From 3d717b6415d4429a2f9bc9619ac0bbff456827c3 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Thu, 23 Oct 2025 17:41:18 -0700
Subject: move a few more things back as profiles
---
profiles/server.nix | 44 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 profiles/server.nix
(limited to 'profiles/server.nix')
diff --git a/profiles/server.nix b/profiles/server.nix
new file mode 100644
index 0000000..fe59484
--- /dev/null
+++ b/profiles/server.nix
@@ -0,0 +1,44 @@
+{ ... }:
+{
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ "10.100.0.0/24" # wireguard
+ ];
+ bantime = "1h";
+ bantime-increment = {
+ enable = true;
+ maxtime = "168h";
+ factor = "4";
+ };
+ };
+
+ virtualisation.podman = {
+ enable = true;
+ dockerCompat = true;
+ autoPrune.enable = true;
+ autoPrune.flags = [
+ "--all"
+ ];
+ defaultNetwork.settings.dns_enabled = true;
+ };
+
+ virtualisation.oci-containers.backend = "podman";
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+
+ PermitRootLogin = "prohibit-password";
+ };
+ openFirewall = true;
+ hostKeys = [
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ };
+}
-- cgit v1.2.3
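Review bot: `PermitRootLogin = "prohibit-password"` in the `services.openssh.settings` block still lets root log in with a key, and `openFirewall = true` opens the SSH port in the firewall on every host that imports this profile. If nothing deploys over SSH as root, `PermitRootLogin = "no";` with an unprivileged admin account is the tighter default for a shared server profile; if root login is required (for example for remote rebuilds, which this diff does not show), a one-line comment saying so would record that the choice is deliberate. Separately, the `ignoreIP` entry exempts the whole `10.100.0.0/24` WireGuard range from fail2ban, so a compromised peer on that network is never banned; listing only the addresses that need the exemption would narrow it.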