From c226c1bdb39a9bb86cc89bee99725ff9012d46f5 Mon Sep 17 00:00:00 2001
From: OCbwoy3
Date: Fri, 24 Oct 2025 16:14:05 +0300
Subject: [PATCH] ssh: add security

---
 modules/nixos/programs.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/modules/nixos/programs.nix b/modules/nixos/programs.nix
index 7dfa8f0..1d9ae1f 100644
--- a/modules/nixos/programs.nix
+++ b/modules/nixos/programs.nix
@@ -26,9 +26,24 @@
     c-ares ffmpeg gtk3 http-parser libevent libvpx libxslt minizip nss re2 snappy libnotify libappindicator-gtk3
   ];
 
+  services.fail2ban = {
+    enable = true;
+    # Ban IP after 5 failures
+    maxretry = 5;
+    ignoreIP = [
+      "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
+    ];
+  };
+
   services.openssh = {
     enable = true;
     ports = [ 22 ];
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "no";
+      AllowUsers = [ "ocbwoy3" "git" ];
+    };
     # fucks up ssh connections from iphone if you enable this
     # settings = {
     # KexAlgorithms = [ "curve25519-sha256@libssh.org" ];
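Review bot: The new live `settings = { ... };` block sits directly above the still-commented `# settings = {` block that holds the KexAlgorithms experiment, so the attribute now exists twice in the file and re-enabling the old block as written would make Nix reject `services.openssh` for a duplicate `settings` definition. Fold the remaining line into the live block instead, e.g. `# KexAlgorithms = [ "curve25519-sha256@libssh.org" ]; # breaks iPhone clients` placed inside the new `settings` attrset, and drop the orphaned `# settings = {` header. `AllowUsers = [ "ocbwoy3" "git" ];` combined with `PasswordAuthentication = false` means every other account is refused and the listed ones can only log in with a key, so a comment such as `# key-only login for the listed users; confirm an authorized key works for one of them before switching` would record the lock-out risk next to the line that creates it. `ignoreIP` exempts the whole RFC1918 range, which presumably is deliberate for LAN hosts but means fail2ban never bans a local source; a one-line comment stating that intent would keep a later reader from treating it as an oversight. The enclosing `services.openssh` attrset and the commented block continue past the end of the hunk.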