
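{ config, pkgs, ... }:
let
  # Public keys trusted for remote access to this server.
  # NOTE(review): this one list is reused for root login, the nix-builder
  # account and nix.sshServe below, so every key here — including the
  # nix-builder@brix key — can log in as root. Split the list (e.g. a
  # separate builderKeys) if the builder host should not hold root access.
  authorizedKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEo4R+6J3h6Ix3xWpOMdU7Es1/YxFchHw0c+kcCOJxFb cyryl@foureighty"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDN/2C59i+ucvSa9FLCHlVPJp0zebLOcw0+hnBYwy0cY cyryl@skinnyv"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwZ4M6lT2yzg8iarCzsLADAuXS4BUkLTt1+mKCECczk nix-builder@brix"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDa2qAxpUEFeBYl2wlzDa/x37TAAy5pOBHv50OXUrV5 cyryl@thinky"
  ];
in {
  # Shared hardening applied to all hosts; this file adds server-specific settings.
  imports = [ ./security.nix ];

  # ACME registration contact and terms-of-service acceptance for certificates.
  security.acme.defaults.email = "admin@cyplo.dev";
  security.acme.acceptTerms = true;

  # Ban sources that repeatedly fail authentication (sshd is covered by default).
  services.fail2ban.enable = true;

  services.openssh = {
    enable = true;
    settings = {
      # Root may log in, but only with a public key.
      PermitRootLogin = "prohibit-password";
      # Key-only authentication. PasswordAuthentication alone is not enough:
      # NixOS leaves KbdInteractiveAuthentication (PAM keyboard-interactive)
      # enabled by default, and that path would still accept a password, so
      # both must be turned off.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };

  # `users.users` is the current option; `users.extraUsers` is a deprecated
  # alias for it, so both accounts are declared the same way here.
  users.users.root.openssh.authorizedKeys.keys = authorizedKeys;
  users.users.nix-builder = {
    isNormalUser = true;
    openssh.authorizedKeys.keys = authorizedKeys;
  };

  # Remote builders connect as nix-builder. Per the Nix manual, a trusted user
  # can override any daemon setting (substituters, sandboxing, ...), which is
  # roughly root-equivalent — treat the nix-builder keys accordingly.
  nix.settings.trusted-users = [ "root" "nix-builder" ];

  # Expose the store over SSH (nix-store --serve) to the same keys. This is
  # read-only unless nix.sshServe.write is enabled elsewhere.
  nix.sshServe.enable = true;
  nix.sshServe.keys = authorizedKeys;
}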