commit 17e5e7a07d1203174d92c90d842c07d6b78fe060 · soopy.moe/gensokyo

+1

global/programs/security/default.nix

···

       3
       3
        
           ./crypto.nix

     

       4
       4
        
           ./sudo.nix

     

       5
       5
        
           ./pam.nix

     

       6
       6
       +
           ./firewall.nix

     

       6
       7
        
         ];

     

       7
       8
        
       }

+9 -4

global/programs/security/firewall.nix

···

       1
       1
        
       {...}: {

     

       2
       2
       +
         imports = [

     

       3
       3
       +
           ./ip-bans.nix

     

       4
       4
       +
         ];

     

       5
       5
       +
       

     

       2
       6
        
         networking.firewall = {

     

       3
       7
        
           enable = true;

     

       4
       8
        
       

     

       5
       5
       -
           trustedInterfaces = [

     

       6
       6
       -
             "tailscale0"

     

       7
       7
       -
           ];

     

       9
       9
       +
           # this was never needed because ts has been bypassing the firewall anyways. (by being higher on the list.)

     

       10
       10
       +
           # trustedInterfaces = [

     

       11
       11
       +
           #   "tailscale0"

     

       12
       12
       +
           # ];

     

       8
       13
        
         };

     

       9
       14
        
       

     

       10
       10
       -
         services.openssh.openFirewall = false;

     

       15
       15
       +
         # services.openssh.openFirewall = false;

     

       11
       16
        
       }

+10

global/programs/security/ip-bans.nix

···

       1
       1
       +
       {lib, ...}: let

     

       2
       2
       +
         banned = {

     

       3
       3
       +
           ip = [

     

       4
       4
       +
             "156.229.232.142" # added 2025-04-10: minecraft server scanner with 30m intervals

     

       5
       5
       +
           ];

     

       6
       6
       +
           ip6 = [];

     

       7
       7
       +
         };

     

       8
       8
       +
       in {

     

       9
       9
       +
         networking.firewall.extraCommands = builtins.concatStringsSep "\n" (lib.flatten (lib.mapAttrsToList (family: ips: builtins.map (ip: "${family}tables -w -I INPUT -s ${ip} -j DROP") ips) banned));

     

       10
       10
       +
       }