Nix homelab feedback

Hello
So your config seems pretty good. For security reasons I would not make the firewall config public. With that you are giving away which ports you have open. Also, do not make your user config (especially your SSH key) private. Also, your root password should not be displayed in public even if it is hashed. Even if it is long and safe. Also blur out everything regarding IP addresses.
Get rid of the following in your public repo:

    networking = {
      firewall.enable = true;
      firewall.allowedTCPPorts = [
        80 # nginx http
        443 # nginx https
        3851 # ssh
      ];
    };
    users.users.www = {
      isNormalUser = true;
      home = "/var/www";
      group = "www";
      shell = pkgs.dash; # rrsync bash security issue
      openssh.authorizedKeys.keys = [
        # append only key
        ''command="${pkgs.rrsync}/bin/rrsync /var/www/homepage",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFky8zixRqFyQVNlykhWdt4gp1XMi2DATurTgWpuayu4''
      ];
    };
    system.activationScripts = {
      scriptChrootJail = {
        deps = [ "specialfs" ];
        text = ''
          mkdir -p /var/www/
          mkdir -p /var/www/homepage
          chmod 755 /var/www/
          chmod 755 /var/www/homepage
          chown root:root /var/www/
          chown www:www /var/www/homepage
        '';
      };
    };
    users.users.behrn = {
      isNormalUser = true;
      extraGroups = [
        "networkmanager"
        "wheel"
        "keys"
      ];
      packages = with pkgs; [ ];
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIbUF1O0ajT8PFQeUyNsJJLjl5P6ByRKI+JlXR1apimR"
      ];
    };
    security.sudo.extraRules = [
      {
        users = [ "behrn" ];
        commands = [
          {
            # needed for colmena
            command = "ALL";
            options = [ "NOPASSWD" ];
          }
        ];
      }
    ];

    # ROOT
    users.users.root.hashedPassword = "$y$j9T$gwUVzCIiyNDk5Ybtjtfep.$yaqYMsIBQMMj/5AS92p3WWkpIAuEdHp6T8YEh5ORjl/";

Either you delete those or blur them out. These can be a massive security risk, especially on a server and a public repo. When you aim for a repo for new users, blur them out.

Also I would recommend you to use fail2ban (seen you already did, but you can decrease after how many times an IP address gets banned to something like 2-3) and maybe use AppArmor.
For some more info you can look there:
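
As an added example that is not part of the original post: a small pre-publish check, in Python, that flags the kinds of lines the post lists (password hashes, SSH public keys, firewall port lists, IP addresses) in a Nix file. The rule names, `scan_nix` and the sample config are assumptions made up for this illustration.

```python
import re

# Settings the post above says to keep out of a public repo.
RULES = [
    ("password-hash", re.compile(r'\bhashedPassword\s*=\s*"[^"]+"')),
    ("ssh-public-key", re.compile(r'\bssh-(?:ed25519|rsa)\s+AAAA[0-9A-Za-z+/=]+')),
    ("open-ports", re.compile(r'\ballowed(?:TCP|UDP)Ports\b')),
]
IPV4 = re.compile(r'(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])')


def scan_nix(text):
    """Return sorted (line_number, rule_name) findings for a Nix source string.

    Comments are scanned too: a commented-out secret is still published.
    """
    findings = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.add((lineno, name))
        for match in IPV4.finditer(line):
            # Only report dotted quads whose octets are all valid (0-255).
            if all(int(octet) <= 255 for octet in match.groups()):
                findings.add((lineno, "ipv4-address"))
    return sorted(findings)


# Constructed sample input; the key, hash and address are made up.
SAMPLE = '''\
{ pkgs, ... }:
{
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.interfaces.eth0.ipv4.addresses = [
    { address = "192.0.2.10"; prefixLength = 24; }
  ];
  users.users.alice.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLYNOTAREALKEY0000000000000000000000"
  ];
  # users.users.root.hashedPassword = "$y$j9T$EXAMPLESALT$notARealHashValue";
  system.stateVersion = "24.05";
}
'''

if __name__ == "__main__":
    for lineno, rule in scan_nix(SAMPLE):
        print(f"line {lineno}: {rule}")
```

Run over each `.nix` file before pushing; it only matches the literal forms shown, so values pulled in from other files or built by string concatenation will not be reported.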