diff options
author | Azat Bahawi <azat@bahawi.net> | 2024-04-21 02:15:42 +0300 |
---|---|---|
committer | Azat Bahawi <azat@bahawi.net> | 2024-04-21 02:15:42 +0300 |
commit | e6ed60548397627bf10f561f9438201dbba0a36e (patch) | |
tree | f9a84c5957d2cc4fcd148065ee9365a0c851ae1c /modules/openssh.nix | |
parent | 2024-04-18 (diff) |
2024-04-21
Diffstat (limited to '')
-rw-r--r-- | modules/openssh.nix | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/modules/openssh.nix b/modules/openssh.nix new file mode 100644 index 0000000..5504521 --- /dev/null +++ b/modules/openssh.nix @@ -0,0 +1,119 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; +let + cfg = config.nixfiles.modules.openssh; +in +{ + options.nixfiles.modules.openssh = { + client.enable = mkEnableOption "OpenSSH client"; + server = { + enable = mkEnableOption "OpenSSH server"; + + port = mkOption { + description = "OpenSSH server port."; + type = types.port; + default = 22022; # Port 22 should be occupied by a tarpit. + }; + }; + }; + + config = mkMerge [ + (mkIf cfg.client.enable { + hm = { + home.packages = with pkgs; [ + mosh + sshfs + sshpass + ]; + + programs.ssh = { + enable = true; + + hashKnownHosts = true; + + controlMaster = "auto"; + controlPersist = "24H"; + + serverAliveCountMax = 30; + serverAliveInterval = 60; + + matchBlocks = + let + mkBlock = + name: + { + hostname ? name, + port ? 22022, # NOTE This is not the default OpenSSH port. + user ? my.username, + identityFile ? "${config.my.home}/.ssh/${my.username}_${my.ssh.type}", + extraAttrs ? { }, + }: + nameValuePair name ( + { + inherit + hostname + port + user + identityFile + ; + } + // extraAttrs + ); + + internalServers = mapAttrs' mkBlock ( + mapAttrs (name: _: { hostname = "${name}.${my.domain.shire}"; }) ( + filterAttrs (_: attr: hasAttr "wireguard" attr && attr.isHeadless) my.configurations + ) + ); + in + internalServers + // (mapAttrs' mkBlock { + gitolite = { + user = "git"; + hostname = "git.${my.domain.shire}"; + }; + }); + }; + }; + }) + (mkIf cfg.server.enable { + ark.files = [ + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_rsa_key.pub" + ]; + + programs.mosh.enable = true; + + services = { + openssh = { + enable = true; + ports = [ cfg.server.port ]; + settings = { + ClientAliveCountMax = 3; + ClientAliveInterval = 60; + KbdInteractiveAuthentication = false; + LogLevel = if config.nixfiles.modules.fail2ban.enable then "VERBOSE" else "ERROR"; + MaxAuthTries = 3; + PasswordAuthentication = false; + PermitRootLogin = mkForce "no"; + }; + }; + + fail2ban.jails.sshd = { + enabled = true; + settings = { + mode = "aggressive"; + inherit (cfg.server) port; + }; + }; + }; + }) + ]; +} |