From 2dc8e8ff5adcc6432e7a2ff2883f2d94a4f4412a Mon Sep 17 00:00:00 2001 From: jdlugosz963 Date: Tue, 19 Dec 2023 23:12:40 +0100 Subject: Add fail2ban service and remove custom unsafe pattern for gitolite service. --- hipis/hipis.scm | 242 +++++++++++++++++++++++++++++--------------------------- 1 file changed, 125 insertions(+), 117 deletions(-) diff --git a/hipis/hipis.scm b/hipis/hipis.scm index 217eadb..3660782 100755 --- a/hipis/hipis.scm +++ b/hipis/hipis.scm @@ -4,12 +4,15 @@ #:use-module (gnu system) #:use-module (gnu packages version-control) #:use-module (gnu services) + #:use-module (gnu services security) #:use-module (gnu services networking) #:use-module (gnu services ssh) #:use-module (gnu services cgit) #:use-module (gnu services version-control) #:use-module (gnu services certbot) - #:use-module (gnu services web)) + #:use-module (gnu services web) + + #:use-module (hipis services web)) (define jdlugosz-ssh-pub (local-file "./jdlugosz.pub")) @@ -28,23 +31,23 @@ (define hipis (operating-system - (locale "en_US.utf8") - (timezone "Europe/Warsaw") - (keyboard-layout (keyboard-layout "pl")) - (host-name "hipis") - - (users (cons* - (user-account - (name "jakub") - (comment "Jakub Dlugosz") - (group "users") - (home-directory "/home/jakub") - (password (crypt "Init14ll-p455w0rd#$" "$6$abc")) - (supplementary-groups '("wheel" ;; sudo - "netdev" ;; network devices - "tty" - "input"))) - %base-user-accounts)) + (locale "en_US.utf8") + (timezone "Europe/Warsaw") + (keyboard-layout (keyboard-layout "pl")) + (host-name "hipis") + + (users (cons* + (user-account + (name "jakub") + (comment "Jakub Dlugosz") + (group "users") + (home-directory "/home/jakub") + (password (crypt "Init14ll-p455w0rd#$" "$6$abc")) + (supplementary-groups '("wheel" ;; sudo + "netdev" ;; network devices + "tty" + "input"))) + %base-user-accounts)) (packages (append (specifications->packages '("emacs-no-x-toolkit" 
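Review bot: The re-indented `user-account` on the new side still carries the initial password in clear text together with a fixed salt, `(password (crypt "Init14ll-p455w0rd#$" "$6$abc"))`, so both the plaintext and the resulting hash are committed to the repository and remain in its history. Since the `password` field takes an already-hashed string, the hash could be produced out of band and only that string kept in the file, e.g. `(password "<hashed-password-placeholder>")`, and the credential rotated, because this commit does not remove it from earlier revisions. The added `(hipis services web)` import is separated from the other `#:use-module` lines by a blank line, which the surrounding module list does not do elsewhere. The `operating-system` form starts in this hunk and continues past its end.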
@@ -55,40 +58,45 @@ "curl")) %base-packages)) - (services (cons* - (service openssh-service-type - (openssh-configuration - (permit-root-login 'prohibit-password) - (allow-empty-passwords? #f) - (password-authentication? #f) - (authorized-keys - `(("jakub" ,jdlugosz-ssh-pub))))) - - (service static-networking-service-type - (list (static-networking - (addresses - (list (network-address - (device "eth0") - (value "193.200.51.92/27")))) - (routes - (list (network-route - (destination "default") - (gateway "193.200.51.89")))) - (name-servers '("195.74.91.4 " "193.200.50.51"))) - - %loopback-static-networking)) - - (service gitolite-service-type - (gitolite-configuration - (admin-pubkey jdlugosz-ssh-pub) - (group "fcgiwrap") - (rc-file - (gitolite-rc-file (umask #o0027) - ;; Allow to set any configuration key - (git-config-keys ".*") - ;; Allow any text as a valid configuration value - (unsafe-pattern "^$") - )))) + (services (cons* + (service fail2ban-service-type + (fail2ban-configuration + (extra-jails + (list + (fail2ban-jail-configuration + (name "sshd") + (enabled? #t)))))) + + (service openssh-service-type + (openssh-configuration + (permit-root-login 'prohibit-password) + (allow-empty-passwords? #f) + (password-authentication? #f) + (authorized-keys + `(("jakub" ,jdlugosz-ssh-pub))))) + + (service static-networking-service-type + (list (static-networking + (addresses + (list (network-address + (device "eth0") + (value "193.200.51.92/27")))) + (routes + (list (network-route + (destination "default") + (gateway "193.200.51.89")))) + (name-servers '("195.74.91.4 " "193.200.50.51"))) + + %loopback-static-networking)) + + (service gitolite-service-type + (gitolite-configuration + (admin-pubkey jdlugosz-ssh-pub) + (group "fcgiwrap") + (rc-file + (gitolite-rc-file (umask #o0027) + ;; Allow to set any configuration key + (git-config-keys ".*"))))) ;;; Note to myself: ;;; 
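Review bot: The gitolite `rc-file` still sets `(git-config-keys ".*")`, so after dropping the custom `unsafe-pattern` every git configuration key remains settable from gitolite.conf even though the commit message only mentions the pattern; if the keys this setup actually needs are the ones cgit reads via `enable-git-config?`, a narrower pattern such as `(git-config-keys "cgit\\..*")` would limit what a repository admin can change. The new fail2ban `sshd` jail is enabled with defaults only, and with `password-authentication? #f` SSH keys are the sole login path, so a ban triggered by a misconfigured key on the administrator's own host would lock out the one remaining way in; if `fail2ban-jail-configuration` accepts an ignore list (I believe it has an `ignore-ip` field, worth confirming against the record definition), adding a known management address there would be prudent. The `services` list continues past the end of the hunk.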
@@ -101,74 +109,74 @@ ;;; /etc/letsencrypt/live/{domain} directory ;;; now you can uncomment cgit and nginx service type ;;; and after system reconfigure everything should be up and running. - (service certbot-service-type - (certbot-configuration - (email "me@jdlugosz.com") - (certificates - (list - (certificate-configuration - (domains '("jdlugosz.com" "git.jdlugosz.com")) - (deploy-hook %nginx-deploy-hook)))))) - - (service cgit-service-type - (cgit-configuration - (enable-commit-graph? #t) - (enable-html-serving? #t) - (remove-suffix? #t) - (nocache? #t) - (enable-log-filecount? #t) - (enable-log-linecount? #t) - (side-by-side-diffs? #t) - (enable-git-config? #t) - (section-from-path 1) - (repository-directory "/var/lib/gitolite/repositories/public/") - (source-filter (file-append cgit "/lib/cgit/filters/syntax-highlighting.py")) - (about-filter (file-append cgit "/lib/cgit/filters/about-formatting.sh")) - (max-stats "year") - (snapshots '("tar.gz" "zip")) - (readme "CGIT README") - - (nginx - (list - (nginx-server-configuration - (inherit %cgit-configuration-nginx) - (server-name '("git.jdlugosz.com")) - (listen '("443 ssl")) - (ssl-certificate (letsencrypt-certificate "jdlugosz.com")) - (ssl-certificate-key (letsencrypt-key "jdlugosz.com"))))))) - - (service nginx-service-type - (nginx-configuration - (server-blocks - (list - (nginx-server-configuration - (server-name '("jdlugosz.com")) - (listen '("443 ssl")) - (ssl-certificate (letsencrypt-certificate "jdlugosz.com")) - (ssl-certificate-key (letsencrypt-key "jdlugosz.com")) - (root "/srv/http/jdlugosz.com")))))) - - (modify-services %base-services - (delete static-networking-service-type)))) - - (bootloader (bootloader-configuration + (service certbot-service-type + (certbot-configuration + (email "me@jdlugosz.com") + (certificates + (list + (certificate-configuration + (domains '("jdlugosz.com" "git.jdlugosz.com")) + (deploy-hook %nginx-deploy-hook)))))) + + (service cgit-service-type + (cgit-configuration 
+ (enable-commit-graph? #t) + (enable-html-serving? #t) + (remove-suffix? #t) + (nocache? #t) + (enable-log-filecount? #t) + (enable-log-linecount? #t) + (side-by-side-diffs? #t) + (enable-git-config? #t) + (section-from-path 1) + (repository-directory "/var/lib/gitolite/repositories/public/") + (source-filter (file-append cgit "/lib/cgit/filters/syntax-highlighting.py")) + (about-filter (file-append cgit "/lib/cgit/filters/about-formatting.sh")) + (max-stats "year") + (snapshots '("tar.gz" "zip")) + (readme "CGIT README") + + (nginx + (list + (nginx-server-configuration + (inherit %cgit-configuration-nginx) + (server-name '("git.jdlugosz.com")) + (listen '("443 ssl")) + (ssl-certificate (letsencrypt-certificate "jdlugosz.com")) + (ssl-certificate-key (letsencrypt-key "jdlugosz.com"))))))) + + (service nginx-service-type + (nginx-configuration + (server-blocks + (list + (nginx-server-configuration + (server-name '("jdlugosz.com")) + (listen '("443 ssl")) + (ssl-certificate (letsencrypt-certificate "jdlugosz.com")) + (ssl-certificate-key (letsencrypt-key "jdlugosz.com")) + (root "/srv/http/jdlugosz.com")))))) + + (modify-services %base-services + (delete static-networking-service-type)))) + + (bootloader (bootloader-configuration (bootloader grub-bootloader) (targets (list "/dev/sda")) (keyboard-layout keyboard-layout))) - (initrd-modules (append '("virtio_scsi") %base-initrd-modules)) - (swap-devices (list (swap-space - (target (uuid - "1510f063-9936-494a-97ee-488fda7ff0fe"))))) - - ;; The list of file systems that get "mounted". The unique - ;; file system identifiers there ("UUIDs") can be obtained - ;; by running 'blkid' in a terminal. 
- (file-systems (cons* (file-system - (mount-point "/") - (device (uuid - "21ea8fcd-d031-4f00-9e57-0bd4ed5b0230" - 'ext4)) - (type "ext4")) %base-file-systems)))) + (initrd-modules (append '("virtio_scsi") %base-initrd-modules)) + (swap-devices (list (swap-space + (target (uuid + "1510f063-9936-494a-97ee-488fda7ff0fe"))))) + + ;; The list of file systems that get "mounted". The unique + ;; file system identifiers there ("UUIDs") can be obtained + ;; by running 'blkid' in a terminal. + (file-systems (cons* (file-system + (mount-point "/") + (device (uuid + "21ea8fcd-d031-4f00-9e57-0bd4ed5b0230" + 'ext4)) + (type "ext4")) %base-file-systems)))) hipis -- cgit v1.2.3