authorDevin Finlinson <devin.finlinson@pm.me>2025-11-22 11:40:38 -0700
committerDevin Finlinson <devin.finlinson@pm.me>2025-11-22 11:40:38 -0700
commit383cc2770f6b3f954aeee69397e225b36de1a450 (patch)
treee0012c7c673924b4ce034f1941c8c94566d4181d
parente692206b275c6ad2e617b0bc410486715aa9fd45 (diff)
parent173df9aa7c7969acfea4c35a7d314bc61361b630 (diff)
Merge branch 'master' of ssh://bosco:/srv/git/.flake
-rw-r--r--flake.lock50
-rw-r--r--machines/biski/default.nix91
2 files changed, 114 insertions, 27 deletions
diff --git a/flake.lock b/flake.lock
index 832e04d..7c9f8e4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -310,7 +310,7 @@
"hugo-congo": {
"flake": false,
"locked": {
- "narHash": "sha256-1SjemV/8NUSjQB3SdmuM6ALnDsgGp8aQhrNUvJ0rxWU=",
+ "narHash": "sha256-2dyCZ+/p3lYMWr1MIQJSFxH2k/NsCNHxDWKAW0F7o7k=",
"type": "file",
"url": "https://github.com/jpanther/congo"
},
@@ -395,11 +395,11 @@
"xdph": "xdph"
},
"locked": {
- "lastModified": 1763071594,
- "narHash": "sha256-s5FF0rQE6UIBAUfqk5ZqGedU3bhW0OvXfmz5lzJGurY=",
+ "lastModified": 1763819976,
+ "narHash": "sha256-W/893N/ifviI1PP1BVIwhYhstN8s5UOsi5lvaYupXhA=",
"owner": "hyprwm",
"repo": "Hyprland",
- "rev": "43527d363472b52f17dd9f9f4f87ec25cbf8a399",
+ "rev": "e584a8bade2617899d69ae6f83011d0c1d2a9df7",
"type": "github"
},
"original": {
@@ -495,11 +495,11 @@
]
},
"locked": {
- "lastModified": 1758927902,
- "narHash": "sha256-LZgMds7M94+vuMql2bERQ6LiFFdhgsEFezE4Vn+Ys3A=",
+ "lastModified": 1763254292,
+ "narHash": "sha256-JNgz3Fz2KMzkT7aR72wsgu/xNeJB//LSmdilh8Z/Zao=",
"owner": "hyprwm",
"repo": "hyprlang",
- "rev": "4dafa28d4f79877d67a7d1a654cddccf8ebf15da",
+ "rev": "deea98d5b61d066bdc7a68163edd2c4bd28d3a6b",
"type": "github"
},
"original": {
@@ -572,11 +572,11 @@
]
},
"locked": {
- "lastModified": 1762387740,
- "narHash": "sha256-gQ9zJ+pUI4o+Gh4Z6jhJll7jjCSwi8ZqJIhCE2oqwhQ=",
+ "lastModified": 1763323331,
+ "narHash": "sha256-+Z0OfCo1MS8/aIutSAW5aJR9zTae1wz9kcJYMgpwN6M=",
"owner": "hyprwm",
"repo": "hyprutils",
- "rev": "926689ddb9c0a8787e58c02c765a62e32d63d1f7",
+ "rev": "0c6411851cc779d551edc89b83966696201611aa",
"type": "github"
},
"original": {
@@ -670,11 +670,11 @@
"spectrum": "spectrum"
},
"locked": {
- "lastModified": 1762200934,
- "narHash": "sha256-Bv4ZKRPsIc6W7qF1I2fevxFETqRNuG3XOsiRIfJ7YlQ=",
+ "lastModified": 1763429621,
+ "narHash": "sha256-xJD3vjEdDP+/XKLgPAkaX44s2xuiAeOhCdjs2jrALY4=",
"owner": "astro",
"repo": "microvm.nix",
- "rev": "1d05a3c26dbb9d4b1cd644e10713a70d8740cb6a",
+ "rev": "c4e4a264da114c618251b17eb4c959f86376e530",
"type": "github"
},
"original": {
@@ -828,11 +828,11 @@
},
"nixpkgs-unstable": {
"locked": {
- "lastModified": 1762844143,
- "narHash": "sha256-SlybxLZ1/e4T2lb1czEtWVzDCVSTvk9WLwGhmxFmBxI=",
+ "lastModified": 1763678758,
+ "narHash": "sha256-+hBiJ+kG5IoffUOdlANKFflTT5nO3FrrR2CA3178Y5s=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "9da7f1cf7f8a6e2a7cb3001b048546c92a8258b4",
+ "rev": "117cc7f94e8072499b0a7aa4c52084fa4e11cc9b",
"type": "github"
},
"original": {
@@ -860,11 +860,11 @@
},
"nixpkgs_3": {
"locked": {
- "lastModified": 1762756533,
- "narHash": "sha256-HiRDeUOD1VLklHeOmaKDzf+8Hb7vSWPVFcWwaTrpm+U=",
+ "lastModified": 1763622513,
+ "narHash": "sha256-1jQnuyu82FpiSxowrF/iFK6Toh9BYprfDqfs4BB+19M=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "c2448301fb856e351aab33e64c33a3fc8bcf637d",
+ "rev": "c58bc7f5459328e4afac201c5c4feb7c818d604b",
"type": "github"
},
"original": {
@@ -900,11 +900,11 @@
]
},
"locked": {
- "lastModified": 1762441963,
- "narHash": "sha256-j+rNQ119ffYUkYt2YYS6rnd6Jh/crMZmbqpkGLXaEt0=",
+ "lastModified": 1763319842,
+ "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=",
"owner": "cachix",
"repo": "git-hooks.nix",
- "rev": "8e7576e79b88c16d7ee3bbd112c8d90070832885",
+ "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761",
"type": "github"
},
"original": {
@@ -944,11 +944,11 @@
]
},
"locked": {
- "lastModified": 1763069729,
- "narHash": "sha256-A91a+K0Q9wfdPLwL06e/kbHeAWSzPYy2EGdTDsyfb+s=",
+ "lastModified": 1763607916,
+ "narHash": "sha256-VefBA1JWRXM929mBAFohFUtQJLUnEwZ2vmYUNkFnSjE=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "a2bcd1c25c1d29e22756ccae094032ab4ada2268",
+ "rev": "877bb495a6f8faf0d89fc10bd142c4b7ed2bcc0b",
"type": "github"
},
"original": {
diff --git a/machines/biski/default.nix b/machines/biski/default.nix
index 1255911..b05d289 100644
--- a/machines/biski/default.nix
+++ b/machines/biski/default.nix
@@ -34,6 +34,71 @@
};
security.pam.sshAgentAuth.enable = true;
+ services.rsyslogd = {
+ enable = true;
+ extraConfig = ''
+ $ModLoad imudp
+ $UDPServerRun 10514
+ *.* /var/log/rsyslog-remote.log
+ '';
+ };
+
+ environment.etc = {
+ "fail2ban/action.d/routeros.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+ [Init]
+
+ # SSH credentials to use to log into the router
+ user = FCWadmin
+ port = 2200
+ pubkey = /etc/fail2ban/.id_routeros
+
+ # SSH connection command
+ ssh = /run/current-system/sw/bin/ssh
+ cmd = <ssh> -i <pubkey> -p <port> <user>@64.77.244.138
+
+ # What to do on ban.
+ action = tarpit
+ chain = fail2ban
+
+ # Command-shortening aliases
+ iff = /ip/firewall/filter
+ what = src-address="<ip>" chain="<chain>"
+ addwhat = <what> dst-port="<port>" proto="tcp" action="<action>"
+
+ [Definition]
+
+ actionban = <cmd> '<iff> add <addwhat> place-before=0'
+ actionunban = <cmd> '<iff> remove numbers=[find <what>]'
+ '');
+
+ # Defines a filter for Mikrotik login failures by reading rsyslog
+ "fail2ban/filter.d/routeros-rsyslog-sshd.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+ [Definition]
+ _router = (<F-ROUTER>[a-zA-Z0-9.-]+</F-ROUTER>)
+ failregex = ^\s?<_router> .* login failure for user .* from <HOST> via ssh
+ '');
+ };
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ # Whitelist some subnets
+ "205.192.218.182/29"
+ "10.0.0.0/8"
+ ];
+ jails = {
+ routeros-rsyslog-sshd.settings = {
+ enabled = true;
+ filter = "routeros-rsyslog-sshd";
+ action = "routeros";
+ logpath = "/var/log/rsyslog-remote.log";
+ backend = "polling";
+ ignoreself = true;
+ maxretry = 3;
+ findtime = 600;
+ };
+ };
+ };
+
# Set your time zone.
time.timeZone = "US/Mountain";
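Review bot: The rsyslog listener enabled by `$UDPServerRun 10514` accepts unauthenticated datagrams from any sender and appends them verbatim to the file the `routeros-rsyslog-sshd` jail polls, so anyone who can reach that port can forge a `login failure for user x from <ip> via ssh` line and have `actionban` push a firewall rule for an address of their choosing onto the router; only the `ignoreIP` ranges are protected from this. At minimum bind and filter the listener before `$UDPServerRun`, e.g. `$UDPServerAddress <router-facing address>` and `$AllowedSender UDP, 64.77.244.138`, bearing in mind that UDP source addresses are spoofable, so a TCP/TLS transport (imtcp) or a network-edge restriction on the source is the stronger fix. The `cmd` line also invokes `ssh` with no host-key handling even though fail2ban runs it non-interactively; pinning the router key with `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/fail2ban/known_hosts` prevents a first-connect prompt from hanging the action and stops a substituted host from receiving the key-authenticated session. If `FCWadmin` is a full-admin RouterOS account, a dedicated user limited to the firewall write policy would bound what a compromise of `/etc/fail2ban/.id_routeros` on this host can do.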
@@ -65,8 +130,30 @@
};
# Open ports in the firewall.
- # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
+ networking.firewall.allowedTCPPorts = [ 25565 ];
+ networking.firewall.allowedUDPPorts = [ 10514 ];
+ networking.nftables = {
+ enable = true;
+ ruleset = ''
+ table ip nat {
+ chain PREROUTING {
+ type nat hook prerouting priority dstnat; policy accept;
+ iifname "eno1" tcp dport 25565 dnat to 100.64.0.2:25565
+ }
+ }
+ '';
+ };
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "eno1" ];
+ externalInterface = "tailscale0";
+ forwardPorts = [{
+ sourcePort = 25565;
+ proto = "tcp";
+ destination = "100.64.0.2:25565";
+ }];
+ };
+
# Or disable the firewall altogether.
# networking.firewall.enable = false;
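Review bot: `networking.firewall.allowedUDPPorts = [ 10514 ]` opens the syslog listener on every interface, including `eno1`, which the `PREROUTING` rule in this same hunk treats as the interface that receives inbound traffic, so the unauthenticated log feed that drives the fail2ban router action becomes reachable by any host that can reach this machine. A source-scoped rule is safer than the blanket allow, e.g. `networking.firewall.extraInputRules = "ip saddr 64.77.244.138 udp dport 10514 accept";` (available because `networking.nftables.enable = true` is set here). The `networking.nat` block also looks inverted relative to the hand-written rule: that rule DNATs packets arriving on `eno1`, whereas NixOS applies `forwardPorts` to packets arriving on `externalInterface`, which is `tailscale0` here, so the `forwardPorts` entry appears either redundant or to DNAT tailnet-side traffic unintentionally; if only the masquerade toward 100.64.0.2 is wanted, consider dropping `forwardPorts` and adding a comment explaining why `eno1` is listed as internal. This is inferred from the visible lines only; confirm against the generated ruleset with `nft list ruleset`.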