feat: add ssh guard

common/nixos/ssh_guard.nix

@@ -0,0 +1,12 @@
+{...}: {
+  services.sshguard = {
+    enable = true;
+    services = [
+      "sshd"
+    ];
+    blocktime = 120;
+    detection_time = 1800;
+    blacklist_threshold = 120;
+    blacklist_file = "/var/lib/sshguard/blacklist.db";
+  };
+}

hosts/candlekeep/configuration.nix

@@ -20,6 +20,7 @@
     ../../common/nixos/restic.nix
     ../../common/nixos/ssh.nix
     ../../common/nixos/ssh_client.nix
+    ../../common/nixos/ssh_guard.nix
     ../../common/gui/hyprland.nix
     ../../common/gui/thunar.nix
     ../../common/style/stylix.nix
@@ -30,6 +31,7 @@
 
     ./auditd.nix
     ./kernel.nix
+    ./sysctl.nix
     ./earlyoom.nix
 
     # Or modules from other flakes (such as nixos-hardware):

hosts/candlekeep/sysctl.nix

@@ -0,0 +1,7 @@
+{lib, ...}: {
+  boot.kernel.sysctl = {
+    # disable unprivileged user namespaces to decrease attack surface
+    # Enabled because breaks discord/element etc
+    "kernel.unprivileged_userns_clone" = lib.mkForce 1;
+  };
+}

hosts/grymforge/configuration.nix

@@ -19,6 +19,7 @@
     ../../common/nixos/restic.nix
     ../../common/nixos/ssh.nix
     ../../common/nixos/ssh_client.nix
+    ../../common/nixos/ssh_guard.nix
     ../../common/gui/hyprland.nix
     ../../common/gui/thunar.nix
     ../../common/style/stylix.nix
@@ -29,6 +30,7 @@
 
     ./auditd.nix
     ./kernel.nix
+    ./sysctl.nix
     ./earlyoom.nix
 
     # Or modules from other flakes (such as nixos-hardware):

hosts/grymforge/sysctl.nix

@@ -0,0 +1,7 @@
+{lib, ...}: {
+  boot.kernel.sysctl = {
+    # disable unprivileged user namespaces to decrease attack surface
+    # Enabled because breaks discord/element etc
+    "kernel.unprivileged_userns_clone" = lib.mkForce 1;
+  };
+}