path: root/common/headless.nix
blob: 14181efd1e80e783facc348f6e6de1ac217a8ade (plain)
# NixOS module with shared settings for headless hosts: key-only root SSH,
# no sudo, fail2ban, ACME defaults, log rotation and nginx http-level defaults.
# It extends ./common.nix. Values wrapped in lib.mkDefault can be overridden
# by a host configuration without needing lib.mkForce.
{ config, lib, pkgs, ... }:

{
  imports = [ ./common.nix ];

  # environment.systemPackages = [ pkgs.kitty.terminfo ];

  networking.domain = lib.mkDefault "stuebinm.eu";

  # Automatic garbage collection of the Nix store; generations older than
  # 14 days are deleted, which also limits how far back a rollback can go.
  nix.gc = {
    automatic = lib.mkDefault true;
    options = lib.mkDefault "--delete-older-than 14d";
  };

  # The only credential for root in this file. With sudo disabled below,
  # whoever holds the matching private key has full control of every host
  # that imports this module.
  # NOTE(review): the key type is ssh-rsa; the key length is not visible here.
  # Confirm it is at least 3072 bits or consider rotating to ed25519.
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-rsa 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"
  ];

  # sshd: root may log in, but not with a password ("prohibit-password"), and
  # password authentication is off for all accounts.
  # NOTE(review): KbdInteractiveAuthentication is not set in this file. Confirm
  # that ./common.nix or the module default gives the intended value, so that
  # non-root accounts cannot fall back to keyboard-interactive passwords.
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
    };
  };

  # No sudo on these hosts; privileged access is by direct root SSH login only.
  # Trade-off: no per-user attribution of root actions in the auth log.
  security.sudo.enable = false;


  # ACME defaults: accept the CA's terms of service and set the contact
  # address used for certificate accounts.
  security.acme = {
    acceptTerms = true;
    defaults.email = "stuebinm@disroot.org";
  };

  # fail2ban with escalating ban times for repeat offenders. The escalation
  # uses ban history across all jails (overalljails) and is capped at
  # 1312 minutes (about 22 hours).
  # NOTE(review): maxretry = 20 is lenient. Since password logins are disabled
  # above this mostly affects log noise, but verify it is intended for any
  # other jails defined elsewhere.
  services.fail2ban = {
    enable = true;
    bantime-increment.enable = true;
    bantime-increment.overalljails = true;
    bantime-increment.maxtime = "1312m";
    maxretry = 20;
  };

  # Keep only two rotations of nginx logs, uncompressed.
  # NOTE(review): `nocompress = true` and `compress = false` both ask for no
  # compression. Presumably both are set to override what the nginx module
  # contributes (see the author's comment below); confirm against the
  # generated logrotate config.
  services.logrotate = {
    enable = true;
    # the nginx module does stuff here, which apparently no one tells anyone about
    settings.nginx = {
      rotate = 2;
      nocompress = true;
      compress = false;
    };
  };

  # Appended to nginx's http block:
  #  - access_log off: no request logging by default (privacy-friendly). This
  #    also means there is no request trail for incident response, and any
  #    fail2ban jail that parses nginx access logs has nothing to read unless
  #    a vhost re-enables logging.
  #  - Permissions-Policy "interest-cohort=()": opts served pages out of FLoC.
  #    nginx does not inherit http-level add_header directives into a
  #    server/location block that declares its own add_header, so vhosts that
  #    add headers must repeat this one.
  services.nginx.appendHttpConfig = ''
     access_log off;
     add_header Permissions-Policy "interest-cohort=()";
  '';
  # NOTE(review): the mosh module normally also opens a UDP port range in the
  # firewall for mosh-server; confirm that exposure is intended on every host.
  programs.mosh.enable = true;

  # Documentation is not installed on headless hosts.
  documentation.enable = false;
  # documentation.man.enable = false;
}