
- Update Forgejo service configuration on grey-area - Refine reverse-proxy network configuration - Add README_new.md with enhanced documentation structure - Update instruction.md with latest workflow guidelines - Enhance plan.md with additional deployment considerations - Complete PR template restructuring for professional tone These changes improve service reliability and documentation clarity while maintaining infrastructure consistency across all machines.
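{ pkgs, config, lib, ... }:

# DMZ reverse proxy for the public git host.  Terminates TLS for
# git.geokkjer.eu, relays Git-over-SSH on port 1337 to the internal
# machine "grey-area", and is meant to be managed over Tailscale.
# Public SSH on port 22 is explicitly marked temporary below.
{
  imports = [
    ./gandicloud.nix
    ../../modules/common/base.nix
    ../../modules/network/extraHosts.nix
    ../../modules/users/sma.nix
    ../../modules/security/ssh-keys.nix
  ];

  environment.systemPackages = with pkgs; [
    neovim curl htop bottom fastfetch
    tailscale git
  ];

  # Hostname configuration
  networking.hostName = "reverse-proxy";

  # DMZ-specific firewall configuration - simplified for testing
  networking.firewall = {
    enable = true;
    # Allow HTTP/HTTPS from external network and Git SSH on port 1337.
    # Temporarily allow SSH from everywhere - rely on fail2ban for protection.
    # TODO: once Tailscale management access is confirmed, move 22 under
    # networking.firewall.interfaces.tailscale0.allowedTCPPorts so that
    # management SSH is no longer reachable from the public interface.
    allowedTCPPorts = [ 22 80 443 1337 ];
    allowedUDPPorts = [ ];
    # Unlisted ports are blocked either way; rejectPackets only decides how:
    # true answers with a reject (the host is visibly present), false drops
    # silently.  Kept as reject for easier debugging while testing.
    rejectPackets = true;
  };

  # Security services
  services.fail2ban = {
    enable = true;
    # Extra aggressive settings for DMZ.  Note that the default jail watches
    # this host's own sshd only; connections relayed on port 1337 (see the
    # nginx stream block) are not covered by it.
    bantime = "24h";
    maxretry = 3;
  };

  # Tailscale for secure management access
  services.tailscale.enable = true;

  # SSH configuration - temporarily simplified for testing
  services.openssh = {
    enable = true;
    settings = {
      # mkForce wins over any PermitRootLogin value set by the imported modules
      PermitRootLogin = lib.mkForce "no";
      PasswordAuthentication = false;
      PubkeyAuthentication = true;
      AuthenticationMethods = "publickey";
      MaxAuthTries = 3;
      # Idle sessions are dropped after 2 unanswered keepalives (2 x 300 s)
      ClientAliveInterval = 300;
      ClientAliveCountMax = 2;
    };
  };

  # nginx reverse proxy
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      "git.geokkjer.eu" = {
        # forceSSL (instead of addSSL) redirects plain-HTTP requests to HTTPS,
        # so Forgejo logins and session cookies are never sent in cleartext.
        # Port 80 stays open for the redirect and the ACME http-01 challenge.
        forceSSL = true;
        enableACME = true;
        # "grey-area" is presumably resolved via ../../modules/network/extraHosts.nix
        locations."/".proxyPass = "http://grey-area:3000";
      };
      # Static homepage, not enabled yet.  A filesystem path belongs in
      # `root`, not in proxyPass.
      #"geokkjer.eu" = {
      #  default = true;
      #  forceSSL = true;
      #  enableACME = true;
      #  root = "/var/www/homepage";
      #};
    };

    # Stream configuration for SSH forwarding to Git server.
    # This is a plain TCP relay: grey-area's sshd sees this proxy as the
    # client for every relayed session, so any per-client banning on
    # grey-area would hit the proxy itself rather than the abusive client.
    # Connection limiting for port 1337, if wanted, has to live here
    # (e.g. the stream module's limit_conn) — TODO confirm approach.
    # proxy_responses is a UDP-only directive and has no effect on a TCP
    # listener, so it is intentionally not set.
    streamConfig = ''
      upstream git_ssh_backend {
        server grey-area:22;
      }

      server {
        listen 1337;
        proxy_pass git_ssh_backend;
        # idle-session cutoff and upstream connect cutoff
        proxy_timeout 300s;
        proxy_connect_timeout 10s;
      }
    '';
  };

  # acme let's encrypt
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "geir@geokkjer.eu";
    };
  };
}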