enable fail2ban, fix network config

2026-03-27 01:17:42 -04:00 · 2024-02-05 22:38:53 -05:00 · 2024-02-05 22:38:53 -05:00 · 8753230721
commit 8753230721
parent d77634f7f7
5 changed files with 98 additions and 12 deletions
--- a/modules/hosts/nixos/hetznix01/default.nix
+++ b/modules/hosts/nixos/hetznix01/default.nix
@ -27,6 +27,62 @@

  programs.mtr.enable = true;

+  services = {
+    fail2ban.enable = true;
+    tailscale = {
+      enable = true;
+      authKeyFile = config.sops.secrets.tailscale_key.path;
+      extraUpFlags = [
+        "--advertise-exit-node"
+        "--operator"
+        "${username}"
+        "--ssh"
+      ];
+    };
+  };
+
+  sops = {
+    age.keyFile = /home/${username}/.config/sops/age/keys.txt;
+    defaultSopsFile = ./secrets.yaml;
+    secrets = {
+      local_git_config = {
+        owner = "${username}";
+        path = "/home/${username}/.gitconfig-local";
+      };
+      local_private_env = {
+        owner = "${username}";
+        path = "/home/${username}/.private-env";
+      };
+      tailscale_key = {
+        restartUnits = [ "tailscaled-autoconnect.service" ];
+      };
+    };
+  };
+
+  systemd.network = {
+    enable = true;
+    networks."10-wan" = {
+      matchConfig.Name = "enp1s0";
+      address = [
+        "167.235.18.32/32"
+        "2a01:4f8:c2c:2e49::1/64"
+      ];
+      dns = [
+        "185.12.64.1"
+        "185.12.64.2"
+        "2a01:4ff:ff00::add:1"
+        "2a01:4ff:ff00::add:2"
+      ];
+      routes = [
+        { routeConfig = { Destination = "172.31.1.1"; }; }
+        { routeConfig = { Gateway = "172.31.1.1"; GatewayOnLink = true; }; }
+        { routeConfig.Gateway = "fe80::1"; }
+      ];
+      # make the routes on this interface a dependency for network-online.target
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+
  users.users.${username} = {
    isNormalUser = true;
    description = "Gene Liverman";