flake/groups/server/default.nix

{lib, ...}: {
  networking.firewall = {
    allowedTCPPorts = [
      42069 # ssh
    ];
  };

  security = {
    # accept Lets Encrypt's security policy
    acme = {
      acceptTerms = true;
      defaults.email = "eclarkboman@gmail.com";
    };

    sudo = {
      enable = true;
      wheelNeedsPassword = true;
    };
    # allow SSH keys for passwordless auth
    pam = {
      sshAgentAuth.enable = true;
      services.sudo.sshAgentAuth = true; # pam_ssh_agent_auth module
    };
  };

  services = {
    openssh = {
      enable = true;
      ports = [42069];
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin = "no";
        AllowUsers = ["cry"]; # DO NOT ALLOW ALL
        UseDns = true;
        X11Forwarding = false;
      };
    };
  };

  # simple fail2ban config (not production ready or anything though)
  # refer to: https://nixos.wiki/wiki/Fail2Ban
  services.fail2ban = {
    enable = true;

    maxretry = 5;
    bantime = "10m"; # 10 minute ban
    bantime-increment = {
      enable = true;
      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
      # multipliers = "1 2 4 8 16 32 64";
      maxtime = "168h"; # dont ban for more than 1 week
      overalljails = true;
    };
  };

  users = {
    users = {
      # primary user
      cry = {
        isNormalUser = true;
        home = "/home/cry";
        extraGroups = ["wheel"];
        openssh.authorizedKeys.keys = lib.mkDefault [
          (throw ''
            Hosts in the `server` group must set `users.users.cry.openssh.authorizedKeys.keys = [ ... ]`.
          '')
        ];
      };
    };
  };
}
idk a bunch of things got the merge working 2026-02-12 13:25:40 +10:00			`{lib, ...}: {`
fix groups/default.nix should be groups/all/default.nix 2026-02-12 14:21:45 +10:00			`networking.firewall = {`
			`allowedTCPPorts = [`
update hosts (+ update sshPort) 2026-02-16 09:35:29 +10:00			`42069 # ssh`
super massive rewrite 2026-02-09 01:51:30 +10:00			`];`
			`};`

			`security = {`
			`# accept Lets Encrypt's security policy`
			`acme = {`
			`acceptTerms = true;`
update hosts (+ update sshPort) 2026-02-16 09:35:29 +10:00			`defaults.email = "eclarkboman@gmail.com";`
super massive rewrite 2026-02-09 01:51:30 +10:00			`};`

			`sudo = {`
			`enable = true;`
			`wheelNeedsPassword = true;`
			`};`
			`# allow SSH keys for passwordless auth`
			`pam = {`
fix groups/default.nix should be groups/all/default.nix 2026-02-12 14:21:45 +10:00			`sshAgentAuth.enable = true;`
super massive rewrite 2026-02-09 01:51:30 +10:00			`services.sudo.sshAgentAuth = true; # pam_ssh_agent_auth module`
			`};`
			`};`

			`services = {`
			`openssh = {`
			`enable = true;`
update hosts (+ update sshPort) 2026-02-16 09:35:29 +10:00			`ports = [42069];`
super massive rewrite 2026-02-09 01:51:30 +10:00			`settings = {`
			`PasswordAuthentication = false;`
			`PermitRootLogin = "no";`
fix groups/default.nix should be groups/all/default.nix 2026-02-12 14:21:45 +10:00			`AllowUsers = ["cry"]; # DO NOT ALLOW ALL`
super massive rewrite 2026-02-09 01:51:30 +10:00			`UseDns = true;`
			`X11Forwarding = false;`
			`};`
			`};`
			`};`
idk a bunch of things got the merge working 2026-02-12 13:25:40 +10:00
update hosts (+ update sshPort) 2026-02-16 09:35:29 +10:00			`# simple fail2ban config (not production ready or anything though)`
			`# refer to: https://nixos.wiki/wiki/Fail2Ban`
			`services.fail2ban = {`
			`enable = true;`

			`maxretry = 5;`
			`bantime = "10m"; # 10 minute ban`
			`bantime-increment = {`
			`enable = true;`
			`formula = "ban.Time * math.exp(float(ban.Count+1)banFactor)/math.exp(1banFactor)";`
			`# multipliers = "1 2 4 8 16 32 64";`
			`maxtime = "168h"; # dont ban for more than 1 week`
			`overalljails = true;`
			`};`
			`};`

idk a bunch of things got the merge working 2026-02-12 13:25:40 +10:00			`users = {`
			`users = {`
			`# primary user`
			`cry = {`
			`isNormalUser = true;`
			`home = "/home/cry";`
			`extraGroups = ["wheel"];`
use lib.mkDefault 2026-02-13 12:49:52 +10:00			`openssh.authorizedKeys.keys = lib.mkDefault [`
idk a bunch of things got the merge working 2026-02-12 13:25:40 +10:00			`(throw ''`
			Hosts in the `server` group must set `users.users.cry.openssh.authorizedKeys.keys = [ ... ]`.
			`'')`
			`];`
			`};`
			`};`
			`};`
super massive rewrite 2026-02-09 01:51:30 +10:00			`}`