mirror of
https://github.com/nmasur/dotfiles
synced 2024-11-09 23:22:57 +00:00
lockdown caddy and ssh connections
This commit is contained in:
parent
01e71e5810
commit
e2af159c26
@ -1,8 +1,4 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
|
||||
in {
|
||||
{ config, pkgs, lib, ... }: {
|
||||
|
||||
options = {
|
||||
caddyRoutes = lib.mkOption {
|
||||
@ -20,6 +16,45 @@ in {
|
||||
apps.http.servers.main = {
|
||||
listen = [ ":443" ];
|
||||
routes = config.caddyRoutes;
|
||||
errors.routes = [{
|
||||
match = [{
|
||||
not = [{
|
||||
remote_ip.ranges = [
|
||||
|
||||
# Cloudflare IPv4: https://www.cloudflare.com/ips-v4
|
||||
"173.245.48.0/20"
|
||||
"103.21.244.0/22"
|
||||
"103.22.200.0/22"
|
||||
"103.31.4.0/22"
|
||||
"141.101.64.0/18"
|
||||
"108.162.192.0/18"
|
||||
"190.93.240.0/20"
|
||||
"188.114.96.0/20"
|
||||
"197.234.240.0/22"
|
||||
"198.41.128.0/17"
|
||||
"162.158.0.0/15"
|
||||
"104.16.0.0/13"
|
||||
"104.24.0.0/14"
|
||||
"172.64.0.0/13"
|
||||
"131.0.72.0/22"
|
||||
|
||||
# Cloudflare IPv6: https://www.cloudflare.com/ips-v6
|
||||
"2400:cb00::/32"
|
||||
"2606:4700::/32"
|
||||
"2803:f800::/32"
|
||||
"2405:b500::/32"
|
||||
"2405:8100::/32"
|
||||
"2a06:98c0::/29"
|
||||
"2c0f:f248::/32"
|
||||
|
||||
];
|
||||
}];
|
||||
}];
|
||||
handle = [{
|
||||
handler = "static_response";
|
||||
abort = true;
|
||||
}];
|
||||
}];
|
||||
};
|
||||
});
|
||||
|
||||
|
@ -25,6 +25,9 @@
|
||||
|
||||
users.users.${config.user}.openssh.authorizedKeys.keys =
|
||||
[ config.publicKey ];
|
||||
|
||||
# Implement a simple fail2ban service for sshd
|
||||
services.sshguard.enable = true;
|
||||
};
|
||||
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user