infra/config/network.nix

{
  networking.firewall.enable = true;

  services = {
    fail2ban = {
      enable = true;
      bantime-increment.enable = true;
    };
    openssh = {
      enable = true;
      openFirewall = true;
      settings = {
        KexAlgorithms = [
          "curve25519-sha256"
          "curve25519-sha256@libssh.org"
          "diffie-hellman-group16-sha512"
          "diffie-hellman-group18-sha512"
          "sntrup761x25519-sha512@openssh.com"
        ];
        PasswordAuthentication = false;
        PermitRootLogin = "prohibit-password";
        StreamLocalBindUnlink = "yes";
      };
    };
  };
}
feat: init 2023-05-06 06:49:46 +02:00			`{`
			`networking.firewall.enable = true;`
feat: rework nginx, add per-vhost logging & monitoring 2024-09-13 02:28:10 +02:00
feat: init 2023-05-06 06:49:46 +02:00			`services = {`
feat(fail2ban): enable bantime increment 2024-09-17 22:02:02 +02:00			`fail2ban = {`
			`enable = true;`
			`bantime-increment.enable = true;`
			`};`
feat: init 2023-05-06 06:49:46 +02:00			`openssh = {`
			`enable = true;`
feat(ssh): explicitly open firewall 2024-09-18 18:22:22 +02:00			`openFirewall = true;`
feat: enable StreamLocalBindUnlink for sshd 2024-09-11 08:58:47 +02:00			`settings = {`
feat: harden ssh 2024-09-13 18:46:54 +02:00			`KexAlgorithms = [`
			`"curve25519-sha256"`
			`"curve25519-sha256@libssh.org"`
			`"diffie-hellman-group16-sha512"`
			`"diffie-hellman-group18-sha512"`
			`"sntrup761x25519-sha512@openssh.com"`
			`];`
feat: enable StreamLocalBindUnlink for sshd 2024-09-11 08:58:47 +02:00			`PasswordAuthentication = false;`
feat: add deploy-rs user config 2024-09-16 20:57:30 +02:00			`PermitRootLogin = "prohibit-password";`
feat: enable StreamLocalBindUnlink for sshd 2024-09-11 08:58:47 +02:00			`StreamLocalBindUnlink = "yes";`
			`};`
feat: init 2023-05-06 06:49:46 +02:00			`};`
			`};`
			`}`