continuing dev

2025-07-06 12:00:14 +00:00 · 2025-01-29 21:12:48 -05:00
parent c7933f8502
commit 0ebd0bac2c
55 changed files with 362 additions and 347 deletions
--- a/platforms/nixos/modules/services/cloudflare-dyndns-noproxy.nix
+++ b/platforms/nixos/modules/services/cloudflare-dyndns-noproxy.nix
@ -18,7 +18,7 @@ in
    # Run a second copy of dyn-dns for non-proxied domains
    # Adapted from: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/networking/cloudflare-dyndns.nix
    systemd.services.cloudflare-dyndns-noproxy =
-      lib.mkIf ((builtins.length config.cloudflare.noProxyDomains) > 0)
+      lib.mkIf ((builtins.length config.nmasur.presets.services.cloudflare.noProxyDomains) > 0)
        {
          description = "CloudFlare Dynamic DNS Client (no proxy)";
          after = [
@ -30,7 +30,7 @@ in
          startAt = "*:0/5";

          environment = {
-            CLOUDFLARE_DOMAINS = toString config.cloudflare.noProxyDomains;
+            CLOUDFLARE_DOMAINS = toString config.nmasur.presets.services.cloudflare.noProxyDomains;
          };

          serviceConfig = {
--- a/platforms/nixos/modules/services/honeypot.nix
+++ b/platforms/nixos/modules/services/honeypot.nix
@ -0,0 +1,85 @@
+# This is a tool for blocking IPs of anyone who attempts to scan all of my
+# ports.
+
+# Currently has some issues that don't make this viable.
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+# Taken from:
+# https://dataswamp.org/~solene/2022-09-29-iblock-implemented-in-nixos.html
+
+# You will need to flush all rules when removing:
+# https://serverfault.com/questions/200635/best-way-to-clear-all-iptables-rules
+
+let
+
+  cfg = config.services.honeypot;
+
+  portsToBlock = [
+    25545
+    25565
+    25570
+  ];
+  portsString = builtins.concatStringsSep "," (builtins.map builtins.toString portsToBlock);
+
+  # Block IPs for 20 days
+  expire = 60 * 60 * 24 * 20;
+
+  rules = table: [
+    "INPUT -i eth0 -p tcp -m multiport --dports ${portsString} -m state --state NEW -m recent --set"
+    "INPUT -i eth0 -p tcp -m multiport --dports ${portsString} -m state --state NEW -m recent --update --seconds 10 --hitcount 1 -j SET --add-set ${table} src"
+    "INPUT -i eth0 -p tcp -m set --match-set ${table} src -j nixos-fw-refuse"
+    "INPUT -i eth0 -p udp -m set --match-set ${table} src -j nixos-fw-refuse"
+  ];
+
+  create-rules = lib.concatStringsSep "\n" (
+    builtins.map (rule: "iptables -C " + rule + " || iptables -A " + rule) (rules "blocked")
+    ++ builtins.map (rule: "ip6tables -C " + rule + " || ip6tables -A " + rule) (rules "blocked6")
+  );
+
+  delete-rules = lib.concatStringsSep "\n" (
+    builtins.map (rule: "iptables -C " + rule + " && iptables -D " + rule) (rules "blocked")
+    ++ builtins.map (rule: "ip6tables -C " + rule + " && ip6tables -D " + rule) (rules "blocked6")
+  );
+in
+{
+
+  options.services.honeypot.enable = lib.mkEnableOption "Honeypot fail2ban system.";
+
+  config = lib.mkIf cfg.enable {
+    networking.firewall = {
+
+      extraPackages = [ pkgs.ipset ];
+      # allowedTCPPorts = portsToBlock;
+
+      # Restore ban list when starting up
+      extraCommands = ''
+        if test -f /var/lib/ipset.conf
+        then
+            ipset restore -! < /var/lib/ipset.conf
+        else
+            ipset -exist create blocked hash:ip ${if expire > 0 then "timeout ${toString expire}" else ""}
+            ipset -exist create blocked6 hash:ip family inet6 ${
+              if expire > 0 then "timeout ${toString expire}" else ""
+            }
+        fi
+        ${create-rules}
+      '';
+
+      # Save list when shutting down
+      extraStopCommands = ''
+        ipset -exist create blocked hash:ip ${if expire > 0 then "timeout ${toString expire}" else ""}
