Add reverse-proxy configuration with DMZ-specific security

- Create reverse-proxy machine configuration for VPS edge server - Configure SSH access only via Tailscale (100.96.189.104) - Implement strict DMZ firewall rules (HTTP/HTTPS only externally) - Add enhanced fail2ban settings for DMZ environment - Include sma user with SSH key management - Configure Nginx reverse proxy with Let's Encrypt SSL - Add reverse-proxy to flake.nix nixosConfigurations Security features: - SSH only accessible through Tailscale interface - Aggressive fail2ban settings (24h ban, 3 max retries) - Firewall rejects all non-essential traffic - No common network config to avoid security conflicts
2025-06-05 16:47:52 +02:00 · 2025-06-05 16:47:52 +02:00 · 304e868e09
commit 304e868e09
parent 2530b918ca
3 changed files with 137 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@ -48,6 +48,18 @@
          ./modules/common/tty.nix
        ];
      };
+
+      # reverse-proxy - VPS edge server with Nginx reverse proxy
+      reverse-proxy = nixpkgs.lib.nixosSystem {
+        inherit system specialArgs;
+        modules = [
+          ./machines/reverse-proxy/configuration.nix
+          ./machines/reverse-proxy/gandicloud.nix
+          ./modules/common/nix.nix
+          ./modules/common/base.nix
+          ./modules/common/tty.nix
+        ];
+      };
    };

    # Custom packages for the home lab
@ -70,6 +82,7 @@
          echo "Available configurations:"
          echo "  - congenital-optimist (Threadripper workstation)"
          echo "  - sleeper-service (Xeon file server)"
+          echo "  - reverse-proxy (VPS edge server)"
          echo ""
          echo "Build with: nixos-rebuild build --flake .#<config>"
          echo "Switch with: nixos-rebuild switch --flake .#<config>"
--- a/machines/reverse-proxy/configuration.nix
+++ b/machines/reverse-proxy/configuration.nix
@ -0,0 +1,80 @@
+{ pkgs, configs, lib, ... }:
+let
+  Host = "vps1.tail807ea.ts.net";
+in
+{
+  imports = [ 
+    ../../modules/common/base.nix
+    ../../modules/network/common.nix
+    ../../modules/users/sma.nix
+    ../../modules/security/ssh-keys.nix
+  ];
+
+  environment.systemPackages = with pkgs; [
+    neovim curl htop bottom fastfetch
+    tailscale git 
+  ];
+
+  # Override common.nix firewall settings for security
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 80 443 ]; # Only HTTP/HTTPS externally
+    allowedUDPPorts = [ ];
+    # SSH only allowed on Tailscale interface
+    interfaces.tailscale0.allowedTCPPorts = [ 22 ];
+  };
+
+  # Security services
+  services.fail2ban.enable = true;
+
+  # tailscale
+  services.tailscale.enable = true;
+
+  # Hostname configuration
+  networking.hostName = "reverse-proxy";
+  
+  # SSH configuration - only accessible via Tailscale
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = lib.mkForce "no";
+      PasswordAuthentication = false;
+    };
+    listenAddresses = [
+      {
+        addr = "100.96.189.104";  # Tailscale IP from About.org
+        port = 22;
+      }
+    ];
+  };
+  
+  # nginx reverse proxy
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = {
+      "git.geokkjer.eu" = {
+        addSSL = true;
+        enableACME = true;
+        locations."/".proxyPass = "http://apps:3000";
+      };
+      #"geokkjer.eu" = {
+      #  default = true;
+      #  forceSSL = true;
+      #  enableACME = true;
+      #  locations."/".proxyPass = "/var/wwww/homepage/";
+      #};
+    };
+  };
+  # acme let's encrypt
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+    email = "geir@geokkjer.eu";
+    };
+  };
+}
--- a/machines/reverse-proxy/gandicloud.nix
+++ b/machines/reverse-proxy/gandicloud.nix
@ -0,0 +1,44 @@
+# This is the configuration required to run NixOS on GandiCloud.
+{ lib, modulesPath, ... }:
+{
+  imports = [
+    (modulesPath + "/virtualisation/openstack-config.nix")
+  ];
+  config = {
+    boot.initrd.kernelModules = [
+      "xen-blkfront" "xen-tpmfront" "xen-kbdfront" "xen-fbfront"
+      "xen-netfront" "xen-pcifront" "xen-scsifront"
+    ];
+
+    # Show debug kernel message on boot then reduce loglevel once booted
+    boot.consoleLogLevel = 7;
+    boot.kernel.sysctl."kernel.printk" = "4 4 1 7";
+
+    # For "openstack console log show"
+    boot.kernelParams = [ "console=ttyS0" ];
+    systemd.services."serial-getty@ttyS0" = {
+      enable = true;
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig.Restart = "always";
+    };
+
+    # The device exposed by Xen
+    boot.loader.grub.device = lib.mkForce "/dev/xvda";
+
+    # This is to get a prompt via the "openstack console url show" command
+    systemd.services."getty@tty1" = {
+      enable = lib.mkForce true;
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig.Restart = "always";
+    };
+
+    # This is required to get an IPv6 address on our infrastructure
+    networking.tempAddresses = "disabled";
+
+    nix.extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+
+    system.stateVersion = "23.05";
+  };
+}