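{ pkgs, ... }:
{
  imports = [
    ../common/services/bind.nix
    ../common/services/prometheus-exporters-bind.nix
  ];

  # NOTE(review): the host firewall is switched off wholesale, so whatever the
  # imported bind and exporter modules listen on is reachable on every interface
  # with no host-level filtering. Prefer leaving it enabled and opening only the
  # DNS and exporter ports (networking.firewall.allowedTCPPorts /
  # allowedUDPPorts, or the per-interface variants). Left as-is here because the
  # ports those modules use are not visible from this file — confirm before
  # flipping it.
  networking.firewall.enable = false;

  # Push home public IP to carthage for fail2ban whitelisting.
  # Carthage has a systemd path unit that watches /var/lib/fail2ban/home-ip.txt
  # and dynamically updates fail2ban ignoreip when it changes.
  #
  # Whatever lands in that file ends up in carthage's fail2ban ignoreip, so the
  # value fetched below is treated as untrusted until it has been validated.
  #
  # TODO: disabled — needs SSH key setup on athena (see org TODO). Before
  # re-enabling, note:
  #   * `pkgs` is bound in the module arguments above; the original `{ ... }:`
  #     did not bind it, so `path = with pkgs; …` would not have evaluated.
  #   * carthage.vpn's host key must be provisioned on this host (for example
  #     via programs.ssh.knownHosts, or vincent's ~/.ssh/known_hosts since the
  #     unit runs as that user). The ssh call now requires a known host key;
  #     the original `StrictHostKeyChecking=no` accepted any key, which lets
  #     anyone able to redirect the VPN name receive the push unnoticed.
  #
  # systemd.services.push-home-ip = {
  #   description = "Push home public IP to carthage for fail2ban whitelist";
  #   serviceConfig = {
  #     Type = "oneshot";
  #     User = "vincent";
  #     Group = "users";
  #   };
  #   path = with pkgs; [
  #     curl
  #     openssh
  #     coreutils
  #   ];
  #   script = ''
  #     set -euo pipefail
  #     # -4: on a dual-stack host these services may answer with an IPv6
  #     # address; pin to IPv4 so the check below matches what we intend to
  #     # whitelist. `|| true` keeps set -e from exiting before the explicit
  #     # error message (the original `|| exit 1` only left the $(...) subshell).
  #     IP=$(curl -4 -sf --max-time 10 https://ifconfig.me \
  #       || curl -4 -sf --max-time 10 https://icanhazip.com \
  #       || true)
  #     IP=$(echo "$IP" | tr -d '[:space:]')
  #     if [ -z "$IP" ]; then
  #       echo "Failed to get public IP"
  #       exit 1
  #     fi
  #     # Only push something that is syntactically an IPv4 address. fail2ban's
  #     # ignoreip also accepts CIDR ranges and hostnames, so an unexpected
  #     # response body (error page, injected content) must never reach it.
  #     if ! [[ "$IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  #       echo "Refusing to push non-IPv4 value: $IP"
  #       exit 1
  #     fi
  #     echo "Home public IP: $IP"
  #     # Write to a temp file and rename so the path unit on carthage never
  #     # observes a half-written file.
  #     echo "$IP" | ssh -o StrictHostKeyChecking=yes -o ConnectTimeout=10 carthage.vpn \
  #       "cat > /var/lib/fail2ban/home-ip.txt.tmp && mv /var/lib/fail2ban/home-ip.txt.tmp /var/lib/fail2ban/home-ip.txt"
  #     echo "Pushed IP to carthage"
  #   '';
  # };
  #
  # systemd.timers.push-home-ip = {
  #   description = "Push home public IP to carthage every 5 minutes";
  #   wantedBy = [ "timers.target" ];
  #   timerConfig = {
  #     OnBootSec = "1min";
  #     OnUnitActiveSec = "5min";
  #     RandomizedDelaySec = "30s";
  #   };
  # };

  # Age-encrypted secret for imapfilter; mode 400 so only vincent can read it.
  age.secrets."icloud-vdemeester-password" = {
    file = ../../secrets/mails/icloud-vdemeester.age;
    mode = "400";
    owner = "vincent";
    group = "users";
  };
}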
61}