domains to use for dyndns without CDN proxying.";
-    default = [ ];
-  };
-
-  config = lib.mkIf config.cloudflare.enable {
-
-    # Forces Caddy to error if coming from a non-Cloudflare IP
-    caddy.cidrAllowlist = cloudflareIpRanges;
-
-    # Tell Caddy to use Cloudflare DNS for ACME challenge validation
-    services.caddy.package = pkgs-caddy.caddy.override {
-      externalPlugins = [
-        {
-          name = "cloudflare";
-          repo = "github.com/caddy-dns/cloudflare";
-          version = "master";
-        }
-      ];
-      vendorHash = "sha256-C7JOGd4sXsRZL561oP84V2/pTg7szEgF4OFOw35yS1s=";
-    };
-    caddy.tlsPolicies = [
-      {
-        issuers = [
-          {
-            module = "acme";
-            email = "acme@${config.mail.server}";
-            account_key = "{env.ACME_ACCOUNT_KEY}";
-            challenges = {
-              dns = {
-                provider = {
-                  name = "cloudflare";
-                  api_token = "{env.CLOUDFLARE_API_TOKEN}";
-                };
-                resolvers = [ "1.1.1.1" ];
-              };
-            };
-          }
-        ];
-      }
-    ];
-    # Allow Caddy to read Cloudflare API key for DNS validation
-    systemd.services.caddy.serviceConfig.EnvironmentFile = [
-      config.secrets.cloudflare-api.dest
-      config.secrets.letsencrypt-key.dest
-    ];
-
-    # Private key is used for LetsEncrypt
-    secrets.letsencrypt-key = {
-      source = ../../../private/letsencrypt-key.age;
-      dest = "${config.secretsDirectory}/letsencrypt-key";
-      owner = "caddy";
-      group = "caddy";
-    };
-
-    # API key must have access to modify Cloudflare DNS records
-    secrets.cloudflare-api = {
-      source = ../../../private/cloudflare-api.age;
-      dest = "${config.secretsDirectory}/cloudflare-api";
-      owner = "caddy";
-      group = "caddy";
-    };
-
-    # Wait for secret to exist
-    systemd.services.caddy = {
-      after = [
-        "cloudflare-api-secret.service"
-        "letsencrypt-key-secret.service"
-      ];
-      requires = [
-        "cloudflare-api-secret.service"
-        "letsencrypt-key-secret.service"
-      ];
-    };
-
-    # Allows Nextcloud to trust Cloudflare IPs
-    services.nextcloud.settings.trusted_proxies = cloudflareIpRanges;
-
-    # Allows Transmission to trust Cloudflare IPs
-    services.transmission.settings.rpc-whitelist = builtins.concatStringsSep "," (
-      [ "127.0.0.1" ] ++ cloudflareIpRanges
-    );
-
-    # Using dyn-dns instead of ddclient because I can't find a way to choose
-    # between proxied and non-proxied records for Cloudflare using just
-    # ddclient.
-    services.cloudflare-dyndns =
-      lib.mkIf ((builtins.length config.services.cloudflare-dyndns.domains) > 0)
-        {
-          enable = true;
-          proxied = true;
-          deleteMissing = true;
-          apiTokenFile = config.secrets.cloudflare-api.dest;
-        };
-
-    # Wait for secret to exist to start
-    systemd.services.cloudflare-dyndns = lib.mkIf config.services.cloudflare-dyndns.enable {
-      after = [ "cloudflare-api-secret.service" ];
-      requires = [ "cloudflare-api-secret.service" ];
-    };
-
-  };
-}
--- a/modules/nixos/services/honeypot.nix
+++ b/modules/nixos/services/honeypot.nix
@ -1,81 +0,0 @@
-# This is a tool for blocking IPs of anyone who attempts to scan all of my
-# ports.
-
-# Currently has some issues that don't make this viable.
-
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
-# Taken from:
-# https://dataswamp.org/~solene/2022-09-29-iblock-implemented-in-nixos.html
-
-# You will need to flush all rules when removing:
-# https://serverfault.com/questions/200635/best-way-to-clear-all-iptables-rules
-
-let
-
-  portsToBlock = [
-    25545
-    25565
-    25570
-  ];
-  portsString = builtins.concatStringsSep "," (builtins.map builtins.toString portsToBlock);
-
-  # Block IPs for 20 days
-  expire = 60 * 60 * 24 * 20;
-
-  rules = table: [
-    "INPUT -i eth0 -p tcp -m multiport --dports ${portsString} -m state --state NEW -m recent --set"
-    "INPUT -i eth0 -p tcp -m multiport --dports ${portsString} -m state --state NEW -m recent --update --seconds 10 --hitcount 1 -j SET --add-set ${table} src"
-    "INPUT -i eth0 -p tcp -m set --match-set ${table} src -j nixos-fw-refuse"
-    "INPUT -i eth0 -p udp -m set --match-set ${table} src -j nixos-fw-refuse"
-  ];
-
-  create-rules = lib.concatStringsSep "\n" (
-    builtins.map (rule: "iptables -C " + rule + " || iptables -A " + rule) (rules "blocked")
-    ++ builtins.map (rule: "ip6tables -C " + rule + " || ip6tables -A " + rule) (rules "blocked6")
-  );
-
-  delete-rules = lib.concatStringsSep "\n" (
-    builtins.map (rule: "iptables -C " + rule + " && iptables -D " + rule) (rules "blocked")
-    ++ builtins.map (rule: "ip6tables -C " + rule + " && ip6tables -D " + rule) (rules "blocked6")
-  );
-in
-{
-
-  options.honeypot.enable = lib.mkEnableOption "Honeypot fail2ban system.";
-
-  config.networking.firewall = lib.mkIf config.honeypot.enable {
-
-    extraPackages = [ pkgs.ipset ];
-    # allowedTCPPorts = portsToBlock;
-
-    # Restore ban list when starting up
-    extraCommands = ''
-      if test -f /var/lib/ipset.conf
-      then
-          ipset restore -! < /var/lib/ipset.conf
-      else
-          ipset -exist create blocked hash:ip ${if expire > 0 then "timeout ${toString expire}" else ""}
-          ipset -exist create blocked6 hash:ip family inet6 ${
-            if expire > 0 then "timeout ${toString expire}" else ""
-          }
-      fi
-      ${create-rules}
-    '';
-
-    # Save list when shutting down
-    extraStopCommands = ''
-      ipset -exist create blocked hash:ip ${if expire > 0 then "timeout ${toString expire}" else ""}
-      ipset -exist create blocked6 hash:ip family inet6 ${
-        if expire > 0 then "timeout ${toString expire}" else ""
-      }
-      ipset save > /var/lib/ipset.conf
-      ${delete-rules}
-    '';
-  };
-}