lockdown caddy and ssh connections

This commit is contained in:
Noah Masur 2022-10-13 23:40:30 +00:00
parent 01e71e5810
commit e2af159c26
2 changed files with 43 additions and 5 deletions


@ -1,8 +1,4 @@
{ config, pkgs, lib, ... }:
let
in {
{ config, pkgs, lib, ... }: {
options = {
caddyRoutes = lib.mkOption {
@ -20,6 +16,45 @@ in {
apps.http.servers.main = {
listen = [ ":443" ];
routes = config.caddyRoutes;
errors.routes = [{
match = [{
not = [{
remote_ip.ranges = [
# Cloudflare IPv4: https://www.cloudflare.com/ips-v4
"173.245.48.0/20"
"103.21.244.0/22"
"103.22.200.0/22"
"103.31.4.0/22"
"141.101.64.0/18"
"108.162.192.0/18"
"190.93.240.0/20"
"188.114.96.0/20"
"197.234.240.0/22"
"198.41.128.0/17"
"162.158.0.0/15"
"104.16.0.0/13"
"104.24.0.0/14"
"172.64.0.0/13"
"131.0.72.0/22"
# Cloudflare IPv6: https://www.cloudflare.com/ips-v6
"2400:cb00::/32"
"2606:4700::/32"
"2803:f800::/32"
"2405:b500::/32"
"2405:8100::/32"
"2a06:98c0::/29"
"2c0f:f248::/32"
];
}];
}];
handle = [{
handler = "static_response";
abort = true;
}];
}];
};
});
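Review bot: The Cloudflare-only matcher is attached to `errors.routes`, which (as far as I read Caddy's server config) is only consulted after a primary route has returned an error, so a client connecting directly to the origin from a non-Cloudflare address and hitting a route that succeeds is still served — the allowlist never runs for the normal path. The filter should be the first entry of `routes` itself, marked `terminal = true` so `config.caddyRoutes` is never reached for rejected peers; the same match/handle objects can be reused. Two caveats worth a comment next to the list: the ranges are a snapshot of the linked pages and will drift, and an edge-IP allowlist does not prove the request came through *your* zone (any other Cloudflare tenant pointing at this origin passes it), for which Cloudflare's Authenticated Origin Pulls (client-certificate mTLS) is the stronger control.
```nix
apps.http.servers.main = {
  listen = [ ":443" ];
  # Only Cloudflare edges may reach the origin; everything else is aborted
  # before any of config.caddyRoutes runs. Ranges are a snapshot — re-check
  # the linked lists periodically, and prefer Authenticated Origin Pulls.
  routes = [{
    match = [{
      not = [{
        remote_ip.ranges = [
          # … unchanged: Cloudflare IPv4/IPv6 ranges …
        ];
      }];
    }];
    handle = [{
      handler = "static_response";
      abort = true;
    }];
    terminal = true;
  }] ++ config.caddyRoutes;
};
```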


@ -25,6 +25,9 @@
users.users.${config.user}.openssh.authorizedKeys.keys =
[ config.publicKey ];
# Implement a simple fail2ban service for sshd
services.sshguard.enable = true;
};
}
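Review bot: Enabling sshguard with no whitelist means a few mistyped passphrases from the operator's own address will ban that address too, which is the easiest way to lock yourself out of a remote NixOS host; consider `services.sshguard.whitelist = [ "<admin CIDR>" ];` for any management network you connect from. Since this module already authenticates with `config.publicKey`, the larger reduction in attack surface is disabling password logins outright (`services.openssh.passwordAuthentication = false;`, name varies by NixOS version) unless that is set elsewhere — sshguard only rate-limits guesses, it does not remove the password path. The comment on the new line also misnames the tool; `# Block brute-force SSH sources via the firewall (sshguard, a fail2ban-style daemon)` is more accurate. The enclosing attribute set begins before this hunk.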