From e2af159c26347afd0926a4343fdc8f2101ff42ff Mon Sep 17 00:00:00 2001
From: Noah Masur <7386960+nmasur@users.noreply.github.com>
Date: Thu, 13 Oct 2022 23:40:30 +0000
Subject: [PATCH] lockdown caddy and ssh connections

---
 modules/services/caddy.nix | 45 +++++++++++++++++++++++++++++++++-----
 modules/services/sshd.nix  |  3 +++
 2 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/modules/services/caddy.nix b/modules/services/caddy.nix
index d737f34..02c8f00 100644
--- a/modules/services/caddy.nix
+++ b/modules/services/caddy.nix
@@ -1,8 +1,4 @@
-{ config, pkgs, lib, ... }:
-
-let
-
-in {
+{ config, pkgs, lib, ... }: {
   options = {
     caddyRoutes = lib.mkOption {
@@ -20,6 +16,45 @@ in {
       apps.http.servers.main = {
         listen = [ ":443" ];
         routes = config.caddyRoutes;
+        errors.routes = [{
+          match = [{
+            not = [{
+              remote_ip.ranges = [
+
+                # Cloudflare IPv4: https://www.cloudflare.com/ips-v4
+                "173.245.48.0/20"
+                "103.21.244.0/22"
+                "103.22.200.0/22"
+                "103.31.4.0/22"
+                "141.101.64.0/18"
+                "108.162.192.0/18"
+                "190.93.240.0/20"
+                "188.114.96.0/20"
+                "197.234.240.0/22"
+                "198.41.128.0/17"
+                "162.158.0.0/15"
+                "104.16.0.0/13"
+                "104.24.0.0/14"
+                "172.64.0.0/13"
+                "131.0.72.0/22"
+
+                # Cloudflare IPv6: https://www.cloudflare.com/ips-v6
+                "2400:cb00::/32"
+                "2606:4700::/32"
+                "2803:f800::/32"
+                "2405:b500::/32"
+                "2405:8100::/32"
+                "2a06:98c0::/29"
+                "2c0f:f248::/32"
+
+              ];
+            }];
+          }];
+          handle = [{
+            handler = "static_response";
+            abort = true;
+          }];
+        }];
       };
     });
diff --git a/modules/services/sshd.nix b/modules/services/sshd.nix
index 0161aba..094d624 100644
--- a/modules/services/sshd.nix
+++ b/modules/services/sshd.nix
@@ -25,6 +25,9 @@
   users.users.${config.user}.openssh.authorizedKeys.keys = [ config.publicKey ];
+
+  # Implement a simple fail2ban service for sshd
+  services.sshguard.enable = true;
 };
 }
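Review bot: The Cloudflare-only restriction in the second caddy.nix hunk is placed under `errors.routes`, which Caddy evaluates only after a primary handler has returned an error, so if the intent is to admit traffic exclusively from Cloudflare edges, a request from any other address that `config.caddyRoutes` serves successfully is never aborted. If that reading is right, the `not remote_ip` match with the `abort = true` handler should be the first entry of the server's main `routes` list (prepended ahead of `config.caddyRoutes`) so it runs on every request, and `errors.routes` can keep the same entry only as a fallback. The address ranges are also a point-in-time copy of the linked lists and will drift silently; a comment such as `# Snapshot of the published Cloudflare ranges at the time of this commit; must be refreshed by hand when Cloudflare updates them` would make the maintenance burden explicit. The enclosing `apps.http.servers.main` attrset and the surrounding config block start and end outside the hunk.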
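Review bot: Enabling sshguard with its defaults and no `services.sshguard.whitelist` can lock the administrator out of the host after a short run of failed logins from their own address (a mistyped key or agent confusion is enough), so the sshd.nix hunk should list trusted management addresses in that option or state why the default is acceptable. The added comment is also inaccurate, since sshguard is a separate daemon rather than fail2ban; suggest `# sshguard: temporarily firewall off peers with repeated failed SSH logins (fail2ban-like)`. The enclosing attrset starts outside the hunk.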