diff --git a/baldur/configuration.nix b/baldur/configuration.nix
index a967a5d..1332b11 100644
--- a/baldur/configuration.nix
+++ b/baldur/configuration.nix
@@ -35,6 +35,7 @@ with lib; {
     avahi = {
       enable = true;
       openFirewall = true;
+      interfaces = [ "ztmjfdwjkp" ];
       nssmdns = true;
       publish = {
         enable = true;
@@ -47,16 +48,25 @@ with lib; {
         ssh = "${pkgs.avahi}/etc/avahi/services/ssh.service";
       };
     };
-    fail2ban = {
+    fail2ban = { enable = true; bantime-increment.enable = true; };
+    nginx = {
       enable = true;
-      bantime-increment.enable = true;
-    };
-    openssh = {
-      enable = true;
-      openFirewall = true;
-      permitRootLogin = "prohibit-password";
-      passwordAuthentication = false;
+      recommendedProxySettings = true;
+      recommendedOptimisation = true;
+      recommendedGzipSettings = true;
+      recommendedTlsSettings = true;
+      virtualHosts = let ssl = { enableACME = true; forceSSL = true; }; in
+        {
+          "unimi.bertof.net" = ssl // { locations."/".extraConfig = "rewrite ^/(.*)$ https://homes.di.unimi.it/berto/$1 redirect ;"; };
+          "home-manager.bertof.net" = ssl // { locations."/".proxyPass = "http://loki.local:8123/"; };
+        };
     };
+    openssh = { enable = true; openFirewall = true; };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "filippo.berto95@gmail.com";
   };
 
   users.users.bertof = {
@@ -78,7 +88,7 @@ with lib; {
   networking.firewall = {
     enable = true;
     allowPing = true;
-    allowedTCPPorts = [ 8000 ];
+    allowedTCPPorts = [ 8000 80 443 ];
     # allowedUDPPorts = [ ];
     # extraCommands = ''iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns'';
   };
diff --git a/flake.nix b/flake.nix
index 29c8b71..f3d176f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -242,7 +242,7 @@
   };
 
   baldur = {
-    hostname = "baldur.local";
+    hostname = "baldur.bertof.net";
     profiles.system = {
       user = "root";
       path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.baldur;
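Review bot: The new `interfaces = [ "ztmjfdwjkp" ]` confines avahi's listeners to one interface, but the `openFirewall = true` two lines above is not scoped the same way — as far as I recall the NixOS avahi module implements it as a global `allowedUDPPorts = [ 5353 ]`, so mDNS stays reachable on every interface, including the public one this host is given a public name for in the same commit. If the intent is to keep mDNS on the overlay only, drop `openFirewall` and open the port per interface instead: `networking.firewall.interfaces.ztmjfdwjkp.allowedUDPPorts = [ 5353 ];`. The interface name looks like a ZeroTier device but nothing in the hunk says so; a comment such as `# ZeroTier overlay; keep mDNS/avahi off the public interface` would record why this specific name was chosen.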
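Review bot: The rewritten `openssh = { enable = true; openFirewall = true; };` silently drops the `passwordAuthentication = false;` and `permitRootLogin = "prohibit-password";` that the removed block carried, so sshd falls back to the module defaults — and the NixOS default for password authentication is to allow it — while the same commit opens 80/443 and gives the host a public DNS name, so port 22 is now exposed under a public name with password logins accepted. fail2ban with bantime-increment slows brute force but does not replace key-only auth; restore the two settings in the one-liner, e.g. `openssh = { enable = true; openFirewall = true; permitRootLogin = "prohibit-password"; passwordAuthentication = false; };` (or the `settings.PasswordAuthentication` / `settings.PermitRootLogin` forms if the pinned nixpkgs has moved to them). Separately, `home-manager.bertof.net` terminates TLS and forwards everything to `http://loki.local:8123/` with no access control at the proxy, which is only acceptable if that upstream authenticates on its own; the hunk cannot show whether it does, so a comment on that line stating the assumption would help the next reader. The `services` attribute set this hunk edits starts outside the hunk.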
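Review bot: Changing the deploy-rs target from `baldur.local` to `baldur.bertof.net` means deployments now open a root SSH session (`user = "root"` two lines below) to whatever that public name resolves to, and the new name will not yet be in the deployer's known_hosts, so the first deploy is trust-on-first-use unless the host key is pre-pinned. If the public name resolves to an internet-facing address rather than the overlay one, deploys also leave the private network they previously stayed on via mDNS; consider pointing `hostname` at the overlay address or adding the host key to the deployer's known_hosts before the first run, and a short comment on this line stating which address the name is expected to resolve to. The enclosing `baldur = { ... }` node definition continues past the hunk.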