From fae0ad293666e3f406e85fd96eb88936e31925a9 Mon Sep 17 00:00:00 2001
From: Emelie Graven
Date: Mon, 22 Nov 2021 14:43:34 +0100
Subject: [PATCH] Update ssh config, disable sshguard

---
 .../capetillo => common}/services/acme.nix | 0
 config/common/services/ssh.nix | 15 +++++++++------
 config/hosts/capetillo/configuration.nix | 4 ++--
 config/hosts/capetillo/services/restic.nix | 17 +++++++++++++++++
 4 files changed, 28 insertions(+), 8 deletions(-)
 rename config/{hosts/capetillo => common}/services/acme.nix (100%)

diff --git a/config/hosts/capetillo/services/acme.nix b/config/common/services/acme.nix
similarity index 100%
rename from config/hosts/capetillo/services/acme.nix
rename to config/common/services/acme.nix
diff --git a/config/common/services/ssh.nix b/config/common/services/ssh.nix
index 1f57e0f..914cd07 100644
--- a/config/common/services/ssh.nix
+++ b/config/common/services/ssh.nix
@@ -5,9 +5,12 @@
 permitRootLogin = "no";
 passwordAuthentication = false;
 challengeResponseAuthentication = false;
- hostKeys = [ { "path" = "/etc/ssh/ssh_host_ed25519_key"; "type" = "ed25519"; } ];
 kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
- macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
+ ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" "aes192-ctr" "aes128-ctr" ];
+ macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ];
+ extraConfig = "
+ HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
+ ";
 };

 programs.ssh.knownHosts = {
@@ -17,9 +20,9 @@
 };
 };

- services.sshguard = {
- enable = true;
- blocktime = 300;
- };
+ #services.sshguard = {
+ # enable = true;
+ # blocktime = 300;
+ #};
 }
diff --git a/config/hosts/capetillo/configuration.nix b/config/hosts/capetillo/configuration.nix
index c35da9d..4251675 100644
--- a/config/hosts/capetillo/configuration.nix
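Review bot: Dropping the explicit `hostKeys` entry in the first ssh.nix hunk falls back to the NixOS module default, which as far as I recall also generates an RSA host key; that is consistent with the added `HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256`, but it silently re-introduces an RSA host key the old config had deliberately limited to ed25519. If ed25519-only is still the intent, keep the `hostKeys` list and drop the `rsa-sha2-*` entries; otherwise record the decision in a comment next to `extraConfig`. The `extraConfig` value is a double-quoted string carrying a leading newline and padding spaces; the idiomatic form is an indented string, `extraConfig = ''` / `HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256` / `'';`. The enclosing attribute set (presumably `services.openssh`) starts before the hunk.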
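Review bot: The sshguard block in the second ssh.nix hunk is commented out rather than disabled, so the file no longer records why brute-force blocking was removed and the commented options will bit-rot silently. Prefer an explicit `services.sshguard.enable = false;` with a one-line reason such as `# sshguard disabled: key-only auth is enforced above, so blocking mainly reduced log noise`, so the next reader can judge whether re-enabling it is worthwhile. With port 22 reachable from anywhere this trade-off holds only while `passwordAuthentication = false` and `challengeResponseAuthentication = false` stay in place, which is worth stating next to the disabled block.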
+++ b/config/hosts/capetillo/configuration.nix
@@ -5,7 +5,7 @@
 [ ./hardware-configuration.nix
 ../../common/services/ssh.nix
- ./services/acme.nix
+ ../../common/services/acme.nix
 ./services/nginx.nix
 ./services/mail.nix
 ./data/secrets/secrets.nix
@@ -61,7 +61,7 @@
 services.openssh.enable = true;

- networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+ networking.firewall.allowedTCPPorts = [ 22 80 193 443 465 587 993 ];
 # networking.firewall.allowedUDPPorts = [ ... ];

diff --git a/config/hosts/capetillo/services/restic.nix b/config/hosts/capetillo/services/restic.nix
index e69de29..6787e90 100644
--- a/config/hosts/capetillo/services/restic.nix
+++ b/config/hosts/capetillo/services/restic.nix
@@ -0,0 +1,17 @@
+{ config, ... }:
+
+{
+
+ services.restic.backups = {
+ "mail" = {
+ paths = [ "/var/vmail" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/nixaalborg/capetillo/mail";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "02:15"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ user = "virtualMail";
+ };
+ };
+}
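Review bot: Port `193` in the new `allowedTCPPorts` list of the second configuration.nix hunk does not correspond to any mail service; the other additions (465, 587, 993) are SMTPS, submission and IMAPS, so `193` looks like a typo for `143` (IMAP) and should be confirmed before it is exposed. Inbound SMTP on 25 is also absent: if `./services/mail.nix` relies on this list for delivery, mail from other servers will be dropped, whereas if that module opens its own ports the omission is harmless — either way the dependency is worth a comment. A short annotation naming each port's service, e.g. `# 22 ssh, 80/443 http(s), 465/587 smtp submission, 993 imaps`, would make such slips visible at review time.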
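Review bot: `extraOptions` and `passwordFile` interpolate `config.secrets.files.ssh_key.file` and `config.secrets.files.restic_pass.file` into the generated unit; if those attributes resolve to Nix store paths, the SSH private key and the repository password end up world-readable in `/nix/store`, so confirm they are out-of-store runtime paths and readable by `virtualMail` with mode 0600, which `ssh -i` also requires. The sftp transport pins no host key in this file; since the job runs non-interactively, an unknown host key for despondos.nao.sh will likely make the first run fail rather than connect, so add the target to `programs.ssh.knownHosts` (the attribute set exists in ssh.nix above) and say so in a comment here. `--keep-yearly 75` also deserves a note such as `# effectively: keep one snapshot per year indefinitely`, since it reads like a typo otherwise.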