diff --git a/AGENTS.md b/AGENTS.md
index 8459aa8..fe0de1d 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -5,6 +5,7 @@ This document outlines the development conventions for this NixOS-based infrastr
 
 ## Build & Deployment
 - **Build/Deploy:** Use `nixos-rebuild switch --flake .#` to build and deploy the configuration for a specific host.
+- **CRITICAL — Validate before pushing:** Always `nix build --no-link '.#nixosConfigurations..config.system.build.toplevel'` (or `nh os build`) and confirm it succeeds before pushing any changes. Never push untested NixOS configs.
 - **Development Shell:** Activate the development environment with `nix develop`.
 
 ## Linting & Formatting
diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix
index 7a180f8..3963650 100644
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -364,8 +364,8 @@
       # SSH brute force protection (uses systemd journal backend)
       sshd = {
         enabled = true;
-        filter = "sshd";
         settings = {
+          filter = "sshd";
           port = "2424";
           maxretry = 3;
           bantime = "1h";
@@ -375,8 +375,8 @@
       # Recidive - ban repeat offenders for 1 week
       recidive = {
         enabled = true;
-        filter = "recidive";
         settings = {
+          filter = "recidive";
           logpath = "/var/log/fail2ban.log";
           bantime = "1w";
           findtime = "1d";
@@ -387,8 +387,8 @@
       # HTTP authentication failures (Traefik)
       http-auth = {
         enabled = true;
-        filter = "traefik-auth";
         settings = {
+          filter = "traefik-auth";
           port = "80,443";
           logpath = "/var/log/traefik/access.log";
           maxretry = 5;
@@ -399,8 +399,8 @@
       # HTTP scanning/attacks (Traefik)
       http-botsearch = {
         enabled = true;
-        filter = "traefik-botsearch";
         settings = {
+          filter = "traefik-botsearch";
           port = "80,443";
           logpath = "/var/log/traefik/access.log";
           maxretry = 2;
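Review bot: The sshd jail hard-codes `port = "2424"` and its comment promises the systemd journal backend, but nothing in the hunk ties either to the rest of the configuration — no `backend` setting appears under `settings`, and the port is duplicated by hand. If sshd's listen port is declared elsewhere in this file, deriving it keeps the ban action on the port sshd actually uses should the two drift, e.g. `port = lib.concatMapStringsSep "," toString config.services.openssh.ports;` (assuming `lib` and `config` are module arguments); and if `backend = "systemd";` is not inherited from `jails.DEFAULT`, adding it to `settings` turns the comment from an assumption into a fact. The enclosing `jails` attribute set starts and ends outside the hunk.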
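Review bot: The recidive jail's `logpath = "/var/log/fail2ban.log"` only works if the fail2ban daemon is writing its own log to that file; as far as I recall the NixOS module's default log target is syslog/journal, in which case the file never appears and fail2ban refuses to start the jail with a "have not found any log file" error, silently dropping the repeat-offender protection the comment describes. Either confirm `services.fail2ban.daemonSettings.Definition.logtarget` points at that path, or move this jail to the journal with `backend = "systemd";` under `settings`, matching what the sshd jail's comment already claims. The enclosing `jails` set continues outside the hunk.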
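Review bot: `settings.filter = "traefik-auth"` (and `"traefik-botsearch"` in the next hunk) now refers to a filter file that must exist as `traefik-auth.conf` in fail2ban's filter.d, and these are not filters fail2ban ships; nothing in the diff defines them. If they are not provided elsewhere in the file — for example through the jail-level `filter` submodule, whose `Definition` attrset generates that file if memory serves, or an `environment.etc` entry — the configuration now evaluates but fail2ban fails to start both HTTP jails at runtime, which is exactly the gap the new AGENTS.md rule cannot catch on its own since `nix build` does not exercise fail2ban's config parser. A comment on each jail naming where its filter is defined, such as `# filter defined in <path-to-filter-definition>` (placeholder), would make this easy to verify during review. Both jails' enclosing `jails` set starts and ends outside the hunk.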