nixaalborg/nixos
2
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Update ssh config, disable sshguard

Browse source
This commit is contained in:
Emelie Graven 2021-11-22 14:43:34 +01:00
parent e5e4d3688c
commit fae0ad2936
Signed by: emelie
GPG key ID: C11123726DBB55A1
4 changed files with 28 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

0
config/hosts/capetillo/services/acme.nix → config/common/services/acme.nix
View file

15
config/common/services/ssh.nix
View file

@ -5,9 +5,12 @@
permitRootLogin = "no"; permitRootLogin = "no";
passwordAuthentication = false; passwordAuthentication = false;
challengeResponseAuthentication = false; challengeResponseAuthentication = false;
hostKeys = [ { "path" = "/etc/ssh/ssh_host_ed25519_key"; "type" = "ed25519"; } ];
kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ]; kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ]; ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" "aes192-ctr" "aes128-ctr" ];
macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ];
extraConfig = "
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
";
}; };
programs.ssh.knownHosts = { programs.ssh.knownHosts = {
@ -17,9 +20,9 @@
}; };
}; };
services.sshguard = { #services.sshguard = {
enable = true; # enable = true;
blocktime = 300; # blocktime = 300;
}; #};
} }

4
config/hosts/capetillo/configuration.nix
View file

@ -5,7 +5,7 @@
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../common/services/ssh.nix ../../common/services/ssh.nix
./services/acme.nix ../../common/services/acme.nix
./services/nginx.nix ./services/nginx.nix
./services/mail.nix ./services/mail.nix
./data/secrets/secrets.nix ./data/secrets/secrets.nix
@ -61,7 +61,7 @@
services.openssh.enable = true; services.openssh.enable = true;
networking.firewall.allowedTCPPorts = [ 22 80 443 ]; networking.firewall.allowedTCPPorts = [ 22 80 193 443 465 587 993 ];
# networking.firewall.allowedUDPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ];

17
config/hosts/capetillo/services/restic.nix
View file

@ -0,0 +1,17 @@
{ config, ... }:
{
services.restic.backups = {
"mail" = {
paths = [ "/var/vmail" ];
repository = "sftp:restic@despondos.nao.sh:/etheria/backup/nixaalborg/capetillo/mail";
initialize = true;
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
timerConfig = { "OnCalendar" = "02:15"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
user = "virtualMail";
};
};
}