+        ipset -exist create blocked6 hash:ip family inet6 ${
+          if expire > 0 then "timeout ${toString expire}" else ""
+        }
+        ipset save > /var/lib/ipset.conf
+        ${delete-rules}
+      '';
+    };
+  };
+}
--- a/platforms/nixos/modules/services/secrets.nix
+++ b/platforms/nixos/modules/services/secrets.nix
@ -1,112 +0,0 @@
-# Secrets management method taken from here:
-# https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20
-
-# In my case, I pre-encrypt my secrets and commit them to git.
-
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-
-let
-  cfg = config.secrets;
-in
-
-{
-
-  options = {
-
-    secretsDirectory = lib.mkOption {
-      type = lib.types.path;
-      description = "Default path to place secrets.";
-      default = "/var/private";
-    };
-
-    secretsIdentityFile = lib.mkOption {
-      type = lib.types.path;
-      description = "Path containing decryption identity.";
-    };
-
-    secrets = lib.mkOption {
-      type = lib.types.attrsOf (
-        lib.types.submodule {
-          options = {
-            source = lib.mkOption {
-              type = lib.types.path;
-              description = "Path to encrypted secret.";
-            };
-            dest = lib.mkOption {
-              type = lib.types.str;
-              description = "Resulting path for decrypted secret.";
-            };
-            owner = lib.mkOption {
-              default = "root";
-              type = lib.types.str;
-              description = "User to own the secret.";
-            };
-            group = lib.mkOption {
-              default = "root";
-              type = lib.types.str;
-              description = "Group to own the secret.";
-            };
-            permissions = lib.mkOption {
-              default = "0400";
-              type = lib.types.str;
-              description = "Permissions expressed as octal.";
-            };
-            prefix = lib.mkOption {
-              default = "";
-              type = lib.types.str;
-              description = "Prefix for secret value (for environment files).";
-            };
-          };
-        }
-      );
-      description = "Set of secrets to decrypt to disk.";
-      default = { };
-    };
-  };
-
-  config = lib.mkIf (builtins.length cfg.secrets > 0) {
-
-    # Create a default directory to place secrets
-
-    systemd.tmpfiles.rules = [ "d ${config.secretsDirectory} 0755 root wheel" ];
-
-    # Declare oneshot service to decrypt secret using SSH host key
-    # - Requires that the secret is already encrypted for the host
-    # - Encrypt secrets: nix run github:nmasur/dotfiles#encrypt-secret
-
-    systemd.services = lib.mapAttrs' (name: attrs: {
-      name = "${name}-secret";
-      value = {
-
-        description = "Decrypt secret for ${name}";
-        wantedBy = [ "multi-user.target" ];
-        bindsTo = lib.mkIf config.services.wait-for-identity.enable [ "wait-for-identity.service" ];
-        after = lib.mkIf config.services.wait-for-identity.enable [ "wait-for-identity.service" ];
-        serviceConfig.Type = "oneshot";
-        script = ''
-          echo "${attrs.prefix}$(
-            ${pkgs.age}/bin/age --decrypt \
-                --identity ${config.secretsIdentityFile} ${attrs.source}
-          )" > ${attrs.dest}
-
-          chown '${attrs.owner}':'${attrs.group}' '${attrs.dest}'
-          chmod '${attrs.permissions}' '${attrs.dest}'
-        '';
-      };
-    }) config.secrets;
-
-    # Example declaration
-    # config.secrets.my-secret = {
-    #   source = ../../private/my-secret.age;
-    #   dest = "/var/lib/private/my-secret";
-    #   owner = "my-app";
-    #   group = "my-app";
-    #   permissions = "0440";
-    # };
-  };
-}