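{ config, lib, ... }:

# NixOS module: expose this machine's Nix store over SSH so a CI host can push
# store paths into it, and sign what this host serves with a private cache key.
# Toggled with `custom.services.nixCacheServer.enable`.
let
  cfg = config.custom.services.nixCacheServer;
in
{
  options.custom.services.nixCacheServer.enable = lib.mkEnableOption "Nix SSH cache server";

  config = lib.mkIf cfg.enable {
    # Private signing key, decrypted by sops-nix at activation.  sops-nix's
    # defaults make the file root-only; the nix daemon reads it as root, so no
    # owner/mode override is needed here.
    sops.secrets.priv-cache-key.sopsFile = ../../secrets/ci.yaml;

    nix = {
      # Use the typed `nix.settings` entry rather than an `extraOptions` string:
      # the value is type-checked, and it merges with any other
      # `secret-key-files` declaration in the module system instead of adding a
      # second, hand-written `secret-key-files =` line to nix.conf.
      settings.secret-key-files = [ config.sops.secrets.priv-cache-key.path ];

      sshServe = {
        enable = true;
        # `write = true` lets holders of the listed keys import store paths,
        # not only fetch them.  Keep this list to the CI host that must push.
        write = true;
        keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNhPvGogPY/O6kIqrpbz0EcK4L5QQShvD+vuyk7FxFd root@cert-store"
        ];
      };
    };

    # Added because we are opening up SSH to the world
    # The NixOS fail2ban module enables the sshd jail by default; this only
    # tunes thresholds: 10 failures within findtime (1h) → 10m ban, growing
    # on repeat offences up to 1d.
    services.fail2ban = {
      enable = true;
      maxretry = 10;
      bantime = "10m";
      bantime-increment = {
        enable = true;
        maxtime = "1d";
      };
      jails = {
        DEFAULT.settings = {
          findtime = 3600;
        };
      };
    };
  };
}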