almost ready. now to harden

2025-11-04 11:30:34 +00:00 · 2025-11-04 11:30:34 +00:00 · e856c0dfb1
commit e856c0dfb1
parent 29cbf8b2d8
20 changed files with 539 additions and 58 deletions
--- a/system/configuration.nix
+++ b/system/configuration.nix
@ -1,13 +1,30 @@
-{pkgs, ...}: {
-  environment.systemPackages = with pkgs; [vim btop git alejandra statix deadnix];
+{pkgs, ...}:
+let updateScript = pkgs.writeShellScriptBin "rebuild" ''
+  #!/bin/sh
+  nixos-rebuild switch --flake /etc/nixos#distrust --impure
+'';
+in
+{
+  environment.systemPackages = with pkgs; [vim btop git alejandra statix deadnix] ++ [ updateScript ];

  nix.settings.experimental-features = ["nix-command" "flakes"];

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
  networking.hostName = "distrust";
-  services.openssh.enable = true;
-  services.openssh.settings.PermitRootLogin = "yes";
+
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "yes";
+    ports = [292];
+  };
+  services.fail2ban.enable = true;
+  services.endlessh = {
+    enable = true;
+    port = 22;
+    openFirewall = true;
+  };
+
  users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxah5pnxmk=P7HtwRsryDoAHZsDs5RcGP9IPCNg1KFe cardno;16-179-196"];
  system.stateVersion = "25.05";
 }