From 2e7905d1d3a147c5e55c5a429df24fbd42883511 Mon Sep 17 00:00:00 2001
From: Kopatz <7265381+Kropatz@users.noreply.github.com>
Date: Thu, 26 Oct 2023 16:16:30 +0200
Subject: [PATCH] configure ssh and rdp

---
 test-server/configuration.nix     | 13 +++++-------
 test-server/flake.nix             |  3 +++
 test-server/modules/ip-server.nix | 21 ++++++++++++++++++++
 test-server/modules/nginx.nix     | 32 +++++++++++++++++++++++++++++++
 test-server/modules/rdp.nix       |  5 +++++
 test-server/modules/ssh.nix       | 13 +++++++++++++
 6 files changed, 79 insertions(+), 8 deletions(-)
 create mode 100644 test-server/modules/ip-server.nix
 create mode 100644 test-server/modules/nginx.nix
 create mode 100644 test-server/modules/rdp.nix
 create mode 100644 test-server/modules/ssh.nix

diff --git a/test-server/configuration.nix b/test-server/configuration.nix
index 6112da8..b812c69 100644
--- a/test-server/configuration.nix
+++ b/test-server/configuration.nix
@@ -28,6 +28,8 @@ in{
   # Enable networking
   networking.networkmanager.enable = true;
+  networking.firewall.allowedTCPPorts = [ 22 53 80 443 ];
+  networking.firewall.allowedUDPPorts = [ 53 ];
   # Set your time zone.
   time.timeZone = "Europe/Vienna";
@@ -50,9 +52,9 @@ in{
   # Enable the X11 windowing system.
   services.xserver.enable = true;
-  # Enable the GNOME Desktop Environment.
-  services.xserver.displayManager.gdm.enable = true;
-  services.xserver.desktopManager.gnome.enable = true;
+  # Enable the KDE Desktop Environment.
+  services.xserver.displayManager.sddm.enable = true;
+  services.xserver.desktopManager.plasma5.enable = true;
   # Configure keymap in X11
   services.xserver = {
@@ -116,11 +118,6 @@ in{
   # wget
   ];
-  services.openssh.enable = true;
-
-  networking.firewall.allowedTCPPorts = [ 22 53 80 443 ];
-  networking.firewall.allowedUDPPorts = [ 53 ];
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave 
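Review bot: The firewall list moved into the first hunk still opens TCP and UDP 53, yet no DNS service appears anywhere in the patch; if a local resolver is intended (ip-server.nix lists 127.0.0.1 as its first nameserver), a comment naming it belongs here, otherwise 53 should be dropped from both lists rather than left listening on the LAN. Port 22 is also redundant with the openssh module's `openFirewall`, which defaults to true, and rdp.nix opens its own port through `services.xrdp.openFirewall`, so the host's exposed ports are now declared in three places. Keeping the explicit list here with a comment such as `# 22 ssh (also opened by services.openssh.openFirewall), 80/443 nginx, 53 <resolver — name it or remove>` would let the exposed surface be reviewed in one spot. The KDE switch in the second hunk is what rdp.nix's `startplasma-x11` relies on; a one-line comment on that dependency would help whoever later changes the desktop.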
diff --git a/test-server/flake.nix b/test-server/flake.nix
index 9b175f4..6ffdc24 100644
--- a/test-server/flake.nix
+++ b/test-server/flake.nix
@@ -19,6 +19,9 @@
         ./modules/acme.nix
         ./modules/samba.nix
         ./modules/backup.nix
+        ./modules/nginx.nix
+        ./modules/ssh.nix
+        ./modules/rdp.nix
         #./modules/dyndns.nix i think ddclient is deprecated
         #./modules/home-assistant.nix idk dont like this
         agenix.nixosModules.default
diff --git a/test-server/modules/ip-server.nix b/test-server/modules/ip-server.nix
new file mode 100644
index 0000000..1d22228
--- /dev/null
+++ b/test-server/modules/ip-server.nix
@@ -0,0 +1,21 @@
+{
+  networking = {
+    defaultGateway = "192.168.0.6";
+    hostname = "server";
+    useDHCP = false;
+    firewall.enable = true;
+    nameservers = [
+      "127.0.0.1"
+      "1.1.1.1"
+    ];
+    interfaces = {
+      #"enp11s0" = {
+      #  name = "eth0";
+      #};
+      ens33.ipv4.addresses = [{
+        address = "192.168.0.6";
+        prefixLength = 24;
+      }];
+    };
+  };
+}
\ No newline at end of file
diff --git a/test-server/modules/nginx.nix b/test-server/modules/nginx.nix
new file mode 100644
index 0000000..7a5e4c2
--- /dev/null
+++ b/test-server/modules/nginx.nix
@@ -0,0 +1,32 @@
+{
+  services.nginx = {
+    enable = true;
+
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    # Only allow PFS-enabled ciphers with AES256
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+    # Setup Nextcloud virtual host to listen on ports
+    virtualHosts = {
+      "kopatz.ddns.net" = {
+        serverAliases = [
+          "www.kopatz.ddns.net"
+          "server.home"
+          "server.local"
+          "192.168.0.6"
+        ];
+        root = "/var/www";
+        #forceSSL = true;
+        #enableACME = true;
+        locations."~* \\.(jpg)$".extraConfig= ''
+          add_header Access-Control-Allow-Origin *;
+        '';
+      };
+    };
+  };
+}
\ No newline at end of file
diff --git a/test-server/modules/rdp.nix b/test-server/modules/rdp.nix
new file mode 100644
index 0000000..fe75f13
--- /dev/null
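Review bot: The new `test-server/modules/ip-server.nix` created by this commit is not added to the module list here alongside nginx, ssh and rdp, so its static address, gateway and nameserver settings never take effect and configuration.nix keeps managing the network through NetworkManager. Either append `./modules/ip-server.nix` to this list or leave the file out of the commit; if it is intentionally parked for later, a commented entry in the style of the dyndns and home-assistant lines below would record that instead of leaving an unreferenced module in the tree.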
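Review bot: `defaultGateway` and the `ens33` address are both `192.168.0.6`, so once this module is imported the default route points at the host itself and nothing off the /24 — including the `1.1.1.1` fallback resolver — is reachable; the gateway needs to be the router's address. `hostname = "server"` is not a NixOS option (the option is `networking.hostName`), so evaluation fails on the unknown attribute the moment the module is imported. `firewall.enable = true` restates the default and can go, and since `useDHCP = false` sits next to `networking.networkmanager.enable = true` in configuration.nix, a comment should say which of the two is meant to manage `ens33`; the commented-out `enp11s0` block should either be deleted or explained.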
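Review bot: With `forceSSL` and `enableACME` commented out this vhost serves `/var/www` over plain HTTP only, so `recommendedTlsSettings` and the custom `sslCiphers` line have nothing to apply to and the 443 opened in configuration.nix has no listener behind it. If TLS is meant to come later, say so in a comment; otherwise enable both, since acme.nix is already imported by the flake. The `# Setup Nextcloud virtual host to listen on ports` comment describes nothing in this file and should read something like `# Static site for kopatz.ddns.net and its LAN aliases`. The `~* \\.(jpg)$` location sets `Access-Control-Allow-Origin *` for images; a one-line comment on which cross-origin consumer needs the wildcard would make that an intentional, reviewable choice.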
+++ b/test-server/modules/rdp.nix
@@ -0,0 +1,5 @@
+{
+  services.xrdp.enable = true;
+  services.xrdp.defaultWindowManager = "startplasma-x11";
+  services.xrdp.openFirewall = true;
+}
\ No newline at end of file
diff --git a/test-server/modules/ssh.nix b/test-server/modules/ssh.nix
new file mode 100644
index 0000000..2edc753
--- /dev/null
+++ b/test-server/modules/ssh.nix
@@ -0,0 +1,13 @@
+{
+  services.openssh = {
+    enable = true;
+    settings.PasswordAuthentication = false;
+    settings.KbdInteractiveAuthentication = false;
+    settings.PermitRootLogin = "no";
+  };
+
+  users.users.anon.openssh.authorizedKeys.keys = [
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDb14svyGa2WprTNrtaI5yRl9KP+wzmLueFsHQww0Y6D2CZ5ZEEwoGFg7PrjWzVa/tXYn5AO1ng5eMCRbZPjtX03of448HTAEV8B0BFV9BuemoIBf14TRZ6lhGfQvD7BlTVZ5jKGUUJBfRdf0CZ8Ed5dk77u0xGV8+p3dYAQXowOmOyYFiDg6baKQcLM5Pz2zVxK1GySehEJ4n7GYNjyv7hJhfWMbaE10rIB0V0TuM8yeYvBvIxfGfMzlm4izOHbuSYR1v6RCuQKn1JOQiYqAkYCsXG/4XssMXpl2KxGvp67OJNotIHzap8zRDr7KH8Sk8jHuBFCnqbxDEqzs72Qtan Kopatz@Kopatz-PC"
+    "ssh-rsa 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 kopatz@Kopatz-PC2"
+  ];
+}
\ No newline at end of file
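Review bot: `services.xrdp.openFirewall = true` exposes the RDP listener on every interface with no restriction, and xrdp sessions are, as far as I know, authenticated with the account password through PAM, so the key-only hardening applied to SSH in ssh.nix does not carry over to this second remote-login path. For a LAN test box that may be acceptable, but it should be written down, e.g. `# RDP logins are password-based and reachable from the whole LAN via openFirewall`, or the port left closed and the session reached through an SSH port forward instead. `defaultWindowManager = "startplasma-x11"` depends on the GNOME-to-plasma5 switch made in configuration.nix in this same commit; since the modules are imported independently, a comment here noting that dependency would save the next person a broken session.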
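Review bot: The authorized keys are attached to `users.users.anon`, whose definition is not in this patch; if the account is not declared elsewhere, this line implicitly creates a user submodule with neither `isNormalUser` nor `isSystemUser` set, which NixOS rejects at evaluation, and if it is declared elsewhere the module silently depends on that file. A comment such as `# 'anon' is declared in <file that defines the user>` above the key list would record the dependency. With `PasswordAuthentication` and `KbdInteractiveAuthentication` both false these keys are the only way in, so a note that the list must be correct before the first deploy (console access is the only recovery) belongs at the top of the block. The `22` kept in configuration.nix's `allowedTCPPorts` is redundant with this module's `openFirewall` default of true and can be removed or commented as intentional.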