iofq/nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nix/nixos/modules/net.nix

105 lines
2.5 KiB
Nix
Raw Blame History

{ host, pkgs, config, lib, ...}:
let cfg = config.system-net; in {
options.system-net = {
enable = lib.mkOption {
type = lib.types.bool;
default = true;
};
dns = lib.mkOption {
type = lib.types.bool;
default = true;
};
openssh = {
enable = lib.mkOption {
type = lib.types.bool;
default = true;
};
ports = lib.mkOption {
type = lib.types.listOf lib.types.int;
default = [22];
};
};
tailscale = lib.mkOption {
type = lib.types.bool;
default = true;
};
nfs = lib.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf cfg.enable {
services = {
tailscale.enable = cfg.tailscale;
resolved = lib.mkIf cfg.dns {
enable = true;
fallbackDns = [
"1.1.1.1"
"9.9.9.9"
];
};
fail2ban = {
enable = true;
maxretry = 5;
bantime = "1h";
ignoreIP = [
"172.16.0.0/12"
"192.168.0.0/16"
"10.0.0.0/8"
"tailc353f.ts.net"
];
bantime-increment = {
enable = true;
multipliers = "1 2 4 8 16 32 64 128 256";
maxtime = "24h";
overalljails = true;
};
};
openssh = {
enable = cfg.openssh.enable;
ports = cfg.openssh.ports;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
PermitEmptyPasswords = false;
PermitTunnel = false;
UseDns = false;
KbdInteractiveAuthentication = false;
X11Forwarding = false;
MaxAuthTries = 3;
MaxSessions = 2;
ClientAliveInterval = 300;
ClientAliveCountMax = 0;
TCPKeepAlive = false;
AllowTcpForwarding = false;
AllowAgentForwarding = false;
LogLevel = "VERBOSE";
};
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
};
systemd = {
mounts = [{
type = "nfs";
mountConfig = {
Options = "noatime";
};
what = "consensus:/rice";
where = "/mnt/rice";
}];
automounts = [{
wantedBy = [ "multi-user.target" ];
automountConfig = {
TimeoutIdleSec = "600";
};
where = "/mnt/rice";
}];
};
};
}
Reference in a new issue View git blame Copy permalink