change from mono-home-manager to full flake multi-system configuration

2025-11-30 12:28:05 +01:00
parent 5c3a992f34
commit 362f65c384
62 changed files with 4469 additions and 576 deletions
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -0,0 +1,43 @@
+{ config, pkgs, ... }:
+
+{
+  services.openssh = {
+    enable = true;
+    ports = [ 22 ];
+    settings = {
+      AllowUsers = [ "wieerwill" ];
+      X11Forwarding = false;
+      PasswordAuthentication = false;
+      PermitRootLogin = "prohibit-password";
+      KbdInteractiveAuthentication = false;
+    };
+  };
+
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 
+      22  # SSH 
+      80  # HTTP
+      443 # HTTPS
+      22000 # Syncthing
+      9050  # Tor SOCKS
+      9051  # Tor Control
+      5353  # Tor DNS (if using virtual DNS)
+    ];
+    allowedUDPPorts = [ ];
+  };
+
+  services.fail2ban = {
+    enable = true;
+    maxretry = 3; # Ban IP after 3 failures
+    bantime = "24h"; # Ban IPs for one day on the first ban
+    bantime-increment = {
+      enable = true; # increment of bantime after each violation
+      #formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+      multipliers = "1 2 4 8 16 32 64";
+      maxtime = "168h"; # Do not ban for more than 1 week
+      overalljails = true; # bantime based on all violations
+    };
+  };
+  
+}