Diffstat (limited to 'modules/nixos/openssh.nix')
-rw-r--r--modules/nixos/openssh.nix27
1 files changed, 24 insertions, 3 deletions
diff --git a/modules/nixos/openssh.nix b/modules/nixos/openssh.nix
index 36b85f8..0cd44bd 100644
--- a/modules/nixos/openssh.nix
+++ b/modules/nixos/openssh.nix
@@ -18,15 +18,36 @@ in {
   };
 
   config = mkIf cfg.server.enable {
+    # TODO Enable on a fresh system.
+    # ark = {
+    #   files = [
+    #     "/etc/ssh/ssh_host_ed25519_key"
+    #     "/etc/ssh/ssh_host_ed25519_key.pub"
+    #     "/etc/ssh/ssh_host_rsa_key"
+    #     "/etc/ssh/ssh_host_rsa_key.pub"
+    #   ];
+    #   directories = ["/etc/ssh/authorized_keys.d"];
+    # };
+
     programs.mosh.enable = true;
 
     services = {
       openssh = {
         enable = true;
         ports = [cfg.server.port];
-        logLevel = "VERBOSE"; # Required by fail2ban.
-        permitRootLogin = mkForce "no";
-        passwordAuthentication = false;
+        settings = {
+          AllowUsers = my.username;
+          ClientAliveCountMax = 3;
+          ClientAliveInterval = 60;
+          KbdInteractiveAuthentication = false;
+          LogLevel =
+            if config.nixfiles.modules.fail2ban.enable
+            then "VERBOSE"
+            else "ERROR";
+          MaxAuthTries = 3;
+          PasswordAuthentication = false;
+          PermitRootLogin = "no";
+        };
       };
 
       fail2ban.jails.sshd = ''
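Review bot: The `else "ERROR"` branch of the new `LogLevel` expression drops the SSH audit trail whenever the fail2ban module is disabled, because sshd logs accepted and failed authentication attempts at INFO, not ERROR; a host without fail2ban would then have no record of who logged in or of brute-force attempts. Keeping the default level would be safer: `else "INFO"`, or simply `LogLevel = "VERBOSE";` unconditionally, since VERBOSE also records the fingerprint of the key used, which is worth having with or without fail2ban. Separately, the old `permitRootLogin = mkForce "no"` became a plain `PermitRootLogin = "no"` under `settings`; if another module also sets that key, evaluation will presumably fail on the conflicting definition rather than silently keep "no", so it may be worth restoring `mkForce` or adding a comment noting this is intentional. The enclosing `config = mkIf cfg.server.enable { … }` block and the `fail2ban.jails.sshd` string continue past the end of this hunk.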
