authorFreya Murphy <freya@freyacat.org>2025-06-22 15:35:40 -0400
committerFreya Murphy <freya@freyacat.org>2025-06-22 15:35:40 -0400
commitebacb741a7f834bbd48c94b655136bd8f284ffd8 (patch)
tree2c42b9f9bc2dbb4ee2920bfdb2a3c0019ebb0b55
parentadd 10 bit color depth to shinji (diff)
add sshd
Diffstat (limited to '')
-rw-r--r--files/keys/ssh.pub1
-rw-r--r--programs/ssh/default.nix33
-rw-r--r--system/default.nix2
3 files changed, 35 insertions, 1 deletions
diff --git a/files/keys/ssh.pub b/files/keys/ssh.pub
new file mode 100644
index 0000000..e2e88e8
--- /dev/null
+++ b/files/keys/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTZhIaet4Sxb9n7W/LJezqb5XmgAXWzjS907rUdeukq cardno:24_409_474
diff --git a/programs/ssh/default.nix b/programs/ssh/default.nix
index 4c9b418..b6ecb1d 100644
--- a/programs/ssh/default.nix
+++ b/programs/ssh/default.nix
@@ -3,10 +3,43 @@
lib,
...
}: {
+ # ssh config
home-manager.users.${config.user} = {
programs.ssh = {
enable = true;
extraConfig = lib.fileContents ./config;
};
};
+
+ # sshd
+ services.openssh = {
+ enable = true;
+ ports = [22];
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ UseDns = true;
+ X11Forwarding = false;
+ PermitRootLogin = "no";
+ };
+ };
+
+ # allow ssh port
+ networking.firewall.allowedTCPPorts = [22];
+
+ # ban evil
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ # freyanet
+ "10.0.0.0/14"
+ ];
+ };
+
+ # add authorized keys
+ users.users.${config.user} = {
+ openssh.authorizedKeys.keyFiles = [
+ ../../files/keys/ssh.pub
+ ];
+ };
}
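Review bot: `UseDns = true;` in the new `services.openssh.settings` is a non-default that makes sshd reverse-resolve every client address on each connection; nothing in this module relies on hostname-based `from=` patterns in the authorized key, so the setting only adds a DNS dependency and login latency, and either `UseDns = false;` or a comment stating why it is wanted would be clearer. The explicit `networking.firewall.allowedTCPPorts = [22];` duplicates what `services.openssh.openFirewall` (default true) already derives from `ports`, so it can be dropped, or kept with a comment such as `# redundant with services.openssh.openFirewall; kept explicit` so the two lists do not drift apart when `ports` changes. The fail2ban `ignoreIP` entry `10.0.0.0/14` exempts the whole internal range from banning, which is a deliberate trust decision that the `# freyanet` comment should state outright, e.g. `# freyanet: internal range, never banned`. The module attribute set this hunk extends opens before the hunk.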
diff --git a/system/default.nix b/system/default.nix
index 49aa0cd..a026eb1 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -75,7 +75,7 @@
# networking
networking.networkmanager.enable = true;
networking.networkmanager.dns = "systemd-resolved";
- networking.firewall.enable = false;
+ networking.firewall.enable = true;
services.resolved.enable = true;
# hardware