Update ssh config, disable sshguard

2021-11-22 14:43:34 +01:00 · 2021-11-22 14:43:34 +01:00 · fae0ad2936
parent e5e4d3688c
commit fae0ad2936
4 changed files with 28 additions and 8 deletions
--- a/config/hosts/capetillo/services/acme.nix
+++ b/config/hosts/capetillo/services/acme.nix
--- a/config/common/services/ssh.nix
+++ b/config/common/services/ssh.nix
@ -5,9 +5,12 @@
    permitRootLogin = "no";
    passwordAuthentication = false;
    challengeResponseAuthentication = false;
-    hostKeys = [ { "path" = "/etc/ssh/ssh_host_ed25519_key"; "type" = "ed25519"; } ];
    kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
-    macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
+	ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" "aes192-ctr" "aes128-ctr" ];
+    macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ];
+	extraConfig = "
+		HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
+		";
  };

  programs.ssh.knownHosts = {
@ -17,9 +20,9 @@
    };
  };

-  services.sshguard = {
-    enable = true;
-    blocktime = 300;
-  };
+  #services.sshguard = {
+  #  enable = true;
+  #  blocktime = 300;
+  #};
 }

--- a/config/hosts/capetillo/configuration.nix
+++ b/config/hosts/capetillo/configuration.nix
@ -5,7 +5,7 @@
    [ 
 	  ./hardware-configuration.nix
 	  ../../common/services/ssh.nix
-	  ./services/acme.nix
+	  ../../common/services/acme.nix
 	  ./services/nginx.nix
 	  ./services/mail.nix
 	  ./data/secrets/secrets.nix
@ -61,7 +61,7 @@

  services.openssh.enable = true;

-  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+  networking.firewall.allowedTCPPorts = [ 22 80 193 443 465 587 993 ];
  # networking.firewall.allowedUDPPorts = [ ... ];


--- a/config/hosts/capetillo/services/restic.nix
+++ b/config/hosts/capetillo/services/restic.nix
@ -0,0 +1,17 @@
+{ config, ... }:
+
+{
+
+  services.restic.backups = {
+    "mail" = {
+      paths = [ "/var/vmail" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/nixaalborg/capetillo/mail";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "02:15"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+      user = "virtualMail";
+    };
+  };
+}