My Nix configs for my servers and desktop.
{ config, lib, pkgs, modulesPath, inputs, ... }:

{
  # Host-local modules first, then the shared ones, then the secrets that
  # are common to every host.
  imports = [
    ./hardware.nix
    ./secrets.nix

    ../../common/system.nix
    ../../common/users.nix
    ../../common/services.nix

    ../../host-secrets.nix
  ];

  # UEFI boot through systemd-boot; the initrd is run by systemd as well.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.efi.efiSysMountPoint = "/boot";
  boot.initrd.systemd.enable = true;

  system.stateVersion = "24.11";
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";

  systemd.targets.multi-user.enable = true;

  networking.hostName = "baal";
  # NOTE(review): this hostId looks like a placeholder; it is meant to be unique
  # per machine (ZFS, among others, keys on it) -- confirm before relying on it.
  networking.hostId = "aaaaaaaa";
  networking.networkmanager.enable = true;

  services.fail2ban = {
    enable = true;

    # Global jail policy: five failures trip a ban that starts at one day and
    # doubles on each repeat offence, capped at a week, with the offence
    # count taken across every jail rather than per jail.
    maxretry = 5;
    bantime = "24h";
    bantime-increment = {
      enable = true;
      multipliers = "1 2 4 8 16 32 64";
      maxtime = "168h";
      overalljails = true;
    };

    # Never ban the RFC 1918 private ranges or the RFC 6598 shared address
    # space (100.64.0.0/10), so local and overlay-network clients cannot
    # lock themselves out.
    ignoreIP = [
      "10.0.0.0/8"
      "172.16.0.0/12"
      "192.168.0.0/16"
      "100.64.0.0/10"
    ];

    jails.apache-nohome-iptables.settings = {
      # Ban a client for ten minutes when it requests a non-existent ~user
      # home directory five times within ten minutes -- a scanner signature.
      filter = "apache-nohome";
      action = ''iptables-multiport[name=HTTP, port="http,https"]'';
      logpath = "/var/log/httpd/error_log*";
      backend = "auto";
      findtime = 600;
      bantime = 600;
      maxretry = 5;
      # NOTE(review): no httpd service is enabled in this file; if none of the
      # imported modules enables one either, this logpath never matches and
      # fail2ban will most likely refuse to start the jail.
      # NOTE(review): the iptables-multiport action filters the host INPUT
      # chain; connections to ports published by Docker containers are
      # forwarded instead and are presumably not covered -- confirm where the
      # web server actually runs.
    };
  };

  # Start dockerd at boot instead of on demand, so restart=always containers
  # come up without a first client connection.
  virtualisation.docker = {
    enable = true;
    enableOnBoot = true;
  };

  # Server box: skip building man pages and other documentation.
  documentation.enable = false;
}