infra/roles/security.nix

{ config, pkgs, lib, ... }:
{
  # Keep the firewall on explicitly instead of relying on the default value.
  networking.firewall.enable = true;

  # Members of `wheel` get sudo without a password prompt. That makes a wheel
  # user's SSH key (or an unlocked session) equivalent to root, so the SSH
  # hardening below is the control that actually gates root on this host.
  security.sudo = {
    enable = true;
    wheelNeedsPassword = false;
  };

  services.openssh = {
    # Only the system-managed key files are consulted (sshd expands %u to the
    # login name), so users cannot grant themselves access by writing their own
    # ~/.ssh/authorized_keys. mkForce makes this win over any other module that
    # sets the option.
    authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
    # Key-based login only: no passwords and no keyboard-interactive prompts.
    kbdInteractiveAuthentication = false;
    passwordAuthentication = false;
  };

  # Ban sources that repeatedly fail SSH authentication.
  services.fail2ban.enable = true;
}