From 7d77335e21798f682ae5879a88a2fe2d448b72ee Mon Sep 17 00:00:00 2001 From: Daylin Morgan Date: Mon, 7 Aug 2023 10:57:28 -0500 Subject: [PATCH] update fail2ban --- hosts/algiz/configuration.nix | 178 +++++++++++++++++++--------------- 1 file changed, 98 insertions(+), 80 deletions(-) diff --git a/hosts/algiz/configuration.nix b/hosts/algiz/configuration.nix index 22c1282..866374a 100644 --- a/hosts/algiz/configuration.nix +++ b/hosts/algiz/configuration.nix 
@@ -26,106 +26,124 @@ }; services.resolved.enable = true; - services.fail2ban.enable = true; - boot.kernelPackages = pkgs.linuxPackages_latest; + # fail2ban config based on: + # https://www.linode.com/docs/guides/how-to-use-fail2ban-for-ssh-brute-force-protection/ + services.fail2ban { + enable = true; + maxretry = 5; + bantime = "24h"; + jails = { + sshd = '' + port = ssh + filter = sshd + logpath = /var/log/auth.log + maxretry = 3 + findtime = 300 + bantime = 3600 + ignoreip = 127.0.0.1 + '' + } + } + boot.kernelPackages = pkgs.linuxPackages_latest; - services.cron = { - enable = true; - systemCronJobs = [ - # update repos - "0 * * * * make -C /home/daylin/git soft-repos" - # update container so home page is semi-accurate - "0 2 * * * make -C /home/daylin/git update-soft-serve" + # TODO: convert this to a systemd service/timer + # services.cron = { + # enable = true; + # systemCronJobs = [ + # # update repos + # "0 * * * * make -C /home/daylin/git soft-repos" + # # update container so home page is semi-accurate + # "0 2 * * * make -C /home/daylin/git update-soft-serve" + # ]; + # }; + # + networking.hostName = "algiz"; + + # added to make using `pip install` work in docker build + networking.nameservers = [ + "8.8.8.8" ]; - }; - networking.hostName = "algiz"; + time.timeZone = "America/Chicago"; + programs.zsh.enable = true; + virtualisation.docker.enable = true; - # added to make using `pip install` work in docker build - networking.nameservers = [ - "8.8.8.8" - ]; + programs.nix-ld.enable = true; + programs.nix-ld.libraries = with pkgs; [ + stdenv.cc.cc + curl # for choosenim + ]; - time.timeZone = "America/Chicago"; - programs.zsh.enable = true; - virtualisation.docker.enable = true; + environment.systemPackages = with pkgs; [ + zsh - programs.nix-ld.enable = true; - programs.nix-ld.libraries = with pkgs; [ - stdenv.cc.cc - curl # for choosenim - ]; + tmux + wget + unzip + less + gnumake + gcc + gnupg - environment.systemPackages = with pkgs; [ - zsh + curl - 
tmux - wget - unzip - less - gnumake - gcc - gnupg + git - curl + vim + neovim - git + starship + atuin + chezmoi + bat + fzf + delta + ripgrep + lsd - vim - neovim + gh + lazygit - starship - atuin - chezmoi - bat - fzf - delta - ripgrep - lsd + nixpkgs-fmt + lazydocker - gh - lazygit + (python3.withPackages (ps: with ps; [ pip ])) + micromamba - nixpkgs-fmt - lazydocker - - python3 - micromamba - - nodejs - go - rustup - ]; + nodejs + go + rustup + ]; - # Use the GRUB 2 boot loader. - boot.loader.grub.enable = true; - boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only - programs.gnupg.agent = { - enable = true; - enableSSHSupport = true; - }; + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; - # allow tcp connections for git.dayl.in (gitea) - networking.firewall = { - enable = true; - allowedTCPPorts = [ 80 443 ]; - }; + # allow tcp connections for git.dayl.in (gitea) + networking.firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - services.openssh.settings.PasswordAuthentication = false; + # Enable the OpenSSH daemon. + services.openssh.enable = true; + services.openssh.settings.PasswordAuthentication = false; - users.mutableUsers = false; + users.mutableUsers = false; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "22.11"; # Did you read the comment? 
-} + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? + }
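Review bot: In the added block at the top of the hunk, `services.fail2ban {` is missing the `=`, and neither the `sshd = ''…''` binding, the `jails = { … }` binding nor the outer attribute set is terminated with `;`, so the file will not parse and the rebuild fails before fail2ban is enabled at all. The jail also sets `logpath = /var/log/auth.log`, which on NixOS is normally absent because sshd logs to the journal; fail2ban will not start a jail whose log file it cannot find, so even with the syntax fixed the SSH jail would likely stay down, whereas `backend = systemd` reads the journal and needs no file. The jail-local `maxretry = 3` and `bantime = 3600` take precedence over the module-level `maxretry = 5; bantime = "24h"`, so the effective SSH ban is one hour, not 24; the policy should be stated in one place. Because this definition replaces the module's default `sshd` jail, which as far as I recall is what carries `enabled = true`, stating `enabled = true` explicitly is safer. The block below fixes the syntax, switches to the journal backend and drops the duplicate `bantime` so the 24h module value applies.
```nix
  services.fail2ban = {
    # … unchanged: enable, maxretry, bantime …
    jails = {
      # sshd logs to the journal on NixOS; read it via the systemd backend
      # instead of a syslog file that is normally not present
      sshd = ''
        enabled = true
        port = ssh
        filter = sshd
        backend = systemd
        maxretry = 3
        findtime = 300
        ignoreip = 127.0.0.1
      '';
    };
  };
```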