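# NixOS module: key-only OpenSSH on a non-default port, with a fail2ban
# jail watching the same port.
#
# Hardening choices made here:
#   * password and keyboard-interactive authentication are both disabled, so
#     only public-key authentication remains;
#   * root may log in, but never with a password ("prohibit-password");
#   * TCP, agent and X11 forwarding are disabled to limit what an
#     authenticated session can pivot through.
{
  flake.modules.nixos.openssh =
    {
      lib,
      ...
    }:
    let
      # Single source of truth for the listening port: sshd, the firewall
      # rule and the fail2ban jail must all agree, otherwise the jail bans
      # the wrong port or the daemon is unreachable.
      sshPort = 8693;
    in
    {
      services.openssh = {
        enable = true;
        ports = [ sshPort ];
        settings = {
          AllowTcpForwarding = false;
          AllowAgentForwarding = false;
          PasswordAuthentication = false;
          # PasswordAuthentication = false does not cover the
          # keyboard-interactive method, which can still prompt for a
          # password through PAM. Disable it so the key-only policy holds.
          KbdInteractiveAuthentication = false;
          X11Forwarding = false;
          # Was "yes", which leaves root open to every enabled auth method.
          # "prohibit-password" keeps key-based root login working while
          # refusing password and keyboard-interactive for root.
          PermitRootLogin = "prohibit-password";
        };
      };

      # NOTE(review): services.openssh.openFirewall normally opens the
      # configured ports already; this explicit rule is kept so the port
      # stays reachable if that option is turned off elsewhere - confirm.
      networking.firewall.allowedTCPPorts = [ sshPort ];

      services.fail2ban = {
        enable = true;
        # mkDefault lets a host-specific module choose a longer ban time.
        bantime = lib.mkDefault "1h";
        jails = {
          sshd = {
            enabled = true;
            settings = {
              # Must match the sshd port above; the ban action blocks this port.
              port = sshPort;
              # Read authentication failures from the systemd journal.
              backend = "systemd";
              # Ban after 4 failures within a 10 minute window.
              maxretry = 4;
              findtime = "10m";
            };
          };
        };
      };
    };
}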