authorFreya Murphy <freya@freyacat.org>2025-06-22 15:35:40 -0400
committerFreya Murphy <freya@freyacat.org>2025-06-22 15:35:40 -0400
commitebacb741a7f834bbd48c94b655136bd8f284ffd8 (patch)
tree2c42b9f9bc2dbb4ee2920bfdb2a3c0019ebb0b55 /programs
parentadd 10 bit color depth to shinji (diff)
add sshd
Diffstat (limited to 'programs')
-rw-r--r--programs/ssh/default.nix33
1 files changed, 33 insertions, 0 deletions
diff --git a/programs/ssh/default.nix b/programs/ssh/default.nix
index 4c9b418..b6ecb1d 100644
--- a/programs/ssh/default.nix
+++ b/programs/ssh/default.nix
@@ -3,10 +3,43 @@
lib,
...
}: {
+ # ssh config
home-manager.users.${config.user} = {
programs.ssh = {
enable = true;
extraConfig = lib.fileContents ./config;
};
};
+
+ # sshd
+ services.openssh = {
+ enable = true;
+ ports = [22];
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ UseDns = true;
+ X11Forwarding = false;
+ PermitRootLogin = "no";
+ };
+ };
+
+ # allow ssh port
+ networking.firewall.allowedTCPPorts = [22];
+
+ # ban evil
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ # freyanet
+ "10.0.0.0/14"
+ ];
+ };
+
+ # add authorized keys
+ users.users.${config.user} = {
+ openssh.authorizedKeys.keyFiles = [
+ ../../files/keys/ssh.pub
+ ];
+ };
}
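Review bot: `UseDns = true` in the `settings` block flips the OpenSSH/NixOS default (`no`) and makes sshd do a reverse-then-forward DNS lookup on every incoming connection, which only pays off when `from=` hostname patterns or host-based authentication are in use — nothing in this hunk does either — and otherwise just stalls logins whenever DNS is slow or unreachable; drop it or add a comment stating what relies on it. Since the only authorized key is installed for `${config.user}`, limiting logins to that account with `AllowUsers = [config.user];` alongside `PermitRootLogin = "no"` would cheaply close off every other local account. `networking.firewall.allowedTCPPorts = [22]` appears to duplicate what `services.openssh.openFirewall` (default `true`) already opens for `ports`, so one of the two can probably go. The fail2ban `ignoreIP` entry `10.0.0.0/14` exempts 10.0.0.0–10.3.255.255 from banning; if that range is intended, say so in the comment (`# freyanet (10.0.0.0–10.3.255.255, never banned)`) so a later reader does not read it as a typo for /24. The enclosing attribute set opens above the hunk (the `config,` line of the function header is not shown).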