From a88204fbc9ddec3474186bc5a3f3c573ee787289 Mon Sep 17 00:00:00 2001
From: schererleander
Date: Tue, 3 Feb 2026 17:55:59 +0100
Subject: refactor(module): simplify modules and integrate sops-nix

---
 modules/nixos/server/openssh/default.nix | 21 ++++++--------------
 1 file changed, 6 insertions(+), 15 deletions(-)

(limited to 'modules/nixos/server/openssh/default.nix')

diff --git a/modules/nixos/server/openssh/default.nix b/modules/nixos/server/openssh/default.nix
index 675ceaf..a56460d 100644
--- a/modules/nixos/server/openssh/default.nix
+++ b/modules/nixos/server/openssh/default.nix
@@ -5,38 +5,30 @@
 }:
 let
-  inherit (lib) mkEnableOption mkOption types mkIf;
+  inherit (lib) mkEnableOption mkIf;
   cfg = config.nx.server.openssh;
 in
 {
   options.nx.server.openssh = {
     enable = mkEnableOption "OpenSSH server";
-    port = mkOption {
-      description = "Port for openssh";
-      type = types.port;
-      default = 8693;
-    };
-    allowedUsers = mkOption {
-      description = "Users allowed to SSH";
-      type = types.listOf types.str;
-      default = [ ];
-    };
   };
   config = mkIf cfg.enable {
     services.openssh = {
       enable = true;
-      ports = [ cfg.port ];
+      ports = [ 8693 ];
       settings = {
         PasswordAuthentication = false;
-        AllowUsers = cfg.allowedUsers;
+        AllowUsers = [ ];
         X11Forwarding = false;
         PermitRootLogin = "yes";
       };
     };
-    networking.firewall.allowedTCPPorts = [ cfg.port ];
+    networking.firewall.allowedTCPPorts = [ 8693 ];
     services.fail2ban = {
+      enable = true;
+      bantime = "1h";
       jails = {
         sshd = {
           enabled = true;
@@ -45,7 +37,6 @@ in
           backend = "systemd";
           maxretry = 4;
           findtime = "10m";
-          bantime = "1h";
         };
       };
     };
--
cgit v1.3.1
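Review bot: The new `AllowUsers = [ ];` in `services.openssh.settings` restricts nothing — an empty list is either rendered as an empty `AllowUsers` directive or dropped by the NixOS module (which of the two depends on the nixpkgs revision), so every local account with an authorized key can still log in, and with the unchanged `PermitRootLogin = "yes"` on the following line that includes root. Now that the `allowedUsers` option is gone there is no longer any way for a consumer to narrow this, so either pin the real list here (`AllowUsers = [ "<admin-user>" ];`, placeholder) or delete the line so the config does not suggest a restriction that is not in effect. The literal `8693` now appears twice, in `services.openssh.ports` and `networking.firewall.allowedTCPPorts`; a single `sshPort = 8693;` binding in the `let` block keeps the listener and the firewall rule from drifting apart. The `services.fail2ban` attribute set that the hunk opens continues past its end into the second hunk.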