configure ssh and rdp

2023-10-26 16:16:30 +02:00
parent 224f1c3562
commit 2e7905d1d3
6 changed files with 79 additions and 8 deletions
--- a/test-server/configuration.nix
+++ b/test-server/configuration.nix
@@ -28,6 +28,8 @@ in{

  # Enable networking
  networking.networkmanager.enable = true;
+  networking.firewall.allowedTCPPorts = [ 22 53 80 443 ];
+  networking.firewall.allowedUDPPorts = [ 53 ];

  # Set your time zone.
  time.timeZone = "Europe/Vienna";
@@ -50,9 +52,9 @@ in{
  # Enable the X11 windowing system.
  services.xserver.enable = true;

-  # Enable the GNOME Desktop Environment.
-  services.xserver.displayManager.gdm.enable = true;
-  services.xserver.desktopManager.gnome.enable = true;
+  # Enable the KDE Desktop Environment.
+  services.xserver.displayManager.sddm.enable = true;
+  services.xserver.desktopManager.plasma5.enable = true;

  # Configure keymap in X11
  services.xserver = {
@@ -116,11 +118,6 @@ in{
  #  wget
  ];

-  services.openssh.enable = true;
-
-  networking.firewall.allowedTCPPorts = [ 22 53 80 443 ];
-  networking.firewall.allowedUDPPorts = [ 53 ];
-
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/test-server/flake.nix
+++ b/test-server/flake.nix
@@ -19,6 +19,9 @@
        ./modules/acme.nix
        ./modules/samba.nix
        ./modules/backup.nix
+        ./modules/nginx.nix
+        ./modules/ssh.nix
+        ./modules/rdp.nix
        #./modules/dyndns.nix i think ddclient is deprecated
        #./modules/home-assistant.nix idk dont like this
        agenix.nixosModules.default
--- a/test-server/modules/ip-server.nix
+++ b/test-server/modules/ip-server.nix
@@ -0,0 +1,21 @@
+{
+  networking = {
+    defaultGateway = "192.168.0.6";
+    hostname = "server";
+    useDHCP = false;
+    firewall.enable = true;
+    nameservers = [
+      "127.0.0.1"
+      "1.1.1.1"
+    ];
+    interfaces = {
+      #"enp11s0" = {
+      #  name = "eth0";
+      #};
+      ens33.ipv4.addresses = [{
+        address = "192.168.0.6";
+        prefixLength = 24;
+      }];
+    };
+  };
+}
--- a/test-server/modules/nginx.nix
+++ b/test-server/modules/nginx.nix
@@ -0,0 +1,32 @@
+{
+    services.nginx = {
+        enable = true;
+
+        # Use recommended settings
+        recommendedGzipSettings = true;
+        recommendedOptimisation = true;
+        recommendedProxySettings = true;
+        recommendedTlsSettings = true;
+
+        # Only allow PFS-enabled ciphers with AES256
+            sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+        # Setup Nextcloud virtual host to listen on ports
+        virtualHosts = {
+            "kopatz.ddns.net" = {
+                serverAliases = [
+                    "www.kopatz.ddns.net"
+                    "server.home"
+                    "server.local"
+                    "192.168.0.6"
+                ];
+                root = "/var/www";
+                #forceSSL = true;
+                #enableACME = true;
+                locations."~* \\.(jpg)$".extraConfig= ''
+                    add_header Access-Control-Allow-Origin *;
+                '';
+            };
+        };
+    };
+}
--- a/test-server/modules/rdp.nix
+++ b/test-server/modules/rdp.nix
@@ -0,0 +1,5 @@
+{
+    services.xrdp.enable = true;
+    services.xrdp.defaultWindowManager = "startplasma-x11";
+    services.xrdp.openFirewall = true;
+}
--- a/test-server/modules/ssh.nix
+++ b/test-server/modules/ssh.nix
@@ -0,0 +1,13 @@
+{
+    services.openssh = {
+        enable = true;
+        settings.PasswordAuthentication = false;
+        settings.KbdInteractiveAuthentication = false;
+        settings.PermitRootLogin = "no";
+    };
+
+    users.users.anon.openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDb14svyGa2WprTNrtaI5yRl9KP+wzmLueFsHQww0Y6D2CZ5ZEEwoGFg7PrjWzVa/tXYn5AO1ng5eMCRbZPjtX03of448HTAEV8B0BFV9BuemoIBf14TRZ6lhGfQvD7BlTVZ5jKGUUJBfRdf0CZ8Ed5dk77u0xGV8+p3dYAQXowOmOyYFiDg6baKQcLM5Pz2zVxK1GySehEJ4n7GYNjyv7hJhfWMbaE10rIB0V0TuM8yeYvBvIxfGfMzlm4izOHbuSYR1v6RCuQKn1JOQiYqAkYCsXG/4XssMXpl2KxGvp67OJNotIHzap8zRDr7KH8Sk8jHuBFCnqbxDEqzs72Qtan Kopatz@Kopatz-PC"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCsicFT8H/XHR3c0nN6f3dmChxLlkIYalUEQPqP2qROkX7Na6cMXoFiRvegvVPBCgR+DKagp7G2fttZVZ51yBBZ4G/rzDMgKIFgTDNaDeyGWx2n2zCHM5/wletoqTU6ezOUKOEvOfpsZnpcUqVmYtxlrMpakItrtSO+5mawlTKiDTqtazxLfFuyQFzlXVfVcJacxEupd+Ilmp8Y/e8pp6+jGYZ9asNuQKuGDaCepkhsPEGq/cK9AqaATdx/F81H1metV+kf6A3eDlcyzZy+x41GSofiR6HFgUzYafe5uddMVtL7JIKHHPQVpMMqPxkD3tphozh0fq3C9v8aThcqkvoU9eFD7PcN+8U6guA6Qf7cysGXb3pnvrfSeKGlxxpUAxLcpHlJnP66c7/TVRe2buAYFQqykrmRmJfLwqpY2UHoshpcGTwULslEHCMC5/wgc3BPgVGUB148d7F36bS1jTJlRGqwzf712CKnwW122xTZawgybrr8A5Q/bSRFtpz5wys= kopatz@Kopatz-PC2"
+    ];
+}