infra/config/network.nix

{
  networking.firewall.enable = true;

  services = {
    fail2ban.enable = true;
    openssh = {
      enable = true;
      ports = [22];
      settings = {
        KexAlgorithms = [
          "curve25519-sha256"
          "curve25519-sha256@libssh.org"
          "diffie-hellman-group16-sha512"
          "diffie-hellman-group18-sha512"
          "sntrup761x25519-sha512@openssh.com"
        ];
        PasswordAuthentication = false;
        PermitRootLogin = "no";
        StreamLocalBindUnlink = "yes";
      };
    };
  };
}
feat: init 2023-05-06 06:49:46 +02:00			`{`
			`networking.firewall.enable = true;`
feat: rework nginx, add per-vhost logging & monitoring 2024-09-13 02:28:10 +02:00
feat: init 2023-05-06 06:49:46 +02:00			`services = {`
			`fail2ban.enable = true;`
			`openssh = {`
			`enable = true;`
feat: rework nginx, add per-vhost logging & monitoring 2024-09-13 02:28:10 +02:00			`ports = [22];`
feat: enable StreamLocalBindUnlink for sshd 2024-09-11 08:58:47 +02:00			`settings = {`
feat: harden ssh 2024-09-13 18:46:54 +02:00			`KexAlgorithms = [`
			`"curve25519-sha256"`
			`"curve25519-sha256@libssh.org"`
			`"diffie-hellman-group16-sha512"`
			`"diffie-hellman-group18-sha512"`
			`"sntrup761x25519-sha512@openssh.com"`
			`];`
feat: enable StreamLocalBindUnlink for sshd 2024-09-11 08:58:47 +02:00			`PasswordAuthentication = false;`
			`PermitRootLogin = "no";`
			`StreamLocalBindUnlink = "yes";`
			`};`
feat: init 2023-05-06 06:49:46 +02:00			`};`
			`};`
			`}`