infra/roles/security.nix

{
  # Make sure that the firewall is enabled, even if it's the default.
  networking.firewall.enable = true;

  programs.ssh.knownHosts = {
    build01 = {
      hostNames = [ "build01.nix-community.org" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIElIQ54qAy7Dh63rBudYKdbzJHrrbrrMXLYl7Pkmk88H";
    };
    build02 = {
      hostNames = [ "build02.nix-community.org" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMm3/o1HguyRL1z/nZxLBY9j/YUNXeNuDoiBLZAyt88Z";
    };
    build03 = {
      hostNames = [ "build03.nix-community.org" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFiozp1A1+SUfJQPa5DZUQcVc6CZK2ZxL6FJtNdh+2TP";
    };
    build04 = {
      hostNames = [ "build04.nix-community.org" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU/gbREwVuI1p3ag1iG72jxl2/92yGl38c+TPOfFMH8";
    };
    aarch64-nixos-community = {
      hostNames = [ "aarch64.nixos.community" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUTz5i9u5H2FHNAmZJyoJfIGyUm/HfGhfwnc142L3ds";
    };
  };

  # Ban brute force SSH
  services.fail2ban.enable = true;
}
Modularise setup, add hardening config 2019-08-11 19:53:02 +01:00			`{`
roles/security: allow sudo without password (#63) Encourage users to SSH as their own users. Wser accounts were not able to `sudo` as they don't have a password associated to them. 2021-03-08 20:00:02 +00:00			`# Make sure that the firewall is enabled, even if it's the default.`
			`networking.firewall.enable = true;`
Modularise setup, add hardening config 2019-08-11 19:53:02 +01:00
move github keys to security module 2022-01-29 10:46:10 +01:00			`programs.ssh.knownHosts = {`
also add known hosts 2022-08-13 10:48:09 +02:00			`build01 = {`
run nixpkgs-fmt 2022-08-14 16:49:30 +02:00			`hostNames = [ "build01.nix-community.org" ];`
also add known hosts 2022-08-13 10:48:09 +02:00			`publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIElIQ54qAy7Dh63rBudYKdbzJHrrbrrMXLYl7Pkmk88H";`
			`};`
			`build02 = {`
run nixpkgs-fmt 2022-08-14 16:49:30 +02:00			`hostNames = [ "build02.nix-community.org" ];`
also add known hosts 2022-08-13 10:48:09 +02:00			`publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMm3/o1HguyRL1z/nZxLBY9j/YUNXeNuDoiBLZAyt88Z";`
			`};`
			`build03 = {`
run nixpkgs-fmt 2022-08-14 16:49:30 +02:00			`hostNames = [ "build03.nix-community.org" ];`
also add known hosts 2022-08-13 10:48:09 +02:00			`publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFiozp1A1+SUfJQPa5DZUQcVc6CZK2ZxL6FJtNdh+2TP";`
			`};`
			`build04 = {`
run nixpkgs-fmt 2022-08-14 16:49:30 +02:00			`hostNames = [ "build04.nix-community.org" ];`
also add known hosts 2022-08-13 10:48:09 +02:00			`publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU/gbREwVuI1p3ag1iG72jxl2/92yGl38c+TPOfFMH8";`
			`};`
add aarch64-nixos-community to knownHosts 2022-10-28 10:12:52 +10:00			`aarch64-nixos-community = {`
			`hostNames = [ "aarch64.nixos.community" ];`
			`publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUTz5i9u5H2FHNAmZJyoJfIGyUm/HfGhfwnc142L3ds";`
			`};`
move github keys to security module 2022-01-29 10:46:10 +01:00			`};`

Modularise setup, add hardening config 2019-08-11 19:53:02 +01:00			`# Ban brute force SSH`
			`services.fail2ban.enable = true;`
			`}`
No results found.