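# DMZ preset: a bundle of defaults for an internet-facing host, switched on
# with `local.preset.dmz.enable`.  Everything set through `mkDefault` below can
# be overridden by the importing host; values set without it (marked "pinned"
# in the comments) need `mkForce` to change.
{ config, lib, pkgs, ... }:
with lib; let
  cfg = config.local.preset.dmz;
in
{
  options.local.preset.dmz = {
    enable = mkEnableOption "dmz preset";

    container = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether this DMZ host runs as a container rather than as a full
        machine (bare metal or VM).  When true the preset skips the boot
        settings that only make sense for a full machine (EFI and the
        LUKS/ext4/fscrypt impermanence stack), enables
        `local.boot.namespaced`, and relaxes the NixOS check that at least one
        user has a password or SSH key.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    local = {
      boot = {
        # Hardened kernel by default on an exposed host; overridable per host.
        kernel = mkDefault pkgs.linuxPackages_hardened;
        loader = mkDefault "grub";

        # Full-machine concerns only: a container has no EFI of its own.
        efi.enable = mkDefault (!cfg.container);
        # presumably "none" ships no firmware blobs — confirm against local.boot.firmware
        firmware.mode = mkDefault "none";
        # Pinned: follows the container flag directly, no mkDefault.
        namespaced.enable = cfg.container;

        # Named for LUKS + ext4 + fscrypt + impermanence; only meaningful on a
        # full machine, so it tracks !container.
        stack.luksExt4FscryptImpermanence = {
          enable = mkDefault (!cfg.container);
        };
      };

      # PKI-expiry job follows the *final* value of local.mta.enable, so a host
      # that disables the MTA automatically drops the job as well.
      jobs.pkiExpiry.enable = mkDefault config.local.mta.enable;

      mta = {
        enable = mkDefault true;
        # Pinned: a host importing this preset cannot demote the MTA to a
        # non-primary mode without mkForce.
        mode = "primary";
      };

      net = {
        # Pinned: networking, the "dmz" hostname and fail2ban are part of the
        # contract of this preset; brute-force protection on an exposed host
        # is deliberately not overridable via plain assignment.
        enable = true;
        hostname = "dmz";

        fail2ban.enable = true;
      };

      # Pinned: the public portal site is always served from the DMZ host.
      web.sites.portal.enable = true;
    };

    services = {
      resolved = {
        # LLMNR resolves names by asking whoever is on the local link, which an
        # attacker on an untrusted segment can answer; keep it off here.
        llmnr = "false";
        # Empty list: never silently fall back to the public resolvers compiled
        # into systemd-resolved if the configured DNS servers are missing or
        # unreachable.
        fallbackDns = [ ];
      };
    };

    users = {
      # In NixOS this only disables the assertion that, with mutableUsers =
      # false, at least one user has a password or SSH key; it does not itself
      # permit passwordless logins.  Outside container mode a host importing
      # this preset must still declare a login path for some user, or
      # evaluation fails on that assertion.
      allowNoPasswordLogin = cfg.container;
      # Declarative user database only: no ad-hoc accounts on the exposed host.
      mutableUsers = false;
    };
  };
}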