christoph/flake-nixinator
1
Fork 0
Code Activity

System: Harden SSHD and authorize key

Browse Source
This commit is contained in:
Christoph Urlacher
2026-02-16 20:01:40 +01:00
parent 86d669c2ab
commit 2919e797ed
2 changed files with 24 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
system/default.nix
View File

@ -8,6 +8,7 @@
system, system,
username, username,
headless, headless,
publicKeys,
... ...
}: }:
with mylib.networking; { with mylib.networking; {
@ -273,6 +274,10 @@ with mylib.networking; {
]; ];
shell = pkgs.fish; shell = pkgs.fish;
openssh.authorizedKeys.keys = [
publicKeys.christoph.ssh
];
# We do this with HomeManager # We do this with HomeManager
# packages = with pkgs; []; # packages = with pkgs; [];
}; };
@ -418,7 +423,9 @@ with mylib.networking; {
}; };
# Enable the OpenSSH daemon. # Enable the OpenSSH daemon.
openssh.enable = true; openssh = {
enable = true;
};
# Trims the journal if too large # Trims the journal if too large
journald.extraConfig = '' journald.extraConfig = ''

16
system/nixinator/default.nix
View File

@ -176,6 +176,22 @@
fileSystems = ["/"]; fileSystems = ["/"];
}; };
# Temporarily ban IPs for SSH after failed login attempts
fail2ban = {
enable = true;
};
openssh = {
ports = [5432];
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
AllowUsers = [username];
LogLevel = "VERBOSE"; # For fail2ban
};
};
# Keep this as a system service because we're backing up /persist as root # Keep this as a system service because we're backing up /persist as root
# TODO: The repository gets corrupted all the time, maybe because the service runs before the repository is mounted? # TODO: The repository gets corrupted all the time, maybe because the service runs before the repository is mounted?
# - Was this caused by the NFS "soft" option? # - Was this caused by the NFS "soft" option?