authorFreya Murphy <freya@freyacat.org>2025-06-23 22:33:44 -0400
committerFreya Murphy <freya@freyacat.org>2025-06-23 22:33:44 -0400
commit328c741b1aac74020412e99e0dca7c728dbc92fa (patch)
tree461f4ebcd3252d542749a34668defd62de356c73 /system/sshd.nix
parentremoved unused packages (diff)
downloaddotfiles-nix-328c741b1aac74020412e99e0dca7c728dbc92fa.tar.gz
dotfiles-nix-328c741b1aac74020412e99e0dca7c728dbc92fa.tar.bz2
dotfiles-nix-328c741b1aac74020412e99e0dca7c728dbc92fa.zip
refactor
Diffstat (limited to 'system/sshd.nix')
-rw-r--r--system/sshd.nix33
1 files changed, 33 insertions, 0 deletions
diff --git a/system/sshd.nix b/system/sshd.nix
new file mode 100644
index 0000000..0e0f1a2
--- /dev/null
+++ b/system/sshd.nix
@@ -0,0 +1,33 @@
+{config, ...}: {
+ # sshd
+ services.openssh = {
+ enable = true;
+ ports = [22];
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ UseDns = true;
+ X11Forwarding = false;
+ PermitRootLogin = "no";
+ };
+ };
+
+ # allow ssh port
+ networking.firewall.allowedTCPPorts = [22];
+
+ # ban evil
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ # freyanet
+ "10.0.0.0/14"
+ ];
+ };
+
+ # add authorized keys
+ users.users.${config.user} = {
+ openssh.authorizedKeys.keyFiles = [
+ ../files/keys/ssh.pub
+ ];
+ };
+}
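Review bot: `UseDns = true` in the `settings` block makes sshd do a reverse lookup on every connecting address, which ties logins to resolver availability and to PTR records controlled by the client's network. Nothing visible in this file (no `Match Host` rule, no `from=` restriction) appears to need it, so either drop the line or add a comment such as `# UseDns: required for <reason>`. The fail2ban `ignoreIP` entry `"10.0.0.0/14"` exempts every address from 10.0.0.0 through 10.3.255.255 from bans; the `# freyanet` comment should say that the whole range is trusted, so a later reader can tell whether that still holds. The port is also written twice as a literal, and `networking.firewall.allowedTCPPorts = config.services.openssh.ports;` would keep the firewall rule in step with the daemon.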