Add reverse-proxy configuration with DMZ-specific security

- Create reverse-proxy machine configuration for VPS edge server
- Configure SSH access only via Tailscale (100.96.189.104)
- Implement strict DMZ firewall rules (HTTP/HTTPS only externally)
- Add enhanced fail2ban settings for DMZ environment
- Include sma user with SSH key management
- Configure Nginx reverse proxy with Let's Encrypt SSL
- Add reverse-proxy to flake.nix nixosConfigurations

Security features:
- SSH only accessible through Tailscale interface
- Aggressive fail2ban settings (24h ban, 3 max retries)
- Firewall rejects all non-essential traffic
- No common network config to avoid security conflicts
Geir Okkenhaug Jerstad 2025-06-05 16:48:45 +02:00
parent 304e868e09
commit de9c028072

@ -5,7 +5,6 @@ in
{
imports = [
../../modules/common/base.nix
../../modules/network/common.nix
../../modules/users/sma.nix
../../modules/security/ssh-keys.nix
];
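Review bot: dropping the `../../modules/network/common.nix` import removes everything that module set for this host, not only the firewall settings the commit wants to override, and this file declares no interface, DHCP or nameserver configuration of its own, so basic connectivity on the VPS now falls back to NixOS defaults. Before merging, build this host (`nixos-rebuild build --flake .#reverse-proxy` or a `nix eval` of `config.networking`) and confirm the public interface and DNS still come up; it would also help to note in the file which common.nix settings were deliberately discarded, since "avoid security conflicts" in the commit message does not say what conflicted.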
@ -15,34 +14,47 @@ in
tailscale git
];
# Override common.nix firewall settings for security
# Hostname configuration
networking.hostName = "reverse-proxy";
# DMZ-specific firewall configuration - very restrictive
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ]; # Only HTTP/HTTPS externally
# Only allow HTTP/HTTPS from external network
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [ ];
# SSH only allowed on Tailscale interface
# SSH only allowed on Tailscale interface (DMZ security)
interfaces.tailscale0.allowedTCPPorts = [ 22 ];
# Explicitly block all other traffic
rejectPackets = true;
};
# Security services
services.fail2ban.enable = true;
services.fail2ban = {
enable = true;
# Extra aggressive settings for DMZ
bantime = "24h";
maxretry = 3;
};
# tailscale
# Tailscale for secure management access
services.tailscale.enable = true;
# Hostname configuration
networking.hostName = "reverse-proxy";
# SSH configuration - only accessible via Tailscale
# SSH configuration - ONLY accessible via Tailscale (DMZ security)
services.openssh = {
enable = true;
settings = {
PermitRootLogin = lib.mkForce "no";
PasswordAuthentication = false;
PubkeyAuthentication = true;
AuthenticationMethods = "publickey";
MaxAuthTries = 3;
ClientAliveInterval = 300;
ClientAliveCountMax = 2;
};
listenAddresses = [
{
addr = "100.96.189.104"; # Tailscale IP from About.org
addr = "100.96.189.104"; # Tailscale IP only
port = 22;
}
];
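Review bot: the "SSH only accessible through Tailscale" guarantee rests on the firewall, but NixOS's `services.openssh.openFirewall` defaults to true and adds the sshd port to `networking.firewall.allowedTCPPorts` on every interface, so as written port 22 is still allowed in on the public side and the `# Explicitly block all other traffic` comment does not hold; add `openFirewall = false;` beside `enable = true;` in `services.openssh` so that `interfaces.tailscale0.allowedTCPPorts = [ 22 ];` is the only rule admitting SSH. Two smaller points: binding sshd solely to `addr = "100.96.189.104"` makes it fail at boot if sshd starts before tailscaled has assigned that address (OpenSSH exits with "Cannot bind any address"), so either order the sshd unit after `tailscaled.service` and verify the address is present, or keep the wildcard bind and let the firewall rule be the control; and the comment `# Override common.nix firewall settings for security` is stale now that the common.nix import is removed in this same commit.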