Add reverse-proxy configuration with DMZ-specific security

- Create reverse-proxy machine configuration for VPS edge server - Configure SSH access only via Tailscale (100.96.189.104) - Implement strict DMZ firewall rules (HTTP/HTTPS only externally) - Add enhanced fail2ban settings for DMZ environment - Include sma user with SSH key management - Configure Nginx reverse proxy with Let's Encrypt SSL - Add reverse-proxy to flake.nix nixosConfigurations Security features: - SSH only accessible through Tailscale interface - Aggressive fail2ban settings (24h ban, 3 max retries) - Firewall rejects all non-essential traffic - No common network config to avoid security conflicts
2025-06-05 16:47:52 +02:00 · 2025-06-05 16:47:52 +02:00 · 304e868e09
commit 304e868e09
parent 2530b918ca
3 changed files with 137 additions and 0 deletions
--- a/machines/reverse-proxy/configuration.nix
+++ b/machines/reverse-proxy/configuration.nix
@ -0,0 +1,80 @@
+{ pkgs, configs, lib, ... }:
+let
+  Host = "vps1.tail807ea.ts.net";
+in
+{
+  imports = [ 
+    ../../modules/common/base.nix
+    ../../modules/network/common.nix
+    ../../modules/users/sma.nix
+    ../../modules/security/ssh-keys.nix
+  ];
+
+  environment.systemPackages = with pkgs; [
+    neovim curl htop bottom fastfetch
+    tailscale git 
+  ];
+
+  # Override common.nix firewall settings for security
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 80 443 ]; # Only HTTP/HTTPS externally
+    allowedUDPPorts = [ ];
+    # SSH only allowed on Tailscale interface
+    interfaces.tailscale0.allowedTCPPorts = [ 22 ];
+  };
+
+  # Security services
+  services.fail2ban.enable = true;
+
+  # tailscale
+  services.tailscale.enable = true;
+
+  # Hostname configuration
+  networking.hostName = "reverse-proxy";
+  
+  # SSH configuration - only accessible via Tailscale
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = lib.mkForce "no";
+      PasswordAuthentication = false;
+    };
+    listenAddresses = [
+      {
+        addr = "100.96.189.104";  # Tailscale IP from About.org
+        port = 22;
+      }
+    ];
+  };
+  
+  # nginx reverse proxy
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = {
+      "git.geokkjer.eu" = {
+        addSSL = true;
+        enableACME = true;
+        locations."/".proxyPass = "http://apps:3000";
+      };
+      #"geokkjer.eu" = {
+      #  default = true;
+      #  forceSSL = true;
+      #  enableACME = true;
+      #  locations."/".proxyPass = "/var/wwww/homepage/";
+      #};
+    };
+  };
+  # acme let's encrypt
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+    email = "geir@geokkjer.eu";
+    };
+  };
+}