geir/home-lab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
home-lab/machines/reverse-proxy/configuration.nix
Geir Okkenhaug Jerstad 304e868e09 Add reverse-proxy configuration with DMZ-specific security 
- Create reverse-proxy machine configuration for VPS edge server
- Configure SSH access only via Tailscale (100.96.189.104)
- Implement strict DMZ firewall rules (HTTP/HTTPS only externally)
- Add enhanced fail2ban settings for DMZ environment
- Include sma user with SSH key management
- Configure Nginx reverse proxy with Let's Encrypt SSL
- Add reverse-proxy to flake.nix nixosConfigurations

Security features:
- SSH only accessible through Tailscale interface
- Aggressive fail2ban settings (24h ban, 3 max retries)
- Firewall rejects all non-essential traffic
- No common network config to avoid security conflicts
2025-06-05 16:47:52 +02:00

80 lines
No EOL
1.8 KiB
Nix
Raw Blame History

{ pkgs, configs, lib, ... }:
let
Host = "vps1.tail807ea.ts.net";
in
{
imports = [
../../modules/common/base.nix
../../modules/network/common.nix
../../modules/users/sma.nix
../../modules/security/ssh-keys.nix
];
environment.systemPackages = with pkgs; [
neovim curl htop bottom fastfetch
tailscale git
];
# Override common.nix firewall settings for security
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ]; # Only HTTP/HTTPS externally
allowedUDPPorts = [ ];
# SSH only allowed on Tailscale interface
interfaces.tailscale0.allowedTCPPorts = [ 22 ];
};
# Security services
services.fail2ban.enable = true;
# tailscale
services.tailscale.enable = true;
# Hostname configuration
networking.hostName = "reverse-proxy";
# SSH configuration - only accessible via Tailscale
services.openssh = {
enable = true;
settings = {
PermitRootLogin = lib.mkForce "no";
PasswordAuthentication = false;
};
listenAddresses = [
{
addr = "100.96.189.104"; # Tailscale IP from About.org
port = 22;
}
];
};
# nginx reverse proxy
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"git.geokkjer.eu" = {
addSSL = true;
enableACME = true;
locations."/".proxyPass = "http://apps:3000";
};
#"geokkjer.eu" = {
# default = true;
# forceSSL = true;
# enableACME = true;
# locations."/".proxyPass = "/var/wwww/homepage/";
#};
};
};
# acme let's encrypt
security.acme = {
acceptTerms = true;
defaults = {
email = "geir@geokkjer.eu";
};
};
}
Reference in a new issue View git blame Copy permalink