geir/home-lab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
home-lab/machines/reverse-proxy/configuration.nix
Geir Okkenhaug Jerstad 4a57978f45 fixed nfs
2025-06-07 16:33:34 +00:00

107 lines
No EOL
2.7 KiB
Nix
Raw Blame History

{ pkgs, config, lib, ... }:
{
imports = [
./gandicloud.nix
../../modules/common/base.nix
../../modules/network/extraHosts.nix
../../modules/users/sma.nix
../../modules/security/ssh-keys.nix
];
environment.systemPackages = with pkgs; [
neovim curl htop bottom fastfetch
tailscale git
];
# Hostname configuration
networking.hostName = "reverse-proxy";
# DMZ-specific firewall configuration - very restrictive
networking.firewall = {
enable = true;
# Allow HTTP/HTTPS from external network and Git SSH on port 1337
allowedTCPPorts = [ 80 443 1337 ];
allowedUDPPorts = [ ];
# SSH only allowed from Tailscale network (100.64.0.0/10)
extraCommands = ''
# Allow SSH only from Tailscale network
iptables -A nixos-fw -p tcp --dport 22 -s 100.64.0.0/10 -j ACCEPT
iptables -A nixos-fw -p tcp --dport 22 -j DROP
'';
# Explicitly block all other traffic
rejectPackets = true;
};
# Security services
services.fail2ban = {
enable = true;
# Extra aggressive settings for DMZ
bantime = "24h";
maxretry = 3;
};
# Tailscale for secure management access
services.tailscale.enable = true;
# SSH configuration - ONLY accessible via Tailscale (DMZ security)
services.openssh = {
enable = true;
settings = {
PermitRootLogin = lib.mkForce "no";
PasswordAuthentication = false;
PubkeyAuthentication = true;
AuthenticationMethods = "publickey";
MaxAuthTries = 3;
ClientAliveInterval = 300;
ClientAliveCountMax = 2;
};
# Let SSH listen on default port, firewall restricts to Tailscale interface
# This allows Tailscale to assign IP dynamically based on hostname
};
# nginx reverse proxy
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"git.geokkjer.eu" = {
addSSL = true;
enableACME = true;
locations."/".proxyPass = "http://grey-area:3000";
};
#"geokkjer.eu" = {
# default = true;
# forceSSL = true;
# enableACME = true;
# locations."/".proxyPass = "/var/wwww/homepage/";
#};
};
# Stream configuration for SSH forwarding to Git server
streamConfig = ''
upstream git_ssh_backend {
server grey-area:22;
}
server {
listen 1337;
proxy_pass git_ssh_backend;
proxy_timeout 300s;
proxy_connect_timeout 10s;
proxy_responses 1;
}
'';
};
# acme let's encrypt
security.acme = {
acceptTerms = true;
defaults = {
email = "geir@geokkjer.eu";
};
};
}
Reference in a new issue View git blame Copy permalink