From f207532a0e34d6316ffc904e88097ee2c87b1505 Mon Sep 17 00:00:00 2001
From: tv
Date: Fri, 9 Dec 2022 16:01:25 +0100
Subject: hotdog: enable krebs.pages

---
 krebs/1systems/hotdog/config.nix | 1 +
 1 file changed, 1 insertion(+)
(limited to 'krebs/1systems')

diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index a34df4bdc..9849937d5 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -22,6 +22,7 @@
 krebs.build.host = config.krebs.hosts.hotdog;
 krebs.github-hosts-sync.enable = true;
+ krebs.pages.enable = true;
 boot.isContainer = true;
 networking.useDHCP = false;
-- 
cgit v1.2.3

From 54300dfe750340d1e61947400ea86f71dad877af Mon Sep 17 00:00:00 2001
From: tv
Date: Fri, 9 Dec 2022 17:00:03 +0100
Subject: ponte: enable krebs.pages

---
 krebs/1systems/ponte/config.nix | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'krebs/1systems')

diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix
index 8250ebad9..de01b92ca 100644
--- a/krebs/1systems/ponte/config.nix
+++ b/krebs/1systems/ponte/config.nix
@@ -8,4 +8,11 @@
 ];
 krebs.build.host = config.krebs.hosts.ponte;
+
+ krebs.pages.enable = true;
+ krebs.pages.nginx.addSSL = true;
+ krebs.pages.nginx.enableACME = true;
+
+ security.acme.acceptTerms = true;
+ security.acme.certs.${config.krebs.pages.domain}.email = "spam@krebsco.de";
 }
-- 
cgit v1.2.3

From 8062bf67e3481214883f0d41a624c0ccfb1cf275 Mon Sep 17 00:00:00 2001
From: tv
Date: Fri, 9 Dec 2022 17:11:30 +0100
Subject: ponte: open TCP 80 and 443

---
 krebs/1systems/ponte/config.nix | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'krebs/1systems')

diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix
index de01b92ca..ba817692f 100644
--- a/krebs/1systems/ponte/config.nix
+++ b/krebs/1systems/ponte/config.nix
@@ -7,6 +7,8 @@
 ];
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
 krebs.build.host = config.krebs.hosts.ponte;
 krebs.pages.enable = true;
-- 
cgit v1.2.3

From ea30ea8661dbc83f8d2f96f2c511aa04992d3ffe Mon Sep 17 00:00:00 2001
From: tv
Date: Fri, 9 Dec 2022 17:42:52 +0100
Subject: ponte firewall: disable logging

---
 krebs/1systems/ponte/config.nix | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'krebs/1systems')

diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix
index ba817692f..f896c507b 100644
--- a/krebs/1systems/ponte/config.nix
+++ b/krebs/1systems/ponte/config.nix
@@ -8,6 +8,8 @@
 ];
 networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.logRefusedConnections = false;
+ networking.firewall.logRefusedUnicastsOnly = false;
 krebs.build.host = config.krebs.hosts.ponte;
-- 
cgit v1.2.3

From b17cd6133b92b9f936ee83f86bb8ff8f54e9565d Mon Sep 17 00:00:00 2001
From: tv
Date: Fri, 9 Dec 2022 18:07:20 +0100
Subject: ponte: modify internet-facing SSH port

---
 krebs/1systems/ponte/config.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
(limited to 'krebs/1systems')

diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix
index f896c507b..2f55995cf 100644
--- a/krebs/1systems/ponte/config.nix
+++ b/krebs/1systems/ponte/config.nix
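Review bot: Setting `networking.firewall.logRefusedConnections = false;` drops the kernel-log record of rejected inbound SYNs, which on an Internet-facing host is the cheapest signal for noticing scans and brute-force attempts, and nothing in the hunk records that trade-off. A one-line comment above the pair would do, e.g. `# Internet-facing host: refused-connection logging is off to keep the kernel log readable; scans against this host are not recorded.` As far as I recall `logRefusedUnicastsOnly` only has an effect when `logRefusedPackets` is enabled, which this file does not set, so the second added line is likely a no-op and could be dropped or annotated with why it is there. The enclosing attribute set starts and ends outside the hunk.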
@@ -11,6 +11,21 @@
 networking.firewall.logRefusedConnections = false;
 networking.firewall.logRefusedUnicastsOnly = false;
+ # Move Internet-facing SSH port to reduce logspam.
+ networking.firewall.extraCommands = let
+ host = config.krebs.build.host;
+ in /* sh */ ''
+ iptables -t nat -A OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ iptables -t nat -A PREROUTING -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ iptables -t nat -A PREROUTING -d ${host.nets.retiolum.ip4.addr} -p tcp --dport 22 -j ACCEPT
+ iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 0
+
+ ip6tables -t nat -A OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ ip6tables -t nat -A PREROUTING -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ ip6tables -t nat -A PREROUTING -d ${host.nets.retiolum.ip6.addr} -p tcp --dport 22 -j ACCEPT
+ ip6tables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 0
+ '';
+
 krebs.build.host = config.krebs.hosts.ponte;
 krebs.pages.enable = true;
-- 
cgit v1.2.3
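Review bot: The eight `-A` rules are appended to the nat table unconditionally, and as far as I can tell the NixOS firewall re-runs `extraCommands` on every restart or reload while only tearing down its own `nixos-fw` chain, so after a few rebuilds PREROUTING and OUTPUT carry stacked duplicate redirects that are never removed and make the effective policy hard to audit. Keeping the PREROUTING rules in a dedicated chain that is flushed at the top of `extraCommands` and removed again in `networking.firewall.extraStopCommands`, with the single OUTPUT rule guarded by `-C`, keeps the result idempotent; the sketch below shows the IPv4 half, the ip6tables rules would get the same treatment. The `REDIRECT --to-ports 0` rule at the end of each family also deserves a comment, e.g. `# Port 22 from anywhere except retiolum is redirected to port 0, so it never reaches sshd.` The enclosing attribute set starts and ends outside the hunk.
```nix
  networking.firewall.extraCommands = let
    host = config.krebs.build.host;
  in /* sh */ ''
    # Dedicated nat chain, recreated or flushed on every run so a firewall
    # reload does not stack duplicate redirects (chain name is a sample).
    iptables -t nat -N ponte-ssh 2>/dev/null || iptables -t nat -F ponte-ssh
    iptables -t nat -C PREROUTING -p tcp -j ponte-ssh 2>/dev/null ||
      iptables -t nat -A PREROUTING -p tcp -j ponte-ssh
    iptables -t nat -A ponte-ssh -p tcp --dport 11423 -j REDIRECT --to-ports 22
    iptables -t nat -A ponte-ssh -d ${host.nets.retiolum.ip4.addr} -p tcp --dport 22 -j ACCEPT
    # Port 22 from anywhere except retiolum is redirected to port 0, so it never reaches sshd.
    iptables -t nat -A ponte-ssh -p tcp --dport 22 -j REDIRECT --to-ports 0
    iptables -t nat -C OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22 2>/dev/null ||
      iptables -t nat -A OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22
    # … same three chain rules and OUTPUT guard for ip6tables with ip6.addr …
  '';
  networking.firewall.extraStopCommands = ''
    iptables -t nat -D PREROUTING -p tcp -j ponte-ssh 2>/dev/null || true
    iptables -t nat -D OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22 2>/dev/null || true
    iptables -t nat -F ponte-ssh 2>/dev/null || true
    iptables -t nat -X ponte-ssh 2>/dev/null || true
    # … same for ip6tables …
  '';
```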