remoll/matrix
1
0
Fork 0
mirror of https://github.com/lxstinthesky/matrix.git synced 2025-11-06 10:52:44 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c31f778ac2c4e56b0a77bb12f9946dcb4d8e28b4
matrix/nix/modules/security.nix
Henrik c31f778ac2 added a fail2ban configuration for ssh
2025-11-05 17:50:20 +01:00

75 lines
2.3 KiB
Nix
Raw Blame History

{ config, pkgs, inputs, ... }:
{
# providing an ssh configuration
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "no"; # Disable root login
PasswordAuthentication = false; # Force SSH key auth only
PubkeyAuthentication = true; # Enable SSH keys
LogLevel = "VERBOSE"; # More detailed logging, for fail2ban
};
ports = [ 22 ];
# using the same key as for initrd
hostKeys = [
{ path = "/etc/secrets/initrd/ssh_host_ed25519_key"; type = "ed25519"; }
];
};
services.fail2ban = {
enable = true;
maxretry = 5; # Ban IP after 5 failures
ignoreIP = [
];
bantime = "24h"; # Ban IPs for one day on the first ban
bantime-increment = {
enable = true; # Enable increment of bantime after each violation
multipliers = "1 2 3 4 5 6 7"; # everytime one day more
maxtime = "168h"; # Do not ban for more than 1 week
overalljails = true; # Calculate the bantime based on all the violations
};
# fail2ban ships with a default sshd jail, we override it here, to be explicit
jails.sshd.settings = {
port = 22; # explicit
maxretry = 5;
};
};
# remote unlock for luks via ssh
boot.kernelParams = [ "ip=dhcp" ];
boot.initrd = {
availableKernelModules = [ "virtio-pci" ];
network = {
enable = true;
ssh = {
enable = true;
port = 22;
authorizedKeys = [
(builtins.readFile ../users/keys/neo.pub)
(builtins.readFile ../users/keys/morpheus.pub)
];
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
shell = "/bin/cryptsetup-askpass";
};
};
};
# Generate SSH host key for initrd
system.activationScripts.initrd-ssh-key = {
text = ''
mkdir -p /etc/secrets/initrd
if [ ! -f /etc/secrets/initrd/ssh_host_ed25519_key ]; then
${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519_key -N ""
chmod 600 /etc/secrets/initrd/ssh_host_ed25519_key
chmod 644 /etc/secrets/initrd/ssh_host_ed25519_key.pub
fi
'';
deps = [ ];
};
# other security hardening options can go here
security.sudo.wheelNeedsPassword = false;
}
Reference in New Issue View Git Blame Copy Permalink