# Baseline hardening module: host firewall on, sudo policy for wheel,
# key-only SSH with root-managed authorized keys, and fail2ban.
{ config, pkgs, lib, ... }:

{
  # Set explicitly rather than relying on the default, so the firewall
  # stays on even if the default ever changes.
  networking.firewall = {
    enable = true;
  };

  security.sudo = {
    enable = true;
    # Wheel members run sudo without a password prompt, so control of any
    # wheel account is equivalent to root. With password logins disabled
    # below, the SSH keys of wheel users are the only gate to root.
    wheelNeedsPassword = false;
  };

  services = {
    # NOTE(review): services.openssh.enable is not set in this module;
    # presumably it is enabled elsewhere. Confirm against the host config.
    openssh = {
      # mkForce replaces the whole list instead of merging with it, so sshd
      # only reads the per-user file under /etc/ssh/authorized_keys.d/ and
      # ignores anything a user drops into their own home directory.
      authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];

      # Public-key authentication only: both interactive password paths are
      # switched off. Newer NixOS releases expose these options as
      # services.openssh.settings.KbdInteractiveAuthentication and
      # services.openssh.settings.PasswordAuthentication.
      kbdInteractiveAuthentication = false;
      passwordAuthentication = false;
    };

    # Ban addresses that repeatedly fail SSH authentication.
    # NOTE(review): no jails are configured here, so this depends on the
    # module's default jail covering sshd. Verify on the target release.
    fail2ban.enable = true;
  };
}