Add reverse-proxy configuration with DMZ-specific security

- Create reverse-proxy machine configuration for VPS edge server
- Configure SSH access only via Tailscale (100.96.189.104)
- Implement strict DMZ firewall rules (HTTP/HTTPS only externally)
- Add enhanced fail2ban settings for DMZ environment
- Include sma user with SSH key management
- Configure Nginx reverse proxy with Let's Encrypt SSL
- Add reverse-proxy to flake.nix nixosConfigurations

Security features:
- SSH only accessible through Tailscale interface
- Aggressive fail2ban settings (24h ban, 3 max retries)
- Firewall rejects all non-essential traffic
- No common network config to avoid security conflicts
Geir Okkenhaug Jerstad 2025-06-05 16:48:45 +02:00
parent 304e868e09
commit de9c028072

@ -5,7 +5,6 @@ in
{ {
imports = [ imports = [
../../modules/common/base.nix ../../modules/common/base.nix
../../modules/network/common.nix
../../modules/users/sma.nix ../../modules/users/sma.nix
../../modules/security/ssh-keys.nix ../../modules/security/ssh-keys.nix
]; ];
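Review bot: removing the `../../modules/network/common.nix` import takes away everything that module provides, not only the firewall settings the commit message says conflict with the DMZ rules. This file already sets `networking.hostName` itself, so that one survives, but whatever else common.nix contributes to other hosts is now silently absent here, and the commit message's "No common network config to avoid security conflicts" does not say which settings were the problem. Prefer keeping the import and overriding the offending options with `lib.mkForce` (the pattern this file already uses for `PermitRootLogin`), or add a comment at the import list naming what common.nix sets and why the edge host must not inherit it, so the next person does not re-add the import to "fix" a missing setting.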
@ -15,34 +14,47 @@ in
tailscale git tailscale git
]; ];
# Override common.nix firewall settings for security # Hostname configuration
networking.hostName = "reverse-proxy";
# DMZ-specific firewall configuration - very restrictive
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowedTCPPorts = [ 80 443 ]; # Only HTTP/HTTPS externally # Only allow HTTP/HTTPS from external network
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [ ]; allowedUDPPorts = [ ];
# SSH only allowed on Tailscale interface # SSH only allowed on Tailscale interface (DMZ security)
interfaces.tailscale0.allowedTCPPorts = [ 22 ]; interfaces.tailscale0.allowedTCPPorts = [ 22 ];
# Explicitly block all other traffic
rejectPackets = true;
}; };
# Security services # Security services
services.fail2ban.enable = true; services.fail2ban = {
enable = true;
# Extra aggressive settings for DMZ
bantime = "24h";
maxretry = 3;
};
# tailscale # Tailscale for secure management access
services.tailscale.enable = true; services.tailscale.enable = true;
# Hostname configuration # SSH configuration - ONLY accessible via Tailscale (DMZ security)
networking.hostName = "reverse-proxy";
# SSH configuration - only accessible via Tailscale
services.openssh = { services.openssh = {
enable = true; enable = true;
settings = { settings = {
PermitRootLogin = lib.mkForce "no"; PermitRootLogin = lib.mkForce "no";
PasswordAuthentication = false; PasswordAuthentication = false;
PubkeyAuthentication = true;
AuthenticationMethods = "publickey";
MaxAuthTries = 3;
ClientAliveInterval = 300;
ClientAliveCountMax = 2;
}; };
listenAddresses = [ listenAddresses = [
{ {
addr = "100.96.189.104"; # Tailscale IP from About.org addr = "100.96.189.104"; # Tailscale IP only
port = 22; port = 22;
} }
]; ];
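Review bot: the comment above `rejectPackets = true;` ("Explicitly block all other traffic") describes the wrong thing. The NixOS firewall already refuses any traffic not listed in `allowedTCPPorts`, `allowedUDPPorts` or the per-interface lists; `rejectPackets` only changes how that refusal happens, from silently dropping to answering with an ICMP unreachable or TCP RST. On an internet-facing edge host that is a step down rather than up: it lets a scanner tell a filtered port from a dead host and costs an outbound packet per probe. Either delete the line (the default is drop) or reword the comment to say that the reject behaviour is deliberate. Two smaller points in the same hunk: `listenAddresses` pins sshd to 100.96.189.104, so sshd can only bind once tailscale0 carries that address; if sshd starts before tailscaled has brought it up, the bind fails and the only management path is gone until the service is restarted, while the existing `interfaces.tailscale0.allowedTCPPorts = [ 22 ];` rule already confines SSH to that interface without the ordering dependency. And the stricter fail2ban settings (`bantime = "24h"; maxretry = 3;`) act on the default sshd jail, whose traffic now arrives only over Tailscale; the ports this host actually exposes are 80 and 443, and nothing in this hunk adds a jail for them.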