From d655186dc03ebde81f50746b8dc18c81a95ef351 Mon Sep 17 00:00:00 2001
From: gwg313
Date: Sun, 4 Feb 2024 12:52:53 -0500
Subject: [PATCH] feat: add ssh guard
---
 common/nixos/ssh_guard.nix | 12 ++++++++++++
 hosts/candlekeep/configuration.nix | 2 ++
 hosts/candlekeep/sysctl.nix | 7 +++++++
 hosts/grymforge/configuration.nix | 2 ++
 hosts/grymforge/sysctl.nix | 7 +++++++
 5 files changed, 30 insertions(+)
 create mode 100644 common/nixos/ssh_guard.nix
 create mode 100644 hosts/candlekeep/sysctl.nix
 create mode 100644 hosts/grymforge/sysctl.nix
diff --git a/common/nixos/ssh_guard.nix b/common/nixos/ssh_guard.nix
new file mode 100644
index 0000000..9dcdfd4
--- /dev/null
+++ b/common/nixos/ssh_guard.nix
@@ -0,0 +1,12 @@
+{...}: {
+ services.sshguard = {
+ enable = true;
+ services = [
+ "sshd"
+ ];
+ blocktime = 120;
+ detection_time = 1800;
+ blacklist_threshold = 120;
+ blacklist_file = "/var/lib/sshguard/blacklist.db";
+ };
+}
diff --git a/hosts/candlekeep/configuration.nix b/hosts/candlekeep/configuration.nix
index 24da624..31e99d3 100644
--- a/hosts/candlekeep/configuration.nix
+++ b/hosts/candlekeep/configuration.nix
@@ -20,6 +20,7 @@
 ../../common/nixos/restic.nix
 ../../common/nixos/ssh.nix
 ../../common/nixos/ssh_client.nix
+ ../../common/nixos/ssh_guard.nix
 ../../common/gui/hyprland.nix
 ../../common/gui/thunar.nix
 ../../common/style/stylix.nix
@@ -30,6 +31,7 @@
 ./auditd.nix
 ./kernel.nix
+ ./sysctl.nix
 ./earlyoom.nix
 # Or modules from other flakes (such as nixos-hardware):
diff --git a/hosts/candlekeep/sysctl.nix b/hosts/candlekeep/sysctl.nix
new file mode 100644
index 0000000..c34f88a
--- /dev/null
+++ b/hosts/candlekeep/sysctl.nix
@@ -0,0 +1,7 @@
+{lib, ...}: {
+ boot.kernel.sysctl = {
+ # disable unprivileged user namespaces to decrease attack surface
+ # Enabled because breaks discord/element etc
+ "kernel.unprivileged_userns_clone" = lib.mkForce 1;
+ };
+}
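Review bot: A persistent blacklist is switched on (`blacklist_threshold = 120` writing to `blacklist_file`) with no `whitelist`, so a legitimate client that trips the score — a cron job with a rotated key, or any host behind the same NAT as an attacker — stays blocked across reboots until its entry is removed from /var/lib/sshguard/blacklist.db by hand; add `whitelist = [ "<management/VPN source>" ];` for the addresses these hosts are administered from before turning on permanent blocks. `blocktime`, `detection_time`, `services` and `blacklist_file` appear to be the NixOS module defaults, so the blacklist threshold is the only setting that changes anything here; a comment such as `# blacklist_threshold is a cumulative dangerousness score (10 per attack by default), so 120 is roughly 12 attacks before a permanent block` would save the next reader a trip to sshguard(8) — verify the scoring against the manpage before committing it. sshguard enforces blocks through the host firewall backend, so this is inert unless the firewall is enabled on both hosts, which is not visible in this patch.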
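Review bot: The two comments contradict the code — the first says the sysctl is being disabled to reduce attack surface, yet `lib.mkForce 1` turns unprivileged user namespaces back on and overrides whatever set it to 0 (presumably a hardened profile or kernel module elsewhere in the tree; not visible here). Unprivileged user namespaces are the entry point for a long line of kernel local-privilege-escalation bugs, so the override deserves an accurate note; replace both comment lines with `# Re-enable unprivileged user namespaces (hardened default is 0): Discord/Element break without them. Accepted attack-surface trade-off for this desktop host; mkForce is needed to win over the hardened setting.` If the setting being overridden also disables namespaces via `user.max_user_namespaces` (NixOS `security.allowUserNamespaces`), this sysctl alone will not restore them — worth confirming on the host with `sysctl user.max_user_namespaces`. Note too that `kernel.unprivileged_userns_clone` only exists on kernels carrying that out-of-tree patch (e.g. linux_hardened); on a stock kernel systemd-sysctl will just log a failure for this key at boot.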
diff --git a/hosts/grymforge/configuration.nix b/hosts/grymforge/configuration.nix
index 974b72a..29c16d3 100644
--- a/hosts/grymforge/configuration.nix
+++ b/hosts/grymforge/configuration.nix
@@ -19,6 +19,7 @@
 ../../common/nixos/restic.nix
 ../../common/nixos/ssh.nix
 ../../common/nixos/ssh_client.nix
+ ../../common/nixos/ssh_guard.nix
 ../../common/gui/hyprland.nix
 ../../common/gui/thunar.nix
 ../../common/style/stylix.nix
@@ -29,6 +30,7 @@
 ./auditd.nix
 ./kernel.nix
+ ./sysctl.nix
 ./earlyoom.nix
 # Or modules from other flakes (such as nixos-hardware):
diff --git a/hosts/grymforge/sysctl.nix b/hosts/grymforge/sysctl.nix
new file mode 100644
index 0000000..c34f88a
--- /dev/null
+++ b/hosts/grymforge/sysctl.nix
@@ -0,0 +1,7 @@
+{lib, ...}: {
+ boot.kernel.sysctl = {
+ # disable unprivileged user namespaces to decrease attack surface
+ # Enabled because breaks discord/element etc
+ "kernel.unprivileged_userns_clone" = lib.mkForce 1;
+ };
+}
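Review bot: This file is byte-identical to hosts/candlekeep/sysctl.nix (same blob c34f88a), so the user-namespace override will drift between the two hosts the first time one of them is edited; the patch already places the shared sshguard settings under common/nixos/, and this belongs there too, imported from both configuration.nix files the way ssh_guard.nix is. The comment pair is also contradictory as written — "disable" on the first line, `lib.mkForce 1` (enable) in the code — and should state plainly that this re-enables unprivileged user namespaces over a hardened default because Discord/Element need them, an accepted attack-surface trade-off for a desktop host. Which module sets the value to 0 that mkForce overrides is not visible in this patch.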