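{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.nixfiles.modules.openssh;
in
{
  options.nixfiles.modules.openssh = {
    client.enable = mkEnableOption "OpenSSH client";
    server.enable = mkEnableOption "OpenSSH server";
  };

  config =
    let
      # Non-standard port used both by the server and by the client's
      # matchBlocks for internal hosts.
      # Port 22 should be occupied by endlessh.
      port = 22022;
    in
    mkMerge [
      # Client side: home-manager ssh config plus mosh/sshfs.
      (mkIf cfg.client.enable {
        hm = {
          home.packages = with pkgs; [ mosh sshfs ];

          programs.ssh = {
            enable = true;
            # Hash host names in known_hosts so a leaked file does not
            # enumerate the hosts this client talks to.
            hashKnownHosts = true;
            controlMaster = "auto";
            controlPersist = "24H";
            serverAliveCountMax = 30;
            serverAliveInterval = 60;

            matchBlocks =
              let
                # Build one ssh_config Host block as a name/value pair.
                # Every field defaults to the conventional value so callers
                # only override what differs; extraAttrs is merged last.
                # NOTE(review): `my` (username, domain.shire, configurations)
                # is not bound in this file; presumably provided via lib or
                # the module args — confirm.
                mkBlock =
                  name:
                  { hostname ? name
                  , port ? 22
                  , user ? my.username
                  , identityFile ? "${config.my.home}/.ssh/id_ed25519"
                  , extraAttrs ? { }
                  }:
                  nameValuePair name ({ inherit hostname port user identityFile; } // extraAttrs);

                # Every headless configuration that has a "wireguard" attr,
                # addressed as <name>.<shire domain> on the port above.
                internalServers = mapAttrs' mkBlock (mapAttrs
                  (name: _: {
                    hostname = "${name}.${my.domain.shire}";
                    inherit port;
                  })
                  (filterAttrs (_: attr: hasAttr "wireguard" attr && attr.isHeadless) my.configurations));
              in
              internalServers // (mapAttrs' mkBlock {
                gitolite = {
                  user = "git";
                  hostname = "git.${my.domain.shire}";
                  inherit port;
                };
              });
          };
        };
      })

      # Server side: hardened sshd plus a fail2ban jail on the same port.
      (mkIf cfg.server.enable {
        programs.mosh.enable = true;

        services = {
          openssh = {
            enable = true;
            ports = [ port ];
            logLevel = "VERBOSE"; # Required by fail2ban.
            permitRootLogin = "no";
            passwordAuthentication = false;
            # PasswordAuthentication=no on its own does not stop password
            # logins: NixOS enables keyboard-interactive (PAM) auth by
            # default, which still prompts for a password. Disable it so
            # only key-based logins are accepted.
            # NOTE(review): older NixOS releases spell this option
            # challengeResponseAuthentication; newer ones also accept it
            # under services.openssh.settings — check the target release.
            kbdInteractiveAuthentication = false;
          };

          # Jail must watch the non-standard port, not fail2ban's default 22.
          # "aggressive" combines the normal and ddos filter modes.
          fail2ban.jails.sshd = ''
            enabled = true
            mode = aggressive
            port = ${toString port}
          '';
        };
      })
    ];
}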