author | azahi <azat@bahawi.net> | 2025-03-12 20:17:13 +0300 |
committer | azahi <azat@bahawi.net> | 2025-03-12 20:17:13 +0300 |
commit | c81dc5a13b469c511fac6fa2390b70422d1b4da5 (patch) | |
tree | 4dab5909006ab5c25da6bd9fde6a714c7719ded7 /modules/openssh.nix | |
parent | 2025-02-17 (diff) |
Diffstat (limited to 'modules/openssh.nix')
-rw-r--r-- | modules/openssh.nix | 80 |
1 files changed, 37 insertions, 43 deletions
diff --git a/modules/openssh.nix b/modules/openssh.nix
index d850322..12cb1fe 100644
--- a/modules/openssh.nix
+++ b/modules/openssh.nix
@@ -1,5 +1,6 @@
 {
   config,
+  options,
   lib,
   pkgs,
   ...
@@ -10,13 +11,14 @@ in
 {
   options.nixfiles.modules.openssh = {
     client.enable = lib.mkEnableOption "OpenSSH client";
+
     server = {
       enable = lib.mkEnableOption "OpenSSH server";
-      port = lib.mkOption {
-        description = "OpenSSH server port.";
-        type = lib.types.port;
-        default = 22022; # Port 22 should be occupied by a tarpit.
+      ports = lib.mkOption {
+        description = "Ports.";
+        inherit (options.services.openssh.ports) type;
+        default = [ 22022 ]; # Port 22 should be occupied by a tarpit by default.
       };
     };
   };
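Review bot: The new `ports` option in the second hunk is documented only as `description = "Ports.";`, which says less than the old "OpenSSH server port." and leaves the reason for the non-standard default to a trailing code comment that never reaches the generated option docs. Suggest `description = "Ports the OpenSSH server listens on; port 22 is left free for a tarpit by default.";` so the intent survives in the rendered documentation. Inheriting the type from `options.services.openssh.ports` is a good choice since it keeps the two options in lockstep.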
@@ -36,48 +38,46 @@ in
           hashKnownHosts = true;
           controlMaster = "auto";
-          controlPersist = "24H";
-          controlPath = "~/.ssh/control/%r@%n:%p"; # The directory must exist.
+          controlPersist = "15m";
+          controlPath = "${config.my.home}/.ssh/S.%r@%n:%p";
           serverAliveCountMax = 30;
           serverAliveInterval = 60;
           matchBlocks =
             let
-              mkBlock =
-                name:
-                {
-                  hostname ? name,
-                  port ? 22022, # NOTE This is not the default OpenSSH port.
-                  user ? lib.my.username,
-                  identityFile ? "${config.my.home}/.ssh/${lib.my.username}_${lib.my.ssh.type}",
-                  extraAttrs ? { },
-                }:
-                lib.nameValuePair name (
-                  {
-                    inherit
-                      hostname
-                      port
-                      user
-                      identityFile
-                      ;
+              internalServers =
+                lib.my.configurations
+                |> lib.filterAttrs (_: attr: lib.hasAttr "wireguard" attr)
+                |> lib.mapAttrs (
+                  name: _: {
+                    hostname = "${name}.${lib.my.domain.shire}";
                   }
-                  // extraAttrs
                 );
-
-              internalServers = lib.mapAttrs' mkBlock (
-                lib.mapAttrs (name: _: { hostname = "${name}.${lib.my.domain.shire}"; }) (
-                  lib.filterAttrs (_: attr: lib.hasAttr "wireguard" attr && attr.isHeadless) lib.my.configurations
-                )
-              );
             in
-            internalServers
-            // (lib.mapAttrs' mkBlock {
+            {
               gitolite = {
                 user = "git";
                 hostname = "git.${lib.my.domain.shire}";
               };
-            });
+            }
+            |> lib.recursiveUpdate internalServers
+            |> lib.mapAttrs' (
+              name:
+              {
+                hostname ? name,
+                port ? 22022,
+                user ? lib.my.username,
+              }:
+              lib.nameValuePair name {
+                inherit
+                  hostname
+                  port
+                  user
+                  ;
+                forwardAgent = true;
+              }
+            );
         };
       };
     })
@@ -94,23 +94,17 @@ in
     services = {
       openssh = {
         enable = true;
-        ports = [ cfg.server.port ];
+        inherit (cfg.server) ports;
         settings = {
-          ClientAliveCountMax = 3;
-          ClientAliveInterval = 60;
-          KbdInteractiveAuthentication = false;
-          MaxAuthTries = 3;
           PasswordAuthentication = false;
-          PermitRootLogin = lib.mkForce "no";
+          PermitRootLogin = "no";
+          StreamLocalBindUnlink = true;
         };
       };
       fail2ban.jails.sshd = {
         enabled = true;
-        settings = {
-          mode = "aggressive";
-          inherit (cfg.server) port;
-        };
+        settings.mode = "aggressive";
       };
     };
     }) |
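Review bot: `forwardAgent = true;` inside the new `lib.mapAttrs'` lambda switches agent forwarding on for every generated match block — each WireGuard host and gitolite alike — where the old mkBlock never set it, so any of those hosts can use the local agent's keys for as long as a session (and the 15m ControlPersist master) stays open, and git.* has no need for an agent at all. Make it opt-in per host instead: add `forwardAgent ? false,` to the destructured parameters and replace the literal with `inherit forwardAgent;`, letting entries that really need it set it explicitly. The `|>` pipe operator only evaluates with the `pipe-operators` experimental feature enabled, so a short comment or an assertion on the Nix version would save the next reader a confusing parse error. Dropping the `attr.isHeadless` filter also means non-headless WireGuard machines now get entries, which looks intentional but is not mentioned anywhere. The enclosing programs.ssh block starts before this hunk.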
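Review bot: Removing `KbdInteractiveAuthentication = false;` from services.openssh.settings in the last hunk is not a no-op: the NixOS openssh module defaults that setting to true and runs sshd with PAM, so `PasswordAuthentication = false` on its own still leaves a password prompt reachable through keyboard-interactive; keep `KbdInteractiveAuthentication = false;` unless PAM-driven logins are wanted. Dropping `inherit (cfg.server) port;` from the fail2ban jail presumably lets the jail fall back to its stock `port = ssh`, i.e. 22, so with a port-scoped ban action the bans would no longer cover 22022 — set `port = lib.concatMapStringsSep "," toString cfg.server.ports;` in `settings` to keep the jail aligned with the new list. The silent reverts of `MaxAuthTries` (to sshd's default of 6) and of the `lib.mkForce` on `PermitRootLogin` deserve at least a line in the commit message if they are deliberate.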