{ config, lib, pkgs, ... }:

# Server baseline layered on ./common.nix: drops desktop-only features,
# tightens boot/sleep behaviour, and configures ACME, fail2ban and Tailscale.
{
  imports = [ ./common.nix ];

  # Headless host: no manpages/HTML documentation and no fontconfig.
  documentation.enable = false;
  fonts.fontconfig.enable = false;

  # ACME: accept the CA terms of service; issued certificates are owned by the
  # nginx group and HTTP-01 challenges are served from the shared webroot.
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "hostmaster@vimium.com";
  security.acme.defaults.group = "nginx";
  security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";

  # Kernel audit logging is currently switched off on this host; the block
  # below is the candidate configuration (auditd plus an execve rule) kept
  # for when it is turned on.
  # security.auditd.enable = true;
  # security.audit = {
  #   enable = true;
  #   rules = [ "-a exit,always -F arch=b64 -S execve" ];
  # };

  # Do not drop into the emergency shell when boot fails.
  systemd.enableEmergencyMode = false;

  # A server should neither suspend nor hibernate.
  systemd.sleep.extraConfig = ''
    AllowSuspend=no
    AllowHibernation=no
  '';

  # Watchdog timeouts handed to systemd (runtime and reboot).
  systemd.watchdog = {
    runtimeTime = "20s";
    rebootTime = "30s";
  };

  services.fail2ban = {
    enable = true;
    # First ban lasts one hour; repeat offenders are banned for progressively
    # longer, capped at a day, with jitter so bans do not expire in lockstep.
    bantime = "1h";
    bantime-increment = {
      enable = true;
      maxtime = "24h";
      rndtime = "7m";
    };
    # 100.64.0.0/10 is the CGNAT block; presumably this exempts the Tailscale
    # overlay network from bans — confirm against the tailscale module.
    ignoreIP = [ "100.64.0.0/10" ];
  };

  # Project-local module (not upstream NixOS); the meaning of restrictSSH is
  # defined there. NOTE(review): false presumably leaves SSH reachable from
  # outside the tailnet — verify before relying on it.
  modules.networking.tailscale = {
    enable = true;
    restrictSSH = false;
  };
}