continuing dev

platforms/nixos/modules/nmasur/presets/services/bind.nix

@@ -34,7 +34,7 @@ in
 
     # Normally I block all requests not coming from Cloudflare, so I have to also
     # allow my local network.
-    caddy.cidrAllowlist = [ "192.168.0.0/16" ];
+    config.nmasur.presets.services.caddy.cidrAllowlist = [ "192.168.0.0/16" ];
 
     services.bind = {
 

platforms/nixos/modules/nmasur/presets/services/caddy.nix

@@ -50,10 +50,10 @@ in
   config = lib.mkIf cfg.enable {
 
     # Force Caddy to 403 if not coming from allowlisted source
-    caddy.cidrAllowlist = lib.mkDefault [ "127.0.0.1/32" ];
-    caddy.routes = lib.mkBefore [
+    cfg.cidrAllowlist = lib.mkDefault [ "127.0.0.1/32" ];
+    cfg.routes = lib.mkBefore [
       {
-        match = [ { not = [ { remote_ip.ranges = config.caddy.cidrAllowlist; } ]; } ];
+        match = [ { not = [ { remote_ip.ranges = cfg.cidrAllowlist; } ]; } ];
         handle = [
           {
             handler = "static_response";

platforms/nixos/modules/nmasur/presets/services/cloudflare.nix

@@ -0,0 +1,154 @@
+# This module is necessary for hosts that are serving through Cloudflare.
+
+# Cloudflare is a CDN service that is used to serve the domain names and
+# caching for my websites and services. Since Cloudflare acts as our proxy, we
+# must allow access over the Internet from Cloudflare's IP ranges.
+
+# We also want to validate our HTTPS certificates from Caddy. We'll use Caddy's
+# DNS validation plugin to connect to Cloudflare and automatically create
+# validation DNS records for our generated certificates.
+
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+
+  cfg = config.nmasur.presets.services.cloudflare;
+
+  cloudflareIpRanges = [
+
+    # Cloudflare IPv4: https://www.cloudflare.com/ips-v4
+    "173.245.48.0/20"
+    "103.21.244.0/22"
+    "103.22.200.0/22"
+    "103.31.4.0/22"
+    "141.101.64.0/18"
+    "108.162.192.0/18"
+    "190.93.240.0/20"
+    "188.114.96.0/20"
+    "197.234.240.0/22"
+    "198.41.128.0/17"
+    "162.158.0.0/15"
+    "104.16.0.0/13"
+    "104.24.0.0/14"
+    "172.64.0.0/13"
+    "131.0.72.0/22"
+
+    # Cloudflare IPv6: https://www.cloudflare.com/ips-v6
+    "2400:cb00::/32"
+    "2606:4700::/32"
+    "2803:f800::/32"
+    "2405:b500::/32"
+    "2405:8100::/32"
+    "2a06:98c0::/29"
+    "2c0f:f248::/32"
+  ];
+in
+{
+
+  options.nmasur.presets.services.cloudflare = {
+    enable = lib.mkEnableOption "Cloudflare proxy configuration";
+
+    noProxyDomains = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      description = "Domains to use for dyndns without CDN proxying.";
+      default = [ ];
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    # Forces Caddy to error if coming from a non-Cloudflare IP
+    config.nmasur.presets.services.caddy.cidrAllowlist = cloudflareIpRanges;
+
+    # Tell Caddy to use Cloudflare DNS for ACME challenge validation
+    services.caddy.package = pkgs.caddy.withPlugins {
+      plugins = [ "github.com/caddy-dns/cloudflare@master" ];
+      hash = "sha256-C7JOGd4sXsRZL561oP84V2/pTg7szEgF4OFOw35yS1s=";
+    };
+    caddy.tlsPolicies = [
+      {
+        issuers = [
+          {
+            module = "acme";
+            email = "acme@${config.mail.server}";
+            account_key = "{env.ACME_ACCOUNT_KEY}";
+            challenges = {
+              dns = {
+                provider = {
+                  name = "cloudflare";
+                  api_token = "{env.CLOUDFLARE_API_TOKEN}";
+                };
+                resolvers = [ "1.1.1.1" ];
+              };
+            };
+          }
+        ];
+      }
+    ];
+    # Allow Caddy to read Cloudflare API key for DNS validation
+    systemd.services.caddy.serviceConfig.EnvironmentFile = [
+      config.secrets.cloudflare-api.dest
+      config.secrets.letsencrypt-key.dest
+    ];
+
+    # Private key is used for LetsEncrypt
+    secrets.letsencrypt-key = {
+      source = ../../../private/letsencrypt-key.age;
+      dest = "${config.secretsDirectory}/letsencrypt-key";
+      owner = "caddy";
+      group = "caddy";
+    };
+
+    # API key must have access to modify Cloudflare DNS records
+    secrets.cloudflare-api = {
+      source = ../../../private/cloudflare-api.age;
+      dest = "${config.secretsDirectory}/cloudflare-api";
+      owner = "caddy";
+      group = "caddy";
+    };
+
+    # Wait for secret to exist
+    systemd.services.caddy = {
+      after = [
+        "cloudflare-api-secret.service"
+        "letsencrypt-key-secret.service"
+      ];
+      requires = [
+        "cloudflare-api-secret.service"
+        "letsencrypt-key-secret.service"
+      ];
+    };
+
+    # Allows Nextcloud to trust Cloudflare IPs
+    services.nextcloud.settings.trusted_proxies = cloudflareIpRanges;
+
+    # Allows Transmission to trust Cloudflare IPs
+    services.transmission.settings.rpc-whitelist = builtins.concatStringsSep "," (
+      [ "127.0.0.1" ] ++ cloudflareIpRanges
+    );
+
+    # Using dyn-dns instead of ddclient because I can't find a way to choose
+    # between proxied and non-proxied records for Cloudflare using just
+    # ddclient.
+    services.cloudflare-dyndns =
+      lib.mkIf ((builtins.length config.services.cloudflare-dyndns.domains) > 0)
+        {
+          enable = true;
+          proxied = true;
+          deleteMissing = true;
+          apiTokenFile = config.secrets.cloudflare-api.dest;
+        };
+
+    # Wait for secret to exist to start
+    systemd.services.cloudflare-dyndns = lib.mkIf config.services.cloudflare-dyndns.enable {
+      after = [ "cloudflare-api-secret.service" ];
+      requires = [ "cloudflare-api-secret.service" ];
+    };
+
+  };
+}

