networking and security updates

hosts/falkenstein/default.nix

@@ -54,8 +54,6 @@
   # Enable the OpenSSH daemon.
   services.openssh = {
     enable = true;
-    # clean up the logs a bit
-    ports = [ 2222 ];
     settings.PasswordAuthentication = false;
   };
   programs.mosh.enable = true;

hosts/falkenstein/modules/fail2ban/default.nix

@@ -1,4 +1,4 @@
-{ ... }:
+{ lib, ... }:
 {
   services.fail2ban = {
     enable = true;
@@ -7,11 +7,15 @@
       enable = true;
     };
     jails = {
+      sshd = lib.mkForce ''
+        enabled = true
+        port = ssh
+        filter= sshd[mode=aggressive]
+      '';
       dovecot = ''
         enabled = true
         # aggressive mode add blocking for aborted connections
         filter = dovecot[mode=aggressive]
-        bantime = 10m
         maxretry = 3
       '';
       postfix = ''

hosts/falkenstein/modules/mail/default.nix

@@ -15,10 +15,9 @@ let
 in
 {
   networking.firewall.allowedTCPPorts = [
-    25 # insecure SMTP
-    465
-    587 # SMTP
-    993 # IMAP
+    25 # SMTP
+    465 # SUBMISSONS
+    993 # IMAPS
     4190 # sieve
   ];
   users.users.rouven = {

hosts/thinkpad/default.nix

@@ -56,6 +56,16 @@
     HibernateDelaySec=2h
   '';
 
+  services.mysql = {
+    enable = true;
+    package = pkgs.mariadb;
+    ensureUsers = [
+      {
+        name = "user1";
+      }
+    ];
+  };
+
   services.logind = {
     lidSwitch = "suspend-then-hibernate";
     lidSwitchDocked = "suspend-then-hibernate";

hosts/thinkpad/modules/networks/default.nix

@@ -41,7 +41,9 @@
     hostName = "thinkpad";
     hostId = "d8d34032";
     enableIPv6 = true;
-    firewall.allowedTCPPorts = [ 24727 ];
+    firewall = {
+      logRefusedConnections = false;
+    };
     wireless = {
       enable = true;
       userControlled.enable = true;

hosts/thinkpad/modules/sound/default.nix

@@ -9,5 +9,6 @@
   };
   environment.systemPackages = with pkgs; [
     qpwgraph
+    easyeffects
   ];
 }