50 lines
1.2 KiB
Nix
50 lines
1.2 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
{
|
|
|
|
networking.firewall = {
|
|
enable = true;
|
|
allowedTCPPorts = [ 22 ];
|
|
};
|
|
|
|
services.fail2ban = {
|
|
enable = true;
|
|
maxretry = 3; # Ban IP after 3 failures
|
|
bantime = "24h"; # Ban IPs for one day on the first ban
|
|
bantime-increment = {
|
|
enable = true; # increment of bantime after each violation
|
|
formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
|
|
multipliers = "1 2 4 8 16 32 64";
|
|
maxtime = "168h"; # Do not ban for more than 1 week
|
|
overalljails = true; # bantime based on all violations
|
|
};
|
|
};
|
|
|
|
programs.gpg = {
|
|
enable = true;
|
|
mutableKeys = true; # allow changes in keys or trust
|
|
mutableTrust = true;
|
|
publicKeys = [
|
|
{
|
|
source = ""; #./path/to/key.a;
|
|
trust = "ultimate";
|
|
}
|
|
];
|
|
};
|
|
|
|
programs.ssh = {
|
|
enable = true;
|
|
addKeysToAgent = "yes"; # let home manager manage ssh keys
|
|
};
|
|
|
|
services.openssh = {
|
|
enable = true;
|
|
##Ports = [ 5432 ];
|
|
settings = {
|
|
PasswordAuthentication = false;
|
|
KbdInteractiveAuthentication = false;
|
|
PermitRootLogin = "no";
|
|
#AllowUsers = [ "wieerwill" ]
|
|
};
|
|
};
|
|
|
|
} |