# Shared NixOS server baseline: key-only root SSH, no sudo, fail2ban,
# ACME defaults, log rotation and a few nginx http-level defaults.
# Values wrapped in lib.mkDefault can be overridden by host-specific modules.
{ config, lib, pkgs, ... }:

{
  imports = [ ./common.nix ];

  # Ship kitty's terminfo entry system-wide.
  environment.systemPackages = [ pkgs.kitty.terminfo ];

  networking.domain = lib.mkDefault "stuebinm.eu";

  # Automatic store garbage collection; generations older than one week go.
  nix.gc.automatic = lib.mkDefault true;
  nix.gc.options = lib.mkDefault "--delete-older-than 1w";

  # The only root credential declared in this file. Together with the sshd
  # settings and the disabled sudo below, this key is the administrative
  # entry point unless ./common.nix or a host module adds another.
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-rsa 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"
  ];

  services = {
    openssh = {
      enable = true;
      # Root may log in, but never with a password (public key only).
      permitRootLogin = "prohibit-password";
      # Password logins are refused for every account, not just root.
      passwordAuthentication = false;
      # NOTE(review): newer NixOS releases expose these two options as
      # services.openssh.settings.PermitRootLogin / PasswordAuthentication;
      # confirm against the nixpkgs revision this configuration is pinned to.
    };

    fail2ban = {
      enable = true;
      # Repeat offenders get progressively longer bans, counted across all
      # jails, capped at 1312 minutes (about 22 hours).
      bantime-increment = {
        enable = true;
        overalljails = true;
        maxtime = "1312m";
      };
      # Addresses listed here are never banned.
      # NOTE(review): confirm 185.39.64.13 is still under the operator's
      # control; an allowlisted address is exempt from rate limiting of
      # failed logins.
      ignoreIP = [ "185.39.64.13" ];
    };

    logrotate = {
      enable = true;
      # The nginx module injects its own logrotate settings (not documented,
      # per the original author); override them here.
      settings.nginx = {
        rotate = 2;
        nocompress = true;
        compress = false;
      };
    };

    # Appended to nginx's http block.
    # - access_log off: no per-request log is written, so there is no HTTP
    #   request trail for incident response, and any fail2ban jail that
    #   parses nginx access logs (none is defined in this file) would have
    #   nothing to match.
    # - Permissions-Policy: opts responses out of interest-cohort (FLoC).
    #   nginx does not inherit http-level add_header into a server/location
    #   block that declares its own add_header, so such blocks must repeat it.
    nginx.appendHttpConfig = ''
      access_log off;
      add_header Permissions-Policy "interest-cohort=()";
    '';
  };

  security = {
    # No sudo: privilege escalation from an unprivileged account is not
    # offered through this path.
    sudo.enable = false;

    acme = {
      acceptTerms = true;
      defaults.email = "stuebinm@disroot.org";
    };
  };

  # NOTE(review): the NixOS mosh module opens a UDP port range in the
  # firewall (60000-61000 by default, as far as I know); confirm that this
  # exposure is intended on every host importing this file.
  programs.mosh.enable = true;
}