diff --git a/configuration.nix b/configuration.nix
index 404c171..02c4f3d 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -55,7 +55,8 @@
 users.users.root = {
 packages = with pkgs; [
 kitty # for terminfo
- neofetch # for shits and giggles
+ fastfetch # for shits and giggles
+ tmux
 ];
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09"
@@ -69,16 +70,25 @@
 };
 networking = {
+ hostname = "matrix";
+ domain = "berlin.ccc.de";
+ nameservers = [
+ "2606:4700:4700::1111#one.one.one.one"
+ "2620:fe::fe#dns.quad9.net"
+ ];
+ useDHCP = false;
 useNetworkd = true;
- nftables.enable = true;
 dhcpcd.enable = false;
+ nftables.enable = true;
+ tempAddresses = "disabled";
 firewall = {
 enable = true;
 allowedTCPPorts = [
- 22 # SSH
+ 22
 80 # HTTP/1
 443 # HTTP/2
 8448 # Matrix federation
+ 10022 # SSH
 ];
 allowedUDPPorts = [
 443 # HTTP/3
@@ -94,7 +104,7 @@
 fstrim.enable = false; # Let Proxmox host handle fstrim
 openssh = {
 enable = true;
- openFirewall = true;
+ ports = [ 22 10022 ];
 settings = {
 PermitEmptyPasswords = "no";
 PermitRootLogin = "prohibit-password";
@@ -111,6 +121,10 @@
 \/_/\/_/\/_/\/__/\/_/ \/__/ \/_/ \/_/\//\/_/ \/____/\/____/\/____/ \/___/
 '';
 };
+ sshguard = {
+ enable = true;
+ services = [ "sshd" ];
+ };
 # Cache DNS lookups to improve performance
 resolved = {
 enable = true;
diff --git a/services/nginx.nix b/services/nginx.nix
index e8c1f7b..8ac5477 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -21,6 +21,7 @@ in
 recommendedGzipSettings = true;
 recommendedBrotliSettings = true;
 virtualHosts."${fqdn}" = {
+ default = true;
 quic = true;
 kTLS = true;
 forceSSL = true;
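Review bot: `hostname = "matrix";` is not a NixOS option — the module system spells it `networking.hostName`, so this should fail evaluation with an undefined-option error rather than rename the host; change it to `hostName = "matrix";`. The firewall still opens 22 alongside the new 10022, so moving SSH to a high port reduces nothing while both are listed; either drop 22 from `allowedTCPPorts` once clients have migrated, or keep the `# SSH` comment on 22 and say in a comment why both stay open. The `nameservers` entries use the `address#servername` form that systemd-resolved only acts on for DNS-over-TLS — worth confirming `services.resolved.dnsovertls` is set somewhere, because without it the server-name suffix is unused and resolution stays plaintext. The enclosing `networking` attrset continues past the end of the hunk.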
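Review bot: `ports = [ 22 10022 ];` keeps sshd on the standard port as well, so the nonstandard port is a convenience rather than an exposure reduction; if 22 is meant to disappear after clients move, make that visible with `ports = [ 22 10022 ]; # TODO drop 22 once all clients use 10022`. Removing `openFirewall = true;` also means the port list here and `networking.firewall.allowedTCPPorts` now have to be kept in sync by hand; leaving `openFirewall = true;` in place would open exactly the ports listed here and avoid that drift. The `settings` block continues outside the hunk.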
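Review bot: The new `sshguard` block has no `whitelist`, so the administrator's own source addresses can be blocked after a handful of failed attempts (an agent offering the wrong keys first is enough), which on a remote VM is a lockout; add `whitelist = [ "<admin prefix>" ];` for the networks you administer from. `services = [ "sshd" ];` appears to match the module's default and can be dropped or kept with a short comment. Since the same commit enables `networking.nftables`, it is worth checking that this NixOS release's sshguard module installs its block sets through nftables rather than the older iptables/ipset `extraCommands` path, otherwise attackers are detected but never blocked.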
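Review bot: `default = true;` makes the `${fqdn}` TLS vhost answer every request whose SNI/Host matches no other server, so scanners hitting the bare address receive this site's certificate, the ACME webroot and the `.well-known/matrix/*` documents. The usual pattern is a separate catch-all that refuses unknown names, e.g. `virtualHosts."_" = { default = true; rejectSSL = true; locations."/".return = "444"; };`, leaving this vhost to serve only its own name. If answering by address is intentional, a one-line comment above `default = true;` saying so would help the next reader. The vhost attrset continues outside the hunk.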
@@ -49,7 +50,7 @@ in
 ];
 locations = {
 "/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
- "/".return = "418 \"I'm a Teapot!\"";
+ "/".return = "418 \"🫖\"";
 "= /.well-known/matrix/client" = {
 return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.berlin.ccc.de\"}}'";
 extraConfig = ''
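Review bot: The `418 "🫖"` body is sent with nginx's `default_type` and no charset, so the non-ASCII body is likely to render as mojibake unless a UTF-8 content type is set elsewhere; if the body is meant to be seen, pair it with `extraConfig = "default_type 'text/plain; charset=utf-8';";` in that location, otherwise `"/".return = "418";` is simpler. The `"= /.well-known/matrix/client"` block's `extraConfig` continues outside the hunk.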