lock the stuff down

stupidcomputer 2024-01-21 12:40:51 -06:00
parent 1e56e048a0
commit a852816503
2 changed files with 21 additions and 3 deletions


@ -144,6 +144,23 @@ in {
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
services.sslh = {
enable = true;
settings.protocols = [
{
host = "localhost";
name = "ssh";
port = "55555";
service = "ssh";
}
{
host = "localhost";
name = "tls";
port = "442";
}
];
};
# cgit
users = {
groups.git = { };
@ -279,6 +296,7 @@ in {
services.nginx.enable = true;
services.nginx.clientMaxBodySize = "100m";
services.nginx.defaultSSLListenPort = 442;
services.nginx.virtualHosts."beepboop.systems" = {
forceSSL = true;
@ -442,6 +460,6 @@ in {
networking.firewall = {
enable = true;
allowedTCPPorts = [ 5232 55555 22 80 443 ];
allowedTCPPorts = [ 80 443 ];
};
}
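Review bot: Removing 22 and 55555 from `allowedTCPPorts` in the last hunk closes those ports only if nothing else reopens them. `services.openssh.openFirewall` defaults to true on NixOS and opens every entry of `services.openssh.ports`, so sshd may still be reachable directly if its configuration (not visible in this diff) lists those ports. Since sslh now forwards to `localhost:55555` and `localhost:442`, the backends can be bound to loopback rather than relying on the firewall alone, e.g. `services.openssh.openFirewall = false;` and `services.openssh.listenAddresses = [ { addr = "127.0.0.1"; port = 55555; } ];`. Unless sslh runs in transparent mode, sshd and nginx will also see every client as 127.0.0.1, which weakens source-address logging and fail2ban-style blocking. A one-line comment above `services.sslh` naming the public port it multiplexes would make that trade-off visible.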


@ -210,11 +210,11 @@
"locked": {
"lastModified": 1,
"narHash": "sha256-iemuV19UU8TriqixcvwdRUTa8lIrxc3Krwt4bHpUUWE=",
"path": "/nix/store/gs6dzhqc1qncslkmwckp3q56y6i14w8s-source/builds",
"path": "/nix/store/26f187i54ky8clnmd0rbjvv8h3khgc5d-source/builds",
"type": "path"
},
"original": {
"path": "/nix/store/gs6dzhqc1qncslkmwckp3q56y6i14w8s-source/builds",
"path": "/nix/store/26f187i54ky8clnmd0rbjvv8h3khgc5d-source/builds",
"type": "path"
}
},