From de9c028072f4a7a5f73dbebd6f6bb54af7de0680 Mon Sep 17 00:00:00 2001
From: Geir Okkenhaug Jerstad
Date: Thu, 5 Jun 2025 16:48:45 +0200
Subject: [PATCH] Add reverse-proxy configuration with DMZ-specific security

- Create reverse-proxy machine configuration for VPS edge server
- Configure SSH access only via Tailscale (100.96.189.104)
- Implement strict DMZ firewall rules (HTTP/HTTPS only externally)
- Add enhanced fail2ban settings for DMZ environment
- Include sma user with SSH key management
- Configure Nginx reverse proxy with Let's Encrypt SSL
- Add reverse-proxy to flake.nix nixosConfigurations

Security features:
- SSH only accessible through Tailscale interface
- Aggressive fail2ban settings (24h ban, 3 max retries)
- Firewall rejects all non-essential traffic
- No common network config to avoid security conflicts
---
 machines/reverse-proxy/configuration.nix | 34 ++++++++++++++++--------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/machines/reverse-proxy/configuration.nix b/machines/reverse-proxy/configuration.nix
index d8a8fa2..7242398 100644
--- a/machines/reverse-proxy/configuration.nix
+++ b/machines/reverse-proxy/configuration.nix
@@ -5,7 +5,6 @@ in {
   imports = [
     ../../modules/common/base.nix
-    ../../modules/network/common.nix
     ../../modules/users/sma.nix
     ../../modules/security/ssh-keys.nix
   ];
 
@@ -15,34 +14,47 @@ in
     tailscale
     git
   ];
-  # Override common.nix firewall settings for security
+  # Hostname configuration
+  networking.hostName = "reverse-proxy";
+
+  # DMZ-specific firewall configuration - very restrictive
   networking.firewall = {
     enable = true;
-    allowedTCPPorts = [ 80 443 ]; # Only HTTP/HTTPS externally
+    # Only allow HTTP/HTTPS from external network
+    allowedTCPPorts = [ 80 443 ];
     allowedUDPPorts = [ ];
-    # SSH only allowed on Tailscale interface
+    # SSH only allowed on Tailscale interface (DMZ security)
     interfaces.tailscale0.allowedTCPPorts = [ 22 ];
+    # Explicitly block all other traffic
+    rejectPackets = true;
   };
 
   # Security services
-  services.fail2ban.enable = true;
+  services.fail2ban = {
+    enable = true;
+    # Extra aggressive settings for DMZ
+    bantime = "24h";
+    maxretry = 3;
+  };
 
-  # tailscale
+  # Tailscale for secure management access
   services.tailscale.enable = true;
 
-  # Hostname configuration
-  networking.hostName = "reverse-proxy";
-
-  # SSH configuration - only accessible via Tailscale
+  # SSH configuration - ONLY accessible via Tailscale (DMZ security)
   services.openssh = {
     enable = true;
     settings = {
       PermitRootLogin = lib.mkForce "no";
       PasswordAuthentication = false;
+      PubkeyAuthentication = true;
+      AuthenticationMethods = "publickey";
+      MaxAuthTries = 3;
+      ClientAliveInterval = 300;
+      ClientAliveCountMax = 2;
     };
     listenAddresses = [
       {
-        addr = "100.96.189.104"; # Tailscale IP from About.org
+        addr = "100.96.189.104"; # Tailscale IP only
         port = 22;
       }
     ];
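Review bot: Pinning sshd to the Tailscale address in `listenAddresses` (the `addr = "100.96.189.104"` line) ties SSH availability to tailscale0 already owning that IP when sshd starts; tailscaled normally comes up later in boot, bind() on an address the host does not yet hold fails, and since this commit also drops `../../modules/network/common.nix` a reboot of the VPS can leave no management path at all. The firewall already confines SSH to the overlay (`interfaces.tailscale0.allowedTCPPorts = [ 22 ]` with no 22 in `allowedTCPPorts`), so either drop `listenAddresses` and rely on that rule, or keep it and add `boot.kernel.sysctl."net.ipv4.ip_nonlocal_bind" = 1;` together with `systemd.services.sshd.after = [ "tailscaled.service" ];` so the bind succeeds regardless of interface timing. Separately, the comment `# Explicitly block all other traffic` above `rejectPackets = true` is misleading: unlisted ports are refused with or without the option, which only changes the response from a silent drop to an active ICMP/TCP reject that confirms the host is up to anyone probing it. On a DMZ edge the default drop is the safer choice, so either remove the option or reword the comment to `# Reply with reject rather than silently dropping (reveals host liveness)`. The `services.openssh` block continues past the end of this hunk.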