# Server profile: key-only SSH with per-source penalties, fail2ban with
# escalating bans, and a Podman runtime that also answers to the Docker CLI.
{ lib, ... }:
let
  # Address ranges that are trusted and must never be locked out.
  wireguardNet = "10.100.0.0/24";
  localNet = "192.168.1.0/24";
in
{
  # Wipe /tmp on every boot so nothing stale survives a restart.
  boot.tmp.cleanOnBoot = true;

  services = {
    # Ban peers that keep failing authentication. A first ban lasts one
    # hour; each further ban of the same address is four times longer,
    # capped at 168h (one week).
    fail2ban = {
      enable = true;
      ignoreIP = [
        wireguardNet # wireguard
        localNet # local network
      ];
      bantime = "1h";
      bantime-increment = {
        enable = true;
        factor = "4";
        maxtime = "168h";
      };
    };

    openssh = {
      enable = true;
      openFirewall = true;
      # A single ed25519 host key at the stock path; no RSA/ECDSA keys.
      hostKeys = [
        {
          type = "ed25519";
          path = "/etc/ssh/ssh_host_ed25519_key";
        }
      ];
      settings = {
        # Keys only: passwords and keyboard-interactive prompts are off,
        # and root may log in solely with a key.
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitRootLogin = "prohibit-password";
        # Sources on the LAN are exempt from sshd's per-source penalties
        # (only honoured by sshd versions that implement them, see the man page).
        # https://man.openbsd.org/sshd_config.5#PerSourcePenaltyExemptList
        PerSourcePenaltyExemptList = lib.concatStringsSep "," [ localNet ];
      };
    };
  };

  virtualisation = {
    podman = {
      enable = true;
      # Provide a docker-compatible CLI so existing tooling keeps working.
      dockerCompat = true;
      # Periodic pruning; `--all` removes every unused image, not only
      # dangling ones.
      autoPrune = {
        enable = true;
        flags = [ "--all" ];
      };
      # Enable the DNS plugin on podman's default network.
      defaultNetwork.settings.dns_enabled = true;
    };
    # Declarative oci-containers run on podman rather than docker.
    oci-containers.backend = "podman";
  };
}