From e66da99f1102f84a07792d9f7076ad5b8850c450 Mon Sep 17 00:00:00 2001 From: FAForever admins Date: Sat, 12 Oct 2024 19:45:53 +0000 Subject: [PATCH] Improvements --- common/configuration.nix | 47 +++++++++++++++++++++----------- flake.lock | 25 ++++++++++++++--- flake.nix | 15 +++++++++- machines/prod3/configuration.nix | 5 ++-- machines/test1/configuration.nix | 2 -- old-configuration.nix | 11 -------- 6 files changed, 68 insertions(+), 37 deletions(-) delete mode 100644 old-configuration.nix diff --git a/common/configuration.nix b/common/configuration.nix index 1026d59..3cbdf2f 100644 --- a/common/configuration.nix +++ b/common/configuration.nix @@ -37,7 +37,8 @@ "zfs.zfs_arc_max=25769803776" ]; - kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; # Use latest kernel + #kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; # Use latest kernel + kernelPackages = pkgs.linuxPackages_6_10; initrd = { # Virtual rescue system boots over fake SATA controllers 
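Review bot: `kernelPackages = pkgs.linuxPackages_6_10;` pins a fixed, non-LTS kernel series in place of `latestCompatibleLinuxPackages`, so this host stops receiving kernel fixes once that series is no longer maintained upstream; nixpkgs typically drops the attribute after that, which at least fails the build rather than silently running an unmaintained kernel, but until then the pin needs an owner and a revisit date. The commented-out old line says nothing about why the pin was needed; replace it with a comment such as `# Pinned to 6.10 because latestCompatibleLinuxPackages selected <kernel> which <problem>; revisit once a newer ZFS-compatible series is in nixpkgs` with the actual reason filled in, so the next person can tell whether the pin can be lifted. The enclosing attribute set (apparently `boot`) begins before the hunk.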
@@ -70,20 +71,35 @@
 logRefusedConnections = false;
 rejectPackets = false;
 extraCommands = ''
- # icmp limitations
- iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP;
- iptables -A INPUT -p icmp -m limit --limit 10/s --limit-burst 50 -j ACCEPT;
- iptables -A INPUT -p icmp -j DROP;
-
- # Block all fragmented packets
- iptables -A INPUT -f -j DROP
- iptables -A FORWARD -f -j DROP
-
- # Block packets with overlapping fragments
- iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
- iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
- iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
- iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+ # ICMP limitations
+
+ # Block uncommon ICMP types
+ iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
+ iptables -A INPUT -p icmp --icmp-type timestamp-reply -j DROP
+ iptables -A INPUT -p icmp --icmp-type redirect -j DROP
+ iptables -A INPUT -p icmp --icmp-type source-quench -j DROP
+
+ # Allow echo requests and replies with rate limiting
+ iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
+ iptables -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s --limit-burst 5 -j ACCEPT
+
+ # Allow necessary ICMP types with rate limiting
+ iptables -A INPUT -p icmp --icmp-type destination-unreachable -m limit --limit 1/s --limit-burst 5 -j ACCEPT
+ iptables -A INPUT -p icmp --icmp-type time-exceeded -m limit --limit 1/s --limit-burst 5 -j ACCEPT
+ iptables -A INPUT -p icmp --icmp-type parameter-problem -m limit --limit 1/s --limit-burst 5 -j ACCEPT
+
+ # Log and drop fragmented ICMP packets only
+ iptables -A INPUT -p icmp -f -j LOG --log-prefix "Fragmented ICMP Packet: "
+ iptables -A INPUT -p icmp -f -j DROP
+
+ # Drop all ICMP packets that didn't match previous rules
+ iptables -A INPUT -p icmp -j DROP
+
+ # Other rules (e.g., blocking TCP flags)
+ iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+ iptables -A INPUT -p 
tcp --tcp-flags ALL NONE -j DROP + iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP ''; allowedTCPPorts = [ 80 @@ -109,7 +125,6 @@ services.resolved.dnssec = "false"; - systemd.network.wait-online.anyInterface = true; diff --git a/flake.lock b/flake.lock index 3f49e1a..1aec7cf 100644 --- a/flake.lock +++ b/flake.lock @@ -2,16 +2,16 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1727672256, - "narHash": "sha256-9/79hjQc9+xyH+QxeMcRsA6hDyw6Z9Eo1/oxjvwirLk=", + "lastModified": 1728692301, + "narHash": "sha256-QuWjkLVCuWWTyIUOSc4NRoZMNiLaWKV4jM4Vkhz0gfo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1719f27dd95fd4206afb9cec9f415b539978827e", + "rev": "ee4d0513c7e6c4dedc8e9865d525cc86b1c3af8a", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.05", + "ref": "nixos-24.05-small", "repo": "nixpkgs", "type": "github" } @@ -35,9 +35,26 @@ "root": { "inputs": { "nixpkgs": "nixpkgs", + "secrets": "secrets", "srvos": "srvos" } }, + "secrets": { + "flake": false, + "locked": { + "lastModified": 1727988148, + "narHash": "sha256-hNrHK4nWrMiarAytrN5F7rZorRXQnXASAXrB9pbb8hw=", + "ref": "refs/heads/master", + "rev": "801767cbaa17f651c848a186ffa93006d2ee011a", + "revCount": 12, + "type": "git", + "url": "file:secrets" + }, + "original": { + "type": "git", + "url": "file:secrets" + } + }, "srvos": { "inputs": { "nixpkgs": "nixpkgs_2" diff --git a/flake.nix b/flake.nix index 2de71d7..d7b3292 100644 --- a/flake.nix +++ b/flake.nix @@ -2,7 +2,7 @@ description = "FAForever Nixos Configs"; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; #nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; srvos.url = "github:nix-community/srvos"; secrets = { 
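Review bot: The new `iptables -A INPUT -p icmp -f -j LOG --log-prefix "Fragmented ICMP Packet: "` rule has no rate limit of its own, so a stream of fragmented ICMP (non-first fragments, which is all `-f` matches) can fill the journal while the `-j DROP` right below it does the real work; put `-m limit --limit 5/min --limit-burst 10` in front of `-j LOG` so the log stays usable under a flood. The `--limit 1/s --limit-burst 5` on destination-unreachable and time-exceeded is a single global bucket rather than per source, so with many peers the `fragmentation-needed` messages that path-MTU discovery depends on may be dropped once the bucket is empty; if that is not intended, raise the ceiling for those two types or key the limit per source with `-m hashlimit`. These rules are IPv4 only (`iptables`), so if the hosts carry IPv6 the ICMPv6 policy needs separate care, since a blanket drop there would break neighbour discovery. The `extraCommands` string starts in this hunk but the enclosing `networking.firewall` block is outside it.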
@@ -17,7 +17,20 @@ "fafprod3" = nixpkgs.lib.nixosSystem rec { system = "x86_64-linux"; modules = [ + ./common/configuration.nix ./machines/prod3/configuration.nix + srvos.nixosModules.server + ( import (secrets + /networking-prod2.nix)) + ( import (secrets + /users-prod.nix)) + ]; + }; + "test1" = nixpkgs.lib.nixosSystem rec { + system = "x86_64-linux"; + modules = [ + ./common/configuration.nix + ./machines/test1/configuration.nix + srvos.nixosModules.server + ( import (secrets + /users-test.nix)) ]; }; }; diff --git a/machines/prod3/configuration.nix b/machines/prod3/configuration.nix index 34ad7fc..33ccd20 100644 --- a/machines/prod3/configuration.nix +++ b/machines/prod3/configuration.nix @@ -3,9 +3,6 @@ { imports = [ - ../../common/configuration.nix - ../../secrets/networking-prod2.nix - ../../secrets/users-prod.nix ./hardware-configuration.nix ]; @@ -114,4 +111,6 @@ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIDgYjxtGirvoIc63P4TUHDmnXaoWNorPL4m0xJelHayveJc0DbstnwcIwCULTTDOeYTgzexYbCjlpEaABz4lMM9sNdyOQaUj7jn20nPzXAr/nyaTq7wP0klIiOrCvyaEl9eA5IhcwltACPdnDMm+Mr2+v4qyTFJzwVVtyoV42KqWOUzcTfx8/8qlgEbTpih3XX3UeuUtjPQCm8tMDnJiQO4E1UYw6n+fJ9Be4p4tBVbMF7JDn9g3d2DIgfgGWug/n4RMHUNvzLe+X/v8EQZtgNWf1MU7g6xdhWAUDvL75BOJstSDUAgrzPjAqLBpDV+MKAvCctDYKUnpDvGeCXfBn" ]; + system.stateVersion = "24.05"; + } diff --git a/machines/test1/configuration.nix b/machines/test1/configuration.nix index de2f435..0de8536 100644 --- a/machines/test1/configuration.nix +++ b/machines/test1/configuration.nix @@ -3,8 +3,6 @@ { imports = [ - ../../common/configuration.nix - ../../secrets/users-test.nix ./hardware-configuration.nix ]; diff --git a/old-configuration.nix b/old-configuration.nix deleted file mode 100644 index 6e066e5..0000000 --- a/old-configuration.nix +++ /dev/null 
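Review bot: The new `( import (secrets + /…nix))` entries read the secrets repo through a flake input, and whatever a flake input provides is copied into `/nix/store`, which is world-readable on every host that evaluates this flake; if `users-prod.nix`, `users-test.nix` or `networking-prod2.nix` hold real secret values rather than merely private configuration, they are exposed that way (the old `../../secrets/...` imports had the same property, so this is not a regression, but a comment such as `# secrets is a flake input: its files land in the world-readable store, keep real secrets out of it` would record the constraint). In the lines shown neither `modules` list refers to `system`, so the `rec` on both `nixosSystem` argument sets is unused and can go. `./common/configuration.nix` and `srvos.nixosModules.server` are now repeated per host; a small helper keeps the two definitions from drifting apart. The enclosing `nixosConfigurations` set begins before the hunk.
```nix
let
  # Shared modules first, then the host's secret modules.
  mkHost = host: secretModules: nixpkgs.lib.nixosSystem {
    system = "x86_64-linux";
    modules = [
      ./common/configuration.nix
      ./machines/${host}/configuration.nix
      srvos.nixosModules.server
    ] ++ secretModules;
  };
in
{
  "fafprod3" = mkHost "prod3" [ (import (secrets + /networking-prod2.nix)) (import (secrets + /users-prod.nix)) ];
  "test1" = mkHost "test1" [ (import (secrets + /users-test.nix)) ];
}
```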
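Review bot: `system.stateVersion = "24.05";` is being added to a host that already exists, and the option is meant to record the release the machine was first installed with, since it selects stateful defaults (database layouts and similar) that should not change after install; if prod3 predates 24.05 this value should be that older release instead. Add `# Release this host was first installed with; do not bump on upgrades` next to it so the next upgrade does not move it. The enclosing attribute set of machines/prod3/configuration.nix ends at the `}` in this hunk but begins outside it.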
@@ -1,11 +0,0 @@
-# Import the NixOS options
-{ config, lib, pkgs, ... }:
-
-let
- hostConfigPath = "/etc/nixos/machines/" + (lib.removeSuffix "\n" (builtins.readFile "/etc/nixos/host")) + "/configuration.nix";
- importedConfig = import hostConfigPath;
-in
-{
- imports =
- [ importedConfig ];
-}