Diffstat (limited to 'system')
-rw-r--r--system/default.nix69
-rw-r--r--system/hardware.nix9
-rw-r--r--system/sshd.nix33
3 files changed, 48 insertions, 63 deletions
diff --git a/system/default.nix b/system/default.nix
index a026eb1..4695ea6 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -4,6 +4,11 @@
pkgs,
...
}: {
+ imports = [
+ ./hardware.nix
+ ./sshd.nix
+ ];
+
# allow flakes
nix.settings.experimental-features = ["nix-command" "flakes"];
@@ -121,15 +126,11 @@
openFirewall = true;
};
- # docker
- virtualisation.docker.enable = true;
- virtualisation.docker.storageDriver = "btrfs";
-
# create user account
users.users.${config.user} = {
isNormalUser = true;
description = config.fullName;
- extraGroups = ["networkmanager" "wheel" "sys" "video" "audio" "docker" "libvirtd"];
+ extraGroups = ["networkmanager" "wheel" "sys" "video" "audio"];
home = config.homePath;
shell = pkgs.zsh;
};
@@ -139,62 +140,4 @@
../files/certs/freyanet.crt
../files/certs/tinternet.crt
];
-
- # mime
- environment.pathsToLink = [
- "/share/mime"
- ];
-
- # fonts
- fonts.packages =
- (with pkgs; [
- corefonts
- dejavu_fonts
- fira-code
- fira-code-symbols
- jetbrains-mono
- material-icons
- nerd-fonts.fira-code
- noto-fonts
- noto-fonts-cjk-sans
- noto-fonts-emoji
- twemoji-color-font
- vistafonts
- ])
- ++ (with inputs.apple-fonts.packages.${pkgs.system}; [
- sf-pro
- sf-mono
- sf-compact
- ]);
-
- fonts.fontconfig = {
- enable = true;
- defaultFonts = {
- serif = [
- "Twemoji"
- "DejaVu Serif"
- ];
- sansSerif = [
- "Twemoji"
- "DejaVu Sans"
- ];
- monospace = [
- "Fira Code"
- "FiraCode Nerd Font Mono"
- "Font Awesome 6 Pro Regular"
- "Twemoji"
- "DejaVu Sans Mono"
- ];
- emoji = [
- "Twemoji"
- "Noto Color Emoji"
- ];
- };
- };
-
- # vms
- programs.virt-manager.enable = true;
- users.groups.libvirtd.members = [config.user];
- virtualisation.libvirtd.enable = true;
- virtualisation.spiceUSBRedirection.enable = true;
}
diff --git a/system/hardware.nix b/system/hardware.nix
new file mode 100644
index 0000000..853a6cc
--- /dev/null
+++ b/system/hardware.nix
@@ -0,0 +1,9 @@
+{pkgs, ...}: {
+ # yubikey support
+ services = {
+ pcscd.enable = true;
+ udev.packages = with pkgs; [
+ yubikey-personalization
+ ];
+ };
+}
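Review bot: The header comment `# yubikey support` does not say which YubiKey interfaces this actually enables: `pcscd` serves the smart-card (CCID) side, i.e. the PIV and OpenPGP applets, while the `yubikey-personalization` udev rules cover the raw HID access the ykpers configuration tooling needs. FIDO2/U2F use from an unprivileged user relies on separate udev rules (the libfido2 package ships a set in nixpkgs, if I remember correctly — worth verifying), and nothing in this file adds them, so a reader who expects WebAuthn to work from this change alone may be surprised. Suggest making the comment explicit, e.g. `# yubikey: pcscd for PIV/OpenPGP (CCID); ykpers udev rules for HID access — FIDO2 udev rules are NOT included here`.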
diff --git a/system/sshd.nix b/system/sshd.nix
new file mode 100644
index 0000000..0e0f1a2
--- /dev/null
+++ b/system/sshd.nix
@@ -0,0 +1,33 @@
+{config, ...}: {
+ # sshd
+ services.openssh = {
+ enable = true;
+ ports = [22];
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ UseDns = true;
+ X11Forwarding = false;
+ PermitRootLogin = "no";
+ };
+ };
+
+ # allow ssh port
+ networking.firewall.allowedTCPPorts = [22];
+
+ # ban evil
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ # freyanet
+ "10.0.0.0/14"
+ ];
+ };
+
+ # add authorized keys
+ users.users.${config.user} = {
+ openssh.authorizedKeys.keyFiles = [
+ ../files/keys/ssh.pub
+ ];
+ };
+}
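Review bot: `networking.firewall.allowedTCPPorts = [22];` duplicates the port already declared in `services.openssh.ports`, so changing one without the other silently leaves the wrong port open or blocked; the NixOS openssh module's `openFirewall` option (default true, if I read the module correctly) already opens whatever `ports` lists, so the separate firewall line can be dropped or replaced by an explicit `openFirewall = true;` inside the `services.openssh` block to keep a single source of truth. `UseDns = true;` makes sshd do a reverse-then-forward DNS lookup on every incoming connection, which adds login latency and only matters if hostname `from=` patterns are used in authorized keys — DNS is not an authentication signal, so either set `UseDns = false;` or add a comment stating why it is wanted. The fail2ban `ignoreIP` entry `10.0.0.0/14` exempts every host in that range from bans; with password and keyboard-interactive auth disabled this mostly affects log noise rather than brute-force risk, but a comment such as `# LAN hosts are never banned; key-only auth limits the exposure` would record that the trade-off is deliberate.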