static networking configuration

added a handfull of tasks for vscode
added a fail2ban configuration for ssh
2025-12-16 14:32:45 +00:00 · 2025-11-15 12:43:04 +01:00 · 2025-11-05 18:33:40 +01:00 · 2025-11-05 17:50:20 +01:00 · 2025-11-05 17:38:46 +01:00
5 changed files with 222 additions and 43 deletions
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -0,0 +1,78 @@
+{
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "label": "Nix Flake Check",
+            "type": "shell",
+            "command": "nix",
+            "args": [
+                "flake",
+                "check"
+            ],
+            "group": {
+                "kind": "test",
+                "isDefault": true
+            },
+            "presentation": {
+                "echo": true,
+                "reveal": "always",
+                "focus": false,
+                "panel": "shared"
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Build VM",
+            "type": "shell",
+            "command": "nixos-rebuild",
+            "args": [
+                "build-vm",
+                "--flake",
+                ".#matrix"
+            ],
+            "group": {
+                "kind": "build",
+                "isDefault": true
+            },
+            "presentation": {
+                "echo": true,
+                "reveal": "always",
+                "focus": false,
+                "panel": "shared"
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Run VM",
+            "type": "shell",
+            "command": "./result/bin/run-matrix-vm",
+            "group": "test",
+            "dependsOn": "Build VM",
+            "presentation": {
+                "echo": true,
+                "reveal": "always",
+                "focus": false,
+                "panel": "shared"
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Clean VM",
+            "type": "shell",
+            "command": "rm",
+            "args": [
+                "-f",
+                "./matrix.qcow2"
+            ],
+            "group": "test",
+            "dependsOn": "Build VM",
+            "presentation": {
+                "echo": true,
+                "reveal": "always",
+                "focus": false,
+                "panel": "shared"
+            },
+            "problemMatcher": []
+        }
+    ]
+}
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@@ -2,10 +2,12 @@

 {
  imports = [
-    ./users/users.nix
-    ./modules/security.nix
    ./vps/hetzner/hardware-configuration.nix
+    ./modules/networking/networkingA.nix
+    ./modules/security.nix
+    ./users/users.nix
    ./modules/zsh.nix
+    ./modules/vm.nix
   ];

  # nix settings
@@ -33,8 +35,6 @@
  boot.initrd.kernelModules = [ "virtio_gpu" ];
  boot.kernelParams = [ "console=tty" ];  

-  networking.hostName = "matrix";
-
  # time zone
  time.timeZone = "Europe/Zurich";

@@ -60,43 +60,6 @@
  environment.systemPackages = with pkgs; [
  ];

-  virtualisation.vmVariant = {
-    # following configuration is added only when building VM with build-vm
-    virtualisation = {
-      memorySize = 4000;
-      cores = 2;
-      graphics = false;
-      diskSize = 5000; # 5GB, needed to prevent docker error running out of space
-
-      # Networking configuration
-      forwardPorts = [
-        { from = "host"; host.port = 2222; guest.port = 22; }
-      ];
-    };
-
-    # this is related to luks remote unlock via ssh
-    # Disable initrd secrets for VM builds to avoid secret error 
-    # Error is not present in real depolyments
-    boot.initrd.secrets = lib.mkForce {};
-
-    # Add VM-specific users
-    users.users.smith = {
-      isNormalUser = true;
-      description = "VM Test User";
-      extraGroups = [ "wheel" "networkmanager" ];
-      shell = pkgs.zsh;
-      initialPassword = "smith";
-      packages = with pkgs; [  ];
-    };
-
-    # VM-specific packages
-    environment.systemPackages = with pkgs; [
-    ];
-
-    # in order to build VM on x86_64 host
-    nixpkgs.hostPlatform = lib.mkForce "x86_64-linux";
-  };
-
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/nix/modules/networking/networkingA.nix
+++ b/nix/modules/networking/networkingA.nix
@@ -0,0 +1,73 @@
+{ config, pkgs, inputs, ... }:
+# this file provides a static networking configuration
+# https://docs.hetzner.com/cloud/servers/static-configuration/
+let
+  # IPv4 configuration
+  ipv4Address = "188.245.32.95";  # Hetzner assigned static IP
+  ipv4Gateway = "172.31.1.1";     # hetzner gateway
+  ipv4Netmask = 32;               # CIDR notation
+  
+  # IPv6 configuration
+  ipv6Address = "2a01:4f8:1c1b:9b71::1";
+  ipv6Gateway = "fe80::1";    # link-local gateway
+  ipv6PrefixLength = 64;
+  
+  # DNS servers
+  # hetzner nameservers
+  nameservers = [ "185.12.64.1" "185.12.64.2" "2a01:4ff:ff00::add:1" "2a01:4ff:ff00::add:2" ];
+
+  # Network interface name
+  interface = "enp1s0";
+
+  hostname = "matrix";
+in
+{
+  networking.hostName = hostname;
+  
+  # Disable DHCP globally
+  networking.useDHCP = false;
+  
+  # Configure network interface
+  networking.interfaces.${interface} = {
+    ipv4.addresses = [{
+      address = ipv4Address;
+      prefixLength = ipv4Netmask;
+    }];
+
+    # Add point-to-point route to gateway
+    # specific requirement of Hetzner
+    ipv4.routes = [{
+      address = ipv4Gateway;
+      prefixLength = 32;
+    }];
+    
+    ipv6.addresses = [{
+      address = ipv6Address;
+      prefixLength = ipv6PrefixLength;
+    }];
+  };
+  
+  # Set default gateway
+  networking.defaultGateway = {
+    address = ipv4Gateway;
+    interface = interface;
+  };
+  
+  networking.defaultGateway6 = {
+    address = ipv6Gateway;
+    interface = interface;
+  };
+  
+  # DNS configuration
+  networking.nameservers = nameservers;
+  
+  # Enable IPv6
+  networking.enableIPv6 = true;
+  
+  # Optional: Disable IPv6 privacy extensions for static config
+  networking.tempAddresses = "disabled";
+
+  # this is needed for remote LUKS unlock via ssh
+  # here we do not actually need a static ip configuration, hetzner will handle this anyway
+  boot.kernelParams = [ "ip=dhcp" ];
+}
--- a/nix/modules/security.nix
+++ b/nix/modules/security.nix
@@ -8,6 +8,7 @@
      PermitRootLogin = "no";                    # Disable root login
      PasswordAuthentication = false;            # Force SSH key auth only
      PubkeyAuthentication = true;               # Enable SSH keys
+      LogLevel = "VERBOSE";                      # More detailed logging, for fail2ban
    };
    ports = [ 22 ];
    # using the same key as for initrd
@@ -16,8 +17,29 @@
    ];
  };

