diff options
| author | Fuwn <[email protected]> | 2024-09-05 02:14:50 -0700 |
|---|---|---|
| committer | Fuwn <[email protected]> | 2024-09-05 02:14:50 -0700 |
| commit | 21db2e5762854966fb735e68d001e4ab6dbbbcbf (patch) | |
| tree | abb082f3a762b9dcddb66ece6dc5cbfcd314fb9f | |
| parent | Bump: docker (diff) | |
| download | nixos-config-21db2e5762854966fb735e68d001e4ab6dbbbcbf.tar.xz nixos-config-21db2e5762854966fb735e68d001e4ab6dbbbcbf.zip | |
Bump
| -rw-r--r-- | modules/system/access/ssh.nix | 45 | ||||
| -rw-r--r-- | modules/system/networking/fail2ban.nix | 16 | ||||
| -rw-r--r-- | modules/system/networking/firewall.nix | 17 | ||||
| -rw-r--r-- | modules/virtualisation/default.nix | 6 | ||||
| -rw-r--r-- | modules/virtualisation/docker.nix | 4 | ||||
| -rw-r--r-- | modules/virtualisation/libvirtd.nix | 25 | ||||
| -rw-r--r-- | modules/virtualisation/qemu.nix | 45 |
7 files changed, 105 insertions, 53 deletions
diff --git a/modules/system/access/ssh.nix b/modules/system/access/ssh.nix index b1fc187..8a2b30d 100644 --- a/modules/system/access/ssh.nix +++ b/modules/system/access/ssh.nix @@ -1,26 +1,35 @@ +{ lib, config, ... }: { programs.ssh.startAgent = false; - services.openssh = { - enable = true; - ports = [ 22 ]; - openFirewall = false; + services = { + fail2ban.jails.sshd.settings = { + enabled = true; + filter = "sshd[mode=aggressive]"; + port = lib.strings.concatStringsSep "," (map toString config.services.openssh.ports); + }; + + openssh = { + enable = true; + ports = [ 22 ]; + openFirewall = false; - settings = { - KexAlgorithms = [ - "curve25519-sha256" - "diffie-hellman-group16-sha512" - "diffie-hellman-group18-sha512" - "diffie-hellman-group-exchange-sha256" - ]; + settings = { + KexAlgorithms = [ + "curve25519-sha256" + "diffie-hellman-group16-sha512" + "diffie-hellman-group18-sha512" + "diffie-hellman-group-exchange-sha256" + ]; - Macs = [ - ]; + Macs = [ + ]; + }; }; }; } diff --git a/modules/system/networking/fail2ban.nix b/modules/system/networking/fail2ban.nix index fa45565..6311b14 100644 --- a/modules/system/networking/fail2ban.nix +++ b/modules/system/networking/fail2ban.nix @@ -1,18 +1,20 @@ -{ lib, config, ... }: +{ pkgs, lib, ... }: { services.fail2ban = { enable = false; + banaction = "nftables-multiport"; + banaction-allports = lib.mkDefault "nftables-allport"; + + extraPackages = with pkgs; [ + nftables + ipset + ]; ignoreIP = [ "10.0.0.0/8" "172.16.0.0/12" + "100.64.0.0/16" "192.168.0.0/16" ]; - - jails.sshd.settings = { - enabled = true; - filter = "sshd[mode=aggressive]"; - port = lib.strings.concatStringsSep "," (map toString config.services.openssh.ports); - }; }; } diff --git a/modules/system/networking/firewall.nix b/modules/system/networking/firewall.nix index 569089c..39c5b03 100644 --- a/modules/system/networking/firewall.nix +++ b/modules/system/networking/firewall.nix @@ -1,12 +1,15 @@ +{ lib, ... }: +let + inherit (lib) mkForce; +in { networking.firewall = { enable = true; - allowedUDPPorts = [ 53 ]; - allowPing = false; - - allowedTCPPorts = [ - 80 - 443 - ]; + allowedUDPPorts = mkForce [ ]; + allowedTCPPorts = mkForce [ ]; + allowPing = mkForce false; + logReversePathDrops = true; + logRefusedConnections = false; + checkReversePath = mkForce false; }; } diff --git a/modules/virtualisation/default.nix b/modules/virtualisation/default.nix index 765923f..e61cf6f 100644 --- a/modules/virtualisation/default.nix +++ b/modules/virtualisation/default.nix @@ -2,5 +2,11 @@ imports = [ ./docker.nix ./libvirtd.nix + ./qemu.nix ]; + + virtualisation = { + kvmgt.enable = true; + spiceUSBRedirection.enable = true; + }; } diff --git a/modules/virtualisation/docker.nix b/modules/virtualisation/docker.nix index 88d689a..570957a 100644 --- a/modules/virtualisation/docker.nix +++ b/modules/virtualisation/docker.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, ... }: +{ lib, ... }: { virtualisation.docker = { enable = true; @@ -10,7 +10,6 @@ daemon.settings = { default-runtime = "nvidia"; - runtimes.nvidia.path = "${pkgs.nvidia-docker}/bin/nvidia-container-runtime"; experimental = true; }; @@ -25,7 +24,6 @@ daemon.settings = { default-runtime = "nvidia"; - runtimes.nvidia.path = "${pkgs.nvidia-docker}/bin/nvidia-container-runtime"; experimental = true; }; }; diff --git a/modules/virtualisation/libvirtd.nix b/modules/virtualisation/libvirtd.nix index 4618c46..556135b 100644 --- a/modules/virtualisation/libvirtd.nix +++ b/modules/virtualisation/libvirtd.nix @@ -1,26 +1,15 @@ { pkgs, ... }: { boot.extraModprobeConfig = "options kvm_intel nested=1"; - environment.systemPackages = [ pkgs.virt-manager ]; + + environment.systemPackages = with pkgs; [ + virt-manager + virt-viewer + ]; virtualisation.libvirtd = { enable = true; - - qemu = { - package = pkgs.qemu_kvm; - runAsRoot = true; - swtpm.enable = true; - - ovmf = { - enable = true; - - packages = [ - (pkgs.OVMF.override { - secureBoot = true; - tpmSupport = true; - }).fd - ]; - }; - }; + onBoot = "ignore"; + onShutdown = "shutdown"; }; } diff --git a/modules/virtualisation/qemu.nix b/modules/virtualisation/qemu.nix new file mode 100644 index 0000000..d59f482 --- /dev/null +++ b/modules/virtualisation/qemu.nix @@ -0,0 +1,45 @@ +{ pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ + qemu_kvm + qemu + ]; + + hardware.pulseaudio.extraConfig = '' + load-module module-native-protocol-unix auth-group=qemu-libvirtd socket=/tmp/pulse-socket + ''; + + boot.kernelModules = [ "vfio-pci" ]; + + networking.firewall.trustedInterfaces = [ + "virbr0" + "br0" + ]; + + services.udev.extraRules = '' + SUBSYSTEM=="vfio", OWNER="root", GROUP="kvm" + ''; + + virtualisation.libvirtd.qemu = { + package = pkgs.qemu_kvm; + runAsRoot = false; + swtpm.enable = true; + + ovmf = { + enable = true; + + packages = [ + (pkgs.OVMFFull.override { + secureBoot = true; + tpmSupport = true; + }).fd + ]; + }; + + verbatimConfig = '' + namespaces = [] + + dynamic_ownership = 0 + ''; + }; +} |