From adce45481dc6b212bf9b78a5beeb1191c53bfe5e Mon Sep 17 00:00:00 2001
From: schererleander
Date: Mon, 22 Sep 2025 00:23:49 +0200
Subject: feat: setup fail2ban, auditd

---
 hosts/sachiel/configuration.nix | 34 +++++++++++++++++++++++++++-------
 1 file changed, 27 insertions(+), 7 deletions(-)
(limited to 'hosts/sachiel')

diff --git a/hosts/sachiel/configuration.nix b/hosts/sachiel/configuration.nix
index c8c361e..3d87d26 100644
--- a/hosts/sachiel/configuration.nix
+++ b/hosts/sachiel/configuration.nix
@@ -55,6 +55,21 @@
 };
 };
 
+ services.fail2ban = {
+ enable = true;
+ jails = {
+ sshd = ''
+ enabled = true
+ port = 8693
+ filter = sshd
+ backend = systemd
+ maxretry = 4
+ findtime = 10m
+ bantime = 1h
+ '';
+ };
+ };
+
 services.openssh = {
 enable = true;
 ports = [ 8693 ];
@@ -98,8 +113,6 @@
 };
 };
 virtualHosts."cloud.schererleander.de" = {
- sslCertificate = "/etc/ssl/certs/schererleander.fullchain.pem";
- sslCertificateKey = "/etc/ssl/private/schererleander.key";
 forceSSL = true;
 enableACME = true;
 };
@@ -121,14 +134,21 @@
 maintenance_window_start = 2; # 02:00
 default_phone_region = "de";
 overwriteProtocol = "https";
+ trusted_domains = [ "cloud.schererleander.de" ];
+ logtimezone = "Europe/Berlin";
 };
 };
 
- networking.firewall.allowedTCPPorts = [
- 80
- 443
- 8693
- ];
+ security.auditd.enable = true;
+
+ networking.firewall = {
+ allowPing = false;
+ allowedTCPPorts = [
+ 80
+ 443
+ 8693
+ ];
+ };
 
 nix.settings.experimental-features = [
 "nix-command"
-- 
cgit v1.3.1
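Review bot: The sshd jail hard-codes `port = 8693` inside the jail string while the same value is set a few lines later in `services.openssh.ports`; the two will drift silently if the SSH port is ever changed, and fail2ban would then watch a port nothing listens on. If the module function receives `config`, derive it instead: `port = ${toString (builtins.head config.services.openssh.ports)}`. Separately, no `services.fail2ban.ignoreIP` is set, so a few mistyped passwords from the administrator's own network ban that network for an hour on the only remote login path; listing the management address range there is the usual safeguard. Newer NixOS releases express jails as `jails.sshd.settings = { ... }` rather than a raw string, which is worth checking against the release this host tracks. The enclosing attribute set starts before the hunk.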
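Review bot: `security.auditd.enable = true;` starts the daemon but the hunk defines no audit rules, so apart from the records the kernel and PAM emit on their own nothing is being collected, which falls short of what the commit message calls setting up auditd. Pair it with the kernel side and at least one rule, e.g. `security.audit.enable = true;` and `security.audit.rules = [ "-a exit,always -F arch=b64 -S execve" ];`, and decide on log retention, since an execve rule fills the default log on a small host quickly. The firewall change itself is fine; `allowPing = false` and the unchanged port list are consistent with the rest of the hunk. The enclosing attribute set starts and ends outside the hunk.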