july rice

2025-07-27 22:02:16 -05:00 · 2025-07-27 22:02:16 -05:00 · 89ab499605
commit 89ab499605
parent 73f2340ac0
10 changed files with 95 additions and 39 deletions
--- a/nixos/consensus/configuration.nix
+++ b/nixos/consensus/configuration.nix
@ -26,8 +26,8 @@
    tmux
  ];
  services = {
-    zfs.autoScrub.enable = true;
-    zfs.autoSnapshot.enable = true;
+    # zfs.autoScrub.enable = true;
+    # zfs.autoSnapshot.enable = true;
    tailscale.enable = true;
    k3s = {
      enable = true;
@ -36,16 +36,53 @@
        "--disable=traefik"
      ];
    };
+    fail2ban = {
+      enable = true;
+      maxretry = 5;
+      bantime = "1h";
+      ignoreIP = [
+        "172.16.0.0/12"
+        "192.168.0.0/16"
+        "tailc353f.ts.net"
+      ];
+
+      bantime-increment = {
+        enable = true;
+        multipliers = "1 2 4 8 16 32 64 128 256";
+        maxtime = "24h";
+        overalljails = true;
+      };
+    };
    openssh = {
      enable = true;
      ports = [2022];
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin = "prohibit-password";
+        PermitEmptyPasswords = false;
+        PermitTunnel = false;
+        UseDns = false;
+        KbdInteractiveAuthentication = false;
+        X11Forwarding = false;
+        MaxAuthTries = 3;
+        MaxSessions = 2;
+        ClientAliveInterval = 300;
+        ClientAliveCountMax = 0;
+        TCPKeepAlive = false;
+        AllowTcpForwarding = false;
+        AllowAgentForwarding = false;
+        LogLevel = "VERBOSE";
      };
+      hostKeys = [
+        {
+          path = "/etc/ssh/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+      ];
    };
    immich = {
-      enable = true;
+      # enable = true;
+      enable = false;
      port = 2283;
      host = "localhost";
      openFirewall = true;
@ -73,9 +110,9 @@
  };
  boot = {
    tmp.cleanOnBoot = true;
-    supportedFilesystems = ["zfs"];
-    zfs.forceImportRoot = false;
-    zfs.extraPools = ["rice"];
+    # supportedFilesystems = ["zfs"];
+    # zfs.forceImportRoot = false;
+    # zfs.extraPools = ["rice"];
  };
  networking.hostId = "91238132";
  zramSwap.enable = false;
--- a/nixos/consensus/hardware-configuration.nix
+++ b/nixos/consensus/hardware-configuration.nix
@ -1,10 +1,19 @@
-{ lib, modulesPath, ... }:
 {
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [(modulesPath + "/profiles/qemu-guest.nix")];
  boot.loader.grub.device = "/dev/nvme0n1";
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
-  boot.initrd.kernelModules = [ "nvme" ];
-  fileSystems."/" = { device = "/dev/mapper/vg-root"; fsType = "btrfs"; };
-  fileSystems."/var" = { device = "/dev/mapper/vg-var"; fsType = "btrfs"; };
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];
+  boot.initrd.kernelModules = ["nvme"];
+  fileSystems."/" = {
+    device = "/dev/mapper/vg-root";
+    fsType = "btrfs";
+  };
+  fileSystems."/var" = {
+    device = "/dev/mapper/vg-var";
+    fsType = "btrfs";
+  };
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }