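{ config, options, lib, pkgs, ... }:
# OpenSSH client/server module. The client half configures the user's ssh
# client (through the `hm` home-manager attribute) and installs mosh, sshfs and
# sshpass; the server half enables sshd on the configured ports with key-only
# authentication and a fail2ban jail.
let
  cfg = config.nixfiles.modules.openssh;
in
{
  options.nixfiles.modules.openssh = {
    client.enable = lib.mkEnableOption "OpenSSH client";

    server = {
      enable = lib.mkEnableOption "OpenSSH server";

      ports = lib.mkOption {
        description = "Ports.";
        # Reuse the upstream option type so values are validated the same way
        # as `services.openssh.ports`.
        inherit (options.services.openssh.ports) type;
        default = [ 22022 ]; # Port 22 should be occupied by a tarpit by default.
      };
    };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.client.enable {
      hm = {
        home.packages = with pkgs; [
          mosh
          sshfs
          sshpass
        ];

        programs.ssh = {
          enable = true;
          # Hash host names in known_hosts so the file does not enumerate
          # every host this client has talked to.
          hashKnownHosts = true;

          # Multiplex sessions over one control socket per remote-user@host:port.
          controlMaster = "auto";
          controlPersist = "15m";
          controlPath = "${config.my.home}/.ssh/S.%r@%n:%p";

          serverAliveCountMax = 30;
          serverAliveInterval = 60;

          matchBlocks =
            let
              # Every configuration carrying a `wireguard` attribute gets a
              # match block pointing at `<name>.<shire domain>`.
              internalServers =
                lib.my.configurations
                |> lib.filterAttrs (_: attr: lib.hasAttr "wireguard" attr)
                |> lib.mapAttrs (name: _: { hostname = "${name}.${lib.my.domain.shire}"; });
            in
            {
              gitolite = {
                user = "git";
                hostname = "git.${lib.my.domain.shire}";
              };
            }
            |> lib.recursiveUpdate internalServers
            |> lib.mapAttrs' (
              name:
              {
                hostname ? name,
                port ? 22022,
                user ? lib.my.username,
              }:
              lib.nameValuePair name {
                inherit hostname port user;
                # NOTE(review): agent forwarding is enabled for every block,
                # including the gitolite host; while a session is open, root on
                # that remote host can use the forwarded agent. Consider limiting
                # this to the hosts that actually need it.
                forwardAgent = true;
              }
            );
        };
      };
    })

    (lib.mkIf cfg.server.enable {
      # Host key files handed to `ark` — presumably so the server identity is
      # preserved across rebuilds; confirm against the ark module.
      ark.files = [
        "/etc/ssh/ssh_host_ed25519_key"
        "/etc/ssh/ssh_host_ed25519_key.pub"
        "/etc/ssh/ssh_host_rsa_key"
        "/etc/ssh/ssh_host_rsa_key.pub"
      ];

      programs.mosh.enable = true;

      services = {
        openssh = {
          enable = true;
          inherit (cfg.server) ports;
          settings = {
            PasswordAuthentication = false;
            # PasswordAuthentication alone does not stop password logins: with
            # PAM in use, sshd can still prompt for a password through the
            # keyboard-interactive method, which NixOS leaves enabled by default.
            # Disable both so only key-based authentication remains.
            KbdInteractiveAuthentication = false;
            PermitRootLogin = "no";
            StreamLocalBindUnlink = true;
          };
        };

        fail2ban.jails.sshd = {
          enabled = true;
          settings.mode = "aggressive";
        };
      };
    })
  ];
}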