Add reverse-proxy configuration with DMZ-specific security

- Create reverse-proxy machine configuration for VPS edge server - Configure SSH access only via Tailscale (100.96.189.104) - Implement strict DMZ firewall rules (HTTP/HTTPS only externally) - Add enhanced fail2ban settings for DMZ environment - Include sma user with SSH key management - Configure Nginx reverse proxy with Let's Encrypt SSL - Add reverse-proxy to flake.nix nixosConfigurations Security features: - SSH only accessible through Tailscale interface - Aggressive fail2ban settings (24h ban, 3 max retries) - Firewall rejects all non-essential traffic - No common network config to avoid security conflicts
2025-06-05 16:47:52 +02:00 · 2025-06-05 16:47:52 +02:00 · 304e868e09
commit 304e868e09
parent 2530b918ca
3 changed files with 137 additions and 0 deletions
--- a/machines/reverse-proxy/gandicloud.nix
+++ b/machines/reverse-proxy/gandicloud.nix
@ -0,0 +1,44 @@
+# This is the configuration required to run NixOS on GandiCloud.
+{ lib, modulesPath, ... }:
+{
+  imports = [
+    (modulesPath + "/virtualisation/openstack-config.nix")
+  ];
+  config = {
+    boot.initrd.kernelModules = [
+      "xen-blkfront" "xen-tpmfront" "xen-kbdfront" "xen-fbfront"
+      "xen-netfront" "xen-pcifront" "xen-scsifront"
+    ];
+
+    # Show debug kernel message on boot then reduce loglevel once booted
+    boot.consoleLogLevel = 7;
+    boot.kernel.sysctl."kernel.printk" = "4 4 1 7";
+
+    # For "openstack console log show"
+    boot.kernelParams = [ "console=ttyS0" ];
+    systemd.services."serial-getty@ttyS0" = {
+      enable = true;
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig.Restart = "always";
+    };
+
+    # The device exposed by Xen
+    boot.loader.grub.device = lib.mkForce "/dev/xvda";
+
+    # This is to get a prompt via the "openstack console url show" command
+    systemd.services."getty@tty1" = {
+      enable = lib.mkForce true;
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig.Restart = "always";
+    };
+
+    # This is required to get an IPv6 address on our infrastructure
+    networking.tempAddresses = "disabled";
+
+    nix.extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+
+    system.stateVersion = "23.05";
+  };
+}