blob: a41f0d672a5196368b8c82bba260126f4159b478 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
{
config,
lib,
pkgs,
...
}:
let
cfg = config.nixfiles.modules.openssh;
in
{
options.nixfiles.modules.openssh = {
client.enable = lib.mkEnableOption "OpenSSH client";
server = {
enable = lib.mkEnableOption "OpenSSH server";
port = lib.mkOption {
description = "OpenSSH server port.";
type = lib.types.port;
default = 22022; # Port 22 should be occupied by a tarpit.
};
};
};
config = lib.mkMerge [
(lib.mkIf cfg.client.enable {
hm = {
home.packages = with pkgs; [
mosh
sshfs
sshpass
];
programs.ssh = {
enable = true;
hashKnownHosts = true;
controlMaster = "auto";
controlPersist = "24H";
serverAliveCountMax = 30;
serverAliveInterval = 60;
matchBlocks =
let
mkBlock =
name:
{
hostname ? name,
port ? 22022, # NOTE This is not the default OpenSSH port.
user ? lib.my.username,
identityFile ? "${config.my.home}/.ssh/${lib.my.username}_${lib.my.ssh.type}",
extraAttrs ? { },
}:
lib.nameValuePair name (
{
inherit
hostname
port
user
identityFile
;
}
// extraAttrs
);
internalServers = lib.mapAttrs' mkBlock (
lib.mapAttrs (name: _: { hostname = "${name}.${lib.my.domain.shire}"; }) (
lib.filterAttrs (_: attr: lib.hasAttr "wireguard" attr && attr.isHeadless) lib.my.configurations
)
);
in
internalServers
// (lib.mapAttrs' mkBlock {
gitolite = {
user = "git";
hostname = "git.${lib.my.domain.shire}";
};
});
};
};
})
(lib.mkIf cfg.server.enable {
ark.files = [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
programs.mosh.enable = true;
services = {
openssh = {
enable = true;
ports = [ cfg.server.port ];
settings = {
ClientAliveCountMax = 3;
ClientAliveInterval = 60;
KbdInteractiveAuthentication = false;
MaxAuthTries = 3;
PasswordAuthentication = false;
PermitRootLogin = lib.mkForce "no";
};
};
fail2ban.jails.sshd = {
enabled = true;
settings = {
mode = "aggressive";
inherit (cfg.server) port;
};
};
};
})
];
}
|
