authorAzat Bahawi <azat@bahawi.net>2023-01-30 01:48:52 +0300
committerAzat Bahawi <azat@bahawi.net>2023-01-30 01:48:52 +0300
commite8dbb049452e014fe89df34cb8f29e7c21c37666 (patch)
tree8102c252877057fc5c1d5914b36cbb167927e153 /modules/nixos/openssh.nix
parent2023-01-05 (diff)
2023-01-30
Diffstat (limited to '')
-rw-r--r--modules/nixos/openssh.nix27
1 files changed, 24 insertions, 3 deletions
diff --git a/modules/nixos/openssh.nix b/modules/nixos/openssh.nix
index 36b85f8..0cd44bd 100644
--- a/modules/nixos/openssh.nix
+++ b/modules/nixos/openssh.nix
@@ -18,15 +18,36 @@ in {
   };
 
   config = mkIf cfg.server.enable {
+    # TODO Enable on a fresh system.
+    # ark = {
+    #   files = [
+    #     "/etc/ssh/ssh_host_ed25519_key"
+    #     "/etc/ssh/ssh_host_ed25519_key.pub"
+    #     "/etc/ssh/ssh_host_rsa_key"
+    #     "/etc/ssh/ssh_host_rsa_key.pub"
+    #   ];
+    #   directories = ["/etc/ssh/authorized_keys.d"];
+    # };
+
     programs.mosh.enable = true;
 
     services = {
       openssh = {
         enable = true;
         ports = [cfg.server.port];
-        logLevel = "VERBOSE"; # Required by fail2ban.
-        permitRootLogin = mkForce "no";
-        passwordAuthentication = false;
+        settings = {
+          AllowUsers = my.username;
+          ClientAliveCountMax = 3;
+          ClientAliveInterval = 60;
+          KbdInteractiveAuthentication = false;
+          LogLevel =
+            if config.nixfiles.modules.fail2ban.enable
+            then "VERBOSE"
+            else "ERROR";
+          MaxAuthTries = 3;
+          PasswordAuthentication = false;
+          PermitRootLogin = "no";
+        };
       };
 
       fail2ban.jails.sshd = ''
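Review bot: The new `LogLevel` fallback to `"ERROR"` (when fail2ban is disabled) suppresses sshd's INFO-level records, which is where accepted and failed authentication attempts are logged, so a host without fail2ban loses its login audit trail; the daemon default `"INFO"` keeps those records without the verbosity fail2ban needs, i.e. `else "INFO";`. The old `permitRootLogin = mkForce "no"` became `PermitRootLogin = "no"` without `mkForce`, so if another module sets that key the evaluation will now conflict (or, with a priority elsewhere, yield a different value) rather than being pinned; `PermitRootLogin = mkForce "no";` preserves the original intent. `AllowUsers = my.username;` assigns a single string where the NixOS option is likely list-typed, so `AllowUsers = [my.username];` is probably required — worth confirming against the option's declared type on the nixpkgs revision in use. The `config` attribute set continues past the end of the hunk.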