+  services.fail2ban = {
+    enable = true;
+    maxretry = 5; # Ban IP after 5 failures
+    ignoreIP = [
+
+    ];
+    bantime = "24h"; # Ban IPs for one day on the first ban
+    bantime-increment = {
+      enable = true; # Enable increment of bantime after each violation
+      multipliers = "1 2 3 4 5 6 7"; # everytime one day more
+      maxtime = "168h"; # Do not ban for more than 1 week
+      overalljails = true; # Calculate the bantime based on all the violations
+    };
+    
+    # fail2ban ships with a default sshd jail, we override it here, to be explicit
+    jails.sshd.settings = {
+      port = 22; # explicit
+      maxretry = 5;
+    };
+  };
+
  # remote unlock for luks via ssh
-  boot.kernelParams = [ "ip=dhcp" ];
+  # https://nixos.wiki/wiki/Remote_disk_unlocking
  boot.initrd = {
    availableKernelModules = [ "virtio-pci" ];
    network = {
@@ -27,6 +49,7 @@
        port = 22;
        authorizedKeys = [ 
          (builtins.readFile ../users/keys/neo.pub) 
+          (builtins.readFile ../users/keys/morpheus.pub) 
        ];
        hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
        shell = "/bin/cryptsetup-askpass";
@@ -34,7 +57,8 @@
    };
  };

-  # Generate SSH host key for initrd
+  # Generate SSH host key for initrd (also LUKS remote unlock)
+  # we make sure it's the same ssh host key for both initrd and normal system
  system.activationScripts.initrd-ssh-key = {
    text = ''
      mkdir -p /etc/secrets/initrd
--- a/nix/modules/vm.nix
+++ b/nix/modules/vm.nix
@@ -0,0 +1,41 @@
+{ config, pkgs, inputs, lib, ... }:
+# this configuration will only be loaded inside of VMs build for testing purposes
+# none of this will be applied to real deployments
+{
+  virtualisation.vmVariant = {
+    # following configuration is added only when building VM with build-vm
+    virtualisation = {
+      memorySize = 4000;
+      cores = 2;
+      graphics = false;
+      diskSize = 5000; # 5GB, needed to prevent docker error running out of space
+
+      # Networking configuration
+      forwardPorts = [
+        { from = "host"; host.port = 2222; guest.port = 22; }
+      ];
+    };
+
+    # this is related to luks remote unlock via ssh
+    # Disable initrd secrets for VM builds to avoid secret error 
+    # Error is not present in real depolyments
+    boot.initrd.secrets = lib.mkForce {};
+
+    # Add VM-specific users
+    users.users.smith = {
+      isNormalUser = true;
+      description = "VM Test User";
+      extraGroups = [ "wheel" "networkmanager" ];
+      shell = pkgs.zsh;
+      initialPassword = "smith";
+      packages = with pkgs; [  ];
+    };
+
+    # VM-specific packages
+    environment.systemPackages = with pkgs; [
+    ];
+
+    # in order to build VM on x86_64 host
+    nixpkgs.hostPlatform = lib.mkForce "x86_64-linux";
+  };
+}
Author	SHA1	Message	Date
Henrik	da03d279b5	static networking configuration	2025-11-15 12:43:04 +01:00
Henrik	bc8bcd8a25	added a handfull of tasks for vscode	2025-11-05 18:33:40 +01:00
Henrik	c31f778ac2	added a fail2ban configuration for ssh	2025-11-05 17:50:20 +01:00
Henrik	f224a79f30	giving morpheus LUKS remote unlock capabilities	2025-11-05 17:38:46 +01:00