platforms/nixos/modules/nmasur/profiles/gaming.nix

@@ -25,5 +25,6 @@ in
     programs.gamemode.enable = true;
 
     environment.systemPackages = with pkgs; [ moonlight-qt ];
+
   };
 }

platforms/nixos/modules/services/cloudflare-dyndns-noproxy.nix

@@ -18,7 +18,7 @@ in
     # Run a second copy of dyn-dns for non-proxied domains
     # Adapted from: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/networking/cloudflare-dyndns.nix
     systemd.services.cloudflare-dyndns-noproxy =
-      lib.mkIf ((builtins.length config.cloudflare.noProxyDomains) > 0)
+      lib.mkIf ((builtins.length config.nmasur.presets.services.cloudflare.noProxyDomains) > 0)
         {
           description = "CloudFlare Dynamic DNS Client (no proxy)";
           after = [
@@ -30,7 +30,7 @@ in
           startAt = "*:0/5";
 
           environment = {
-            CLOUDFLARE_DOMAINS = toString config.cloudflare.noProxyDomains;
+            CLOUDFLARE_DOMAINS = toString config.nmasur.presets.services.cloudflare.noProxyDomains;
           };
 
           serviceConfig = {

platforms/nixos/modules/services/honeypot.nix

@@ -0,0 +1,85 @@
+# This is a tool for blocking IPs of anyone who attempts to scan all of my
+# ports.
+
+# Currently has some issues that don't make this viable.
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+# Taken from:
+# https://dataswamp.org/~solene/2022-09-29-iblock-implemented-in-nixos.html
+
+# You will need to flush all rules when removing:
+# https://serverfault.com/questions/200635/best-way-to-clear-all-iptables-rules
+
+let
+
+  cfg = config.services.honeypot;
+
+  portsToBlock = [
+    25545
+    25565
+    25570
+  ];
+  portsString = builtins.concatStringsSep "," (builtins.map builtins.toString portsToBlock);
+
+  # Block IPs for 20 days
+  expire = 60 * 60 * 24 * 20;
+
+  rules = table: [
+    "INPUT -i eth0 -p tcp -m multiport --dports ${portsString} -m state --state NEW -m recent --set"
+    "INPUT -i eth0 -p tcp -m multiport --dports ${portsString} -m state --state NEW -m recent --update --seconds 10 --hitcount 1 -j SET --add-set ${table} src"
+    "INPUT -i eth0 -p tcp -m set --match-set ${table} src -j nixos-fw-refuse"
+    "INPUT -i eth0 -p udp -m set --match-set ${table} src -j nixos-fw-refuse"
+  ];
+
+  create-rules = lib.concatStringsSep "\n" (
+    builtins.map (rule: "iptables -C " + rule + " || iptables -A " + rule) (rules "blocked")
+    ++ builtins.map (rule: "ip6tables -C " + rule + " || ip6tables -A " + rule) (rules "blocked6")
+  );
+
+  delete-rules = lib.concatStringsSep "\n" (
+    builtins.map (rule: "iptables -C " + rule + " && iptables -D " + rule) (rules "blocked")
+    ++ builtins.map (rule: "ip6tables -C " + rule + " && ip6tables -D " + rule) (rules "blocked6")
+  );
+in
+{
+
+  options.services.honeypot.enable = lib.mkEnableOption "Honeypot fail2ban system.";
+
+  config = lib.mkIf cfg.enable {
+    networking.firewall = {
+
+      extraPackages = [ pkgs.ipset ];
+      # allowedTCPPorts = portsToBlock;
+
+      # Restore ban list when starting up
+      extraCommands = ''
+        if test -f /var/lib/ipset.conf
+        then
+            ipset restore -! < /var/lib/ipset.conf
+        else
+            ipset -exist create blocked hash:ip ${if expire > 0 then "timeout ${toString expire}" else ""}
+            ipset -exist create blocked6 hash:ip family inet6 ${
+              if expire > 0 then "timeout ${toString expire}" else ""
+            }
+        fi
+        ${create-rules}
+      '';
+
+      # Save list when shutting down
+      extraStopCommands = ''
+        ipset -exist create blocked hash:ip ${if expire > 0 then "timeout ${toString expire}" else ""}
+        ipset -exist create blocked6 hash:ip family inet6 ${
+          if expire > 0 then "timeout ${toString expire}" else ""
+        }
+        ipset save > /var/lib/ipset.conf
+        ${delete-rules}
+      '';
+    };
+  };
+}