move a few more things back as profiles

author: Franck Cuny <franck@fcuny.net> 2025-10-23 17:41:18 -0700
committer: Franck Cuny <franck@fcuny.net> 2025-10-23 17:41:18 -0700
commit: 3d717b6415d4429a2f9bc9619ac0bbff456827c3 (patch)
tree: 29f83695d3311f9b888ef25f7dfe6aff6955bde4 /profiles/server.nix
parent: enable tailscale on 2 machines (diff)
download: infra-3d717b6415d4429a2f9bc9619ac0bbff456827c3.tar.gz
1 files changed, 44 insertions, 0 deletions
diff --git a/profiles/server.nix b/profiles/server.nix
new file mode 100644
index 0000000..fe59484
--- /dev/null
+++ b/profiles/server.nix
@@ -0,0 +1,44 @@
+{ ... }:
+{
+  services.fail2ban = {
+    enable = true;
+    ignoreIP = [
+      "10.100.0.0/24" # wireguard
+    ];
+    bantime = "1h";
+    bantime-increment = {
+      enable = true;
+      maxtime = "168h";
+      factor = "4";
+    };
+  };
+
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = true;
+    autoPrune.enable = true;
+    autoPrune.flags = [
+      "--all"
+    ];
+    defaultNetwork.settings.dns_enabled = true;
+  };
+
+  virtualisation.oci-containers.backend = "podman";
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+
+      PermitRootLogin = "prohibit-password";
+    };
+    openFirewall = true;
+    hostKeys = [
+      {
+        path = "/etc/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+    ];
+  };
+}
author	Franck Cuny <franck@fcuny.net>	2025-10-23 17:41:18 -0700
committer	Franck Cuny <franck@fcuny.net>	2025-10-23 17:41:18 -0700
commit	3d717b6415d4429a2f9bc9619ac0bbff456827c3 (patch)
tree	29f83695d3311f9b888ef25f7dfe6aff6955bde4 /profiles/server.nix
parent	enable tailscale on 2 machines (diff)
download	infra-3d717b6415d4429a2f9bc9619ac0bbff456827c3.tar.gz