authorFranck Cuny <franck@fcuny.net>2025-10-23 17:41:18 -0700
committerFranck Cuny <franck@fcuny.net>2025-10-23 17:41:18 -0700
commit3d717b6415d4429a2f9bc9619ac0bbff456827c3 (patch)
tree29f83695d3311f9b888ef25f7dfe6aff6955bde4 /profiles
parentenable tailscale on 2 machines (diff)
move a few more things back as profiles
Diffstat (limited to '')
-rw-r--r--profiles/cgroups.nix (renamed from modules/nixos/cgroups.nix)0
-rw-r--r--profiles/defaults.nix (renamed from modules/nixos/base.nix)13
-rw-r--r--profiles/server.nix44
3 files changed, 44 insertions, 13 deletions
diff --git a/modules/nixos/cgroups.nix b/profiles/cgroups.nix
index 07dc964..07dc964 100644
--- a/modules/nixos/cgroups.nix
+++ b/profiles/cgroups.nix
diff --git a/modules/nixos/base.nix b/profiles/defaults.nix
index 9ed3abc..7c8a7fb 100644
--- a/modules/nixos/base.nix
+++ b/profiles/defaults.nix
@@ -39,19 +39,6 @@
dnssec = "false";
};
- services.fail2ban = {
- enable = true;
- ignoreIP = [
- "10.100.0.0/24" # wireguard
- ];
- bantime = "1h";
- bantime-increment = {
- enable = true;
- maxtime = "168h";
- factor = "4";
- };
- };
-
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = [
diff --git a/profiles/server.nix b/profiles/server.nix
new file mode 100644
index 0000000..fe59484
--- /dev/null
+++ b/profiles/server.nix
@@ -0,0 +1,44 @@
+{ ... }:
+{
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ "10.100.0.0/24" # wireguard
+ ];
+ bantime = "1h";
+ bantime-increment = {
+ enable = true;
+ maxtime = "168h";
+ factor = "4";
+ };
+ };
+
+ virtualisation.podman = {
+ enable = true;
+ dockerCompat = true;
+ autoPrune.enable = true;
+ autoPrune.flags = [
+ "--all"
+ ];
+ defaultNetwork.settings.dns_enabled = true;
+ };
+
+ virtualisation.oci-containers.backend = "podman";
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+
+ PermitRootLogin = "prohibit-password";
+ };
+ openFirewall = true;
+ hostKeys = [
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ };
+}
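Review bot: `PermitRootLogin = "prohibit-password"` in the `services.openssh.settings` block still lets root log in with a key, and `openFirewall = true` opens the SSH port in the host firewall, so the root account is directly reachable wherever that firewall applies. If nothing depends on root SSH (a deploy tool might, which this diff does not show), `PermitRootLogin = "no";` with an unprivileged user plus sudo keeps an audit trail and limits what a stolen key gives. If root key login is required, a comment such as `# root key login needed for <deploy tool>` next to the setting would record the reason. Separately, the `ignoreIP` entry exempts the whole `10.100.0.0/24` WireGuard range from fail2ban, so the comment there could say that every peer on that network is treated as trusted.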