SSH, fail2ban, aliases
@ -40,6 +40,7 @@
|
||||
./home/vim.nix # Vim config
|
||||
./home/hyprsunset.nix # Hyprsunset night mode
|
||||
./home/btop.nix # Btop config
|
||||
./home/ssh.nix # SSH config
|
||||
];
|
||||
};
|
||||
|
||||
@ -80,13 +81,6 @@
|
||||
firewall.enable = true;
|
||||
};
|
||||
|
||||
# ================================
|
||||
# SECURITY HARDENING
|
||||
# ================================
|
||||
# Disable core dumps to prevent potential security exploits
|
||||
# and improve system performance during crashes
|
||||
systemd.coredump.enable = false;
|
||||
|
||||
# ================================
|
||||
# LOCALIZATION
|
||||
# ================================
|
||||
@ -141,7 +135,7 @@
|
||||
};
|
||||
|
||||
# ================================
|
||||
# SECURITY & PERMISSIONS
|
||||
# PERMISSIONS
|
||||
# ================================
|
||||
# Enable real-time scheduling for audio applications (low-latency audio)
|
||||
security.rtkit.enable = true;
|
||||
@ -198,8 +192,27 @@
|
||||
};
|
||||
|
||||
# ================================
|
||||
# SANDBOXED APPLICATIONS
|
||||
# SECURITY HARDENING
|
||||
# ================================
|
||||
# Enable fail2ban for brute force protection
|
||||
services.fail2ban = {
|
||||
enable = true;
|
||||
# Ban IP after 3 failures
|
||||
maxretry = 3;
|
||||
bantime = "1h"; # Ban IPs for one hour on the first ban
|
||||
bantime-increment = {
|
||||
enable = true; # Enable increment of bantime after each violation
|
||||
multipliers = "1 2 4 8 16 32 64";
|
||||
maxtime = "168h"; # Do not ban for more than 1 week
|
||||
overalljails = true; # Calculate the bantime based on all the violations
|
||||
};
|
||||
};
|
||||
|
||||
# Disable core dumps to prevent potential security exploits
|
||||
# and improve system performance during crashes
|
||||
systemd.coredump.enable = false;
|
||||
|
||||
# SANDBOXED APPLICATIONS
|
||||
# Enable Firejail for application sandboxing (security)
|
||||
programs.firejail = {
|
||||
enable = true;
|
||||
@ -237,9 +250,7 @@
|
||||
'';
|
||||
};
|
||||
|
||||
# ================================
|
||||
# HARDWARE SECURITY (YUBIKEY)
|
||||
# ================================
|
||||
# Enable Yubikey support for SSH and GPG
|
||||
services.yubikey-agent.enable = true;
|
||||
# Enable U2F authentication for login
|
||||
|
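--- a/modules/home/ssh.nix
+++ b/modules/home/ssh.nix
@@ -0,0 +1,79 @@
+{
+programs.ssh = {
+enable = true;
+serverAliveInterval = 60;
+serverAliveCountMax = 2;
+
+matchBlocks = {
+"d10.csb.brainmill.com" = {
+forwardAgent = true;
+port = 22;
+};
+"prod-admin-jump1.infra.csbnet.se" = {
+forwardAgent = true;
+port = 22;
+};
+"prod-jump-got1.infra.brainmill.com" = {
+forwardAgent = true;
+port = 22;
+};
+"sw-fys-kt11-serv1.net.chsfg.se" = {
+hostname = "10.2.13.10";
+};
+"sw-fys-kt11-kansli1.net.chsfg.se" = {
+hostname = "10.2.13.11";
+};
+"sw-fys-kt11-kansli2.net.chsfg.se" = {
+hostname = "10.2.13.12";
+};
+"sw-fys-kt11-reception1.net.chsfg.se" = {
+hostname = "10.2.13.13";
+};
+"sw-fys-kt11-reception2.net.chsfg.se" = {
+hostname = "10.2.13.14";
+};
+"sw-fys-gg39-kom.net.chsfg.se" = {
+hostname = "10.1.13.10";
+};
+"sw-fys-gg39-skap.net.chsfg.se" = {
+hostname = "10.1.13.11";
+};
+"sw-fys-ev1.net.chsfg.se" = {
+hostname = "10.62.13.10";
+};
+"192.168.10.20" = {
+hostname = "192.168.10.20";
+user = "manager";
+};
+"192.168.10.50" = {
+hostname = "192.168.10.50";
+};
+"gw1.net.chsfg.se" = {
+forwardAgent = true;
+hostname = "2a02:9a0:fffe:4::3";
+};
+"gw2.net.chsfg.se" = {
+forwardAgent = true;
+hostname = "2a02:9a0:fffe:4::5";
+};
+"cv11-stor-gw.net.chsfg.se" = {
+proxyCommand = "ssh prod-admin-jump1.infra.csbnet.se /bin/nc %h 22";
+hostname = "176.10.244.136";
+user = "root";
+port = 8822;
+};
+"tp2-core1.net.chsfg.se" = {
+hostname = "192.168.10.52";
+user = "nvg";
+};
+"gw-shg9d-ctk.net.chsfg.se" = {
+hostname = "83.218.70.146";
+user = "admin";
+};
+"lp5-core1.net.chsfg.se" = {
+hostname = "192.168.10.51";
+user = "nvg";
+};
+};
+};
+}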
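Review bot: `forwardAgent = true` is set unconditionally on five match blocks (d10, prod-admin-jump1, prod-jump-got1, gw1, gw2), so every session to those hosts hands the local agent socket to that host for the lifetime of the connection, and the `cv11-stor-gw.net.chsfg.se` block additionally relays through prod-admin-jump1 with `proxyCommand = "ssh prod-admin-jump1.infra.csbnet.se /bin/nc %h 22"`, which depends on `nc` existing on the jump host. Home-manager's `proxyJump` option expresses the same hop as an end-to-end tunnel that does not need the jump host to run a relay, so that line can become `proxyJump = "prod-admin-jump1.infra.csbnet.se";`. Agent forwarding is only required on hosts from which an onward `ssh` is started; where a ProxyJump covers the hop it can be dropped, and a one-line comment above each remaining `forwardAgent = true` (`# agent forwarding required: onward ssh is run from this jump host`) would make the remaining cases reviewable. The file also records a full inventory of internal addresses and login usernames, which is fine for a private repository but worth keeping in mind if this flake is ever published.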
@ -108,12 +108,12 @@ in {
|
||||
"....." = "cd ../../../../";
|
||||
|
||||
# Work aliases
|
||||
"csb_jump" = "ssh -A prod-admin-jump1.infra.csbnet.se";
|
||||
"csb_proxmox" = "ssh -A -L1337:172.18.200.21:8006 prod-admin-jump1.infra.csbnet.se";
|
||||
"csb_ups1" = "ssh -A -L1338:172.18.79.1:80 prod-admin-jump1.infra.csbnet.se";
|
||||
"csb_ups2" = "ssh -A -L1339:172.18.79.3:80 prod-admin-jump1.infra.csbnet.se";
|
||||
"neanet_jump" = "ssh -A prod-jump-got1.infra.brainmill.com";
|
||||
"neanet_proxmox" = "ssh -A -L1338:[2a09:2681:ffff:13::104]:8006 prod-jump-got1.infra.brainmill.com";
|
||||
"jumpc" = "ssh prod-admin-jump1.infra.csbnet.se";
|
||||
"proxc" = "ssh -L1337:172.18.200.21:8006 prod-admin-jump1.infra.csbnet.se";
|
||||
"jumpn" = "ssh prod-jump-got1.infra.brainmill.com";
|
||||
"proxmoxn" = "ssh -L1338:[2a09:2681:ffff:13::104]:8006 prod-jump-got1.infra.brainmill.com";
|
||||
"ups1c" = "ssh -L1339:172.18.79.1:80 prod-admin-jump1.infra.csbnet.se";
|
||||
"ups2c" = "ssh -L1340:172.18.79.3:80 prod-admin-jump1.infra.csbnet.se";
|
||||
};
|
||||
shellAbbrs = {
|
||||
"cp" = "cp -v";
|
||||
|