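{ pkgs, lib, inputs, ... }:

{
  imports = [
    ../../common/global
    ../../common/minimal-node.nix
    ./hardware.nix
    ./reverse-proxy.nix
  ];

  # VM console: virtio framebuffer in the initrd, plain tty as kernel console.
  boot.initrd.kernelModules = [ "virtio_gpu" ];
  boot.kernelParams = [ "console=tty" ];

  networking.hostName = "alo-cloud-1";

  # Tailscale exit node.
  #
  # SECURITY: an earlier revision of this file carried the Tailscale auth key
  # as a plaintext literal (services.tailscaleAutoconnect.authkey = "tskey-auth-...").
  # Anything committed to this repository, or evaluated into the Nix store, is
  # world-readable and must be treated as leaked: revoke that key in the
  # Tailscale admin console and issue a new one. The replacement key is read at
  # service start from a file provisioned outside the repo (agenix/sops-nix or
  # equivalent), so it never enters the store. The upstream services.tailscale
  # module already runs `tailscale up --auth-key file:<path> <extraUpFlags>`
  # when authKeyFile is set, so the separate tailscaleAutoconnect option is not
  # needed here.
  # TODO(review): the custom tailscaleAutoconnect module is defined elsewhere in
  # this repo; confirm it tolerates its authkey option being unset, or remove it.
  services.tailscale = {
    enable = true;
    # Must be readable by root at runtime and must NOT be a /nix/store path.
    # TODO(review): adjust to the path your secrets manager delivers the key to.
    authKeyFile = "/run/secrets/tailscale-authkey";
    # "server" enables IPv4/IPv6 forwarding and loose rp_filter, which an exit
    # node requires; mkForce overrides whatever ../../common sets.
    useRoutingFeatures = lib.mkForce "server";
    extraUpFlags = [ "--advertise-exit-node" ];
  };

  # Masquerade exit-node traffic from the tailnet out of the public interface.
  networking.nat = {
    enable = true;
    externalInterface = "enp1s0";
    internalInterfaces = [ "tailscale0" ];
  };

  # Firewall (overrides the global setting): only the reverse proxy is reachable
  # from the internet; every other service is reachable only over the tailnet.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 ];          # reverse proxy (public)
    allowedUDPPorts = [ 41641 ];           # Tailscale
    trustedInterfaces = [ "tailscale0" ];  # unrestricted from tailnet peers
  };

  # SSH: reachable only via Tailscale, key-based authentication only.
  services.openssh = {
    # The NixOS default (true) appends port 22 to allowedTCPPorts, which would
    # silently widen the "80/443 only" policy above. Port 22 remains reachable
    # over tailscale0 because that interface is trusted.
    openFirewall = false;
    # Bind only to this node's Tailscale address.
    # NOTE(review): sshd can bind this address only after tailscaled has brought
    # tailscale0 up with it assigned; if sshd fails at boot because the address
    # is not yet present, order sshd after tailscaled.service (or rely on the
    # firewall alone instead of listenAddresses).
    listenAddresses = [
      { addr = "100.75.147.49"; port = 22; }
    ];
    settings = {
      PasswordAuthentication = false;
      # Keyboard-interactive is another password path; disable it explicitly
      # so "keys only" does not depend on the NixOS default.
      KbdInteractiveAuthentication = false;
    };
  };
}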