Change varcila shell to zsh

Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
Increase fail2ban ban time on each attempt
2026-01-07 13:22:17 +01:00 · 2026-01-07 13:14:34 +01:00 · 2026-01-07 13:14:30 +01:00 · 2026-01-07 13:14:22 +01:00
2 changed files with 13 additions and 0 deletions
--- a/m/apex/configuration.nix
+++ b/m/apex/configuration.nix
@@ -57,6 +57,18 @@
    };
  };

+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+    bantime-increment = {
+      enable = true; # Double ban time on each attack
+      maxtime = "7d"; # Ban up to a week
+    };
+  };
+
+  # Disable SSH login with password, allow only keypair
+  services.openssh.settings.PasswordAuthentication = false;
+
  networking.firewall = {
    extraCommands = ''
      # Blackhole BSC vulnerability scanner (OpenVAS) as it is spamming our
--- a/m/common/base/users.nix
+++ b/m/common/base/users.nix
@@ -139,6 +139,7 @@
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGt0ESYxekBiHJQowmKpfdouw0hVm3N7tUMtAaeLejK vincent@varch"
        ];
+        shell = pkgs.zsh;
      };

      pmartin1 = {
Author	SHA1	Message	Date
Vincent A. Arcila	859eebda98	Change varcila shell to zsh All checks were successful CI / build:all (push) Successful in 59m37s Details CI / build:cross (push) Successful in 1h27m33s Details CI / build:cross (pull_request) Successful in 1h29m20s Details CI / build:all (pull_request) Successful in 1h29m22s Details Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>	2026-01-07 13:22:17 +01:00
Rodrigo Arias Mallo	c2a201b085	Increase fail2ban ban time on each attempt Some checks failed CI / build:all (push) Has been cancelled Details CI / build:cross (push) Has been cancelled Details CI / build:all (pull_request) Successful in 1h38m5s Details CI / build:cross (pull_request) Successful in 1h38m3s Details Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-01-07 13:14:34 +01:00
Rodrigo Arias Mallo	f921f0a4bd	Disable password login via SSH in apex Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-01-07 13:14:30 +01:00
Rodrigo Arias Mallo	aa16bfc0bc	Enable fail2ban in apex login node We are seeing a lot of failed attempts from the same IPs: apex% sudo journalctl -u sshd -b0 \| grep 'Failed password' \| wc -l 2441 Reviewed-by: Aleix Boné <abonerib@bsc.es>	2026-01-07 13:14:22 +01:00