2026-02-12 13:25:40 +10:00
|
|
|
{lib, ...}: {
|
2026-02-12 14:21:45 +10:00
|
|
|
networking.firewall = {
|
|
|
|
|
allowedTCPPorts = [
|
2026-02-16 09:35:29 +10:00
|
|
|
42069 # ssh
|
2026-02-09 01:51:30 +10:00
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
security = {
|
|
|
|
|
# accept Lets Encrypt's security policy
|
|
|
|
|
acme = {
|
|
|
|
|
acceptTerms = true;
|
2026-02-16 09:35:29 +10:00
|
|
|
defaults.email = "eclarkboman@gmail.com";
|
2026-02-09 01:51:30 +10:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
sudo = {
|
|
|
|
|
enable = true;
|
|
|
|
|
wheelNeedsPassword = true;
|
|
|
|
|
};
|
|
|
|
|
# allow SSH keys for passwordless auth
|
|
|
|
|
pam = {
|
2026-02-12 14:21:45 +10:00
|
|
|
sshAgentAuth.enable = true;
|
2026-02-09 01:51:30 +10:00
|
|
|
services.sudo.sshAgentAuth = true; # pam_ssh_agent_auth module
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
services = {
|
|
|
|
|
openssh = {
|
|
|
|
|
enable = true;
|
2026-02-16 09:35:29 +10:00
|
|
|
ports = [42069];
|
2026-02-09 01:51:30 +10:00
|
|
|
settings = {
|
|
|
|
|
PasswordAuthentication = false;
|
|
|
|
|
PermitRootLogin = "no";
|
2026-02-12 14:21:45 +10:00
|
|
|
AllowUsers = ["cry"]; # DO NOT ALLOW ALL
|
2026-02-09 01:51:30 +10:00
|
|
|
UseDns = true;
|
|
|
|
|
X11Forwarding = false;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
2026-02-12 13:25:40 +10:00
|
|
|
|
2026-02-16 09:35:29 +10:00
|
|
|
# simple fail2ban config (not production ready or anything though)
|
|
|
|
|
# refer to: https://nixos.wiki/wiki/Fail2Ban
|
|
|
|
|
services.fail2ban = {
|
|
|
|
|
enable = true;
|
|
|
|
|
|
|
|
|
|
maxretry = 5;
|
|
|
|
|
bantime = "10m"; # 10 minute ban
|
|
|
|
|
bantime-increment = {
|
|
|
|
|
enable = true;
|
|
|
|
|
formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
|
|
|
|
|
# multipliers = "1 2 4 8 16 32 64";
|
|
|
|
|
maxtime = "168h"; # dont ban for more than 1 week
|
|
|
|
|
overalljails = true;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2026-02-12 13:25:40 +10:00
|
|
|
users = {
|
|
|
|
|
users = {
|
|
|
|
|
# primary user
|
|
|
|
|
cry = {
|
|
|
|
|
isNormalUser = true;
|
|
|
|
|
home = "/home/cry";
|
|
|
|
|
extraGroups = ["wheel"];
|
2026-02-13 12:49:52 +10:00
|
|
|
openssh.authorizedKeys.keys = lib.mkDefault [
|
2026-02-12 13:25:40 +10:00
|
|
|
(throw ''
|
|
|
|
|
Hosts in the `server` group must set `users.users.cry.openssh.authorizedKeys.keys = [ ... ]`.
|
|
|
|
|
'')
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
2026-02-09 01:51:30 +10:00
|
|
|
}
|