bebop: Enable fail2ban and move SSH config to separate host-module

fail2ban bans IP addresses from re-attempting SSH logins after 5 retries. Local
network addresses are currently always allowed.

flake.nix

@@ -96,6 +96,7 @@
             ./hosts/bebop/syncthing.nix
             ./hosts/bebop/navidrome.nix
             ./hosts/bebop/pihole.nix
+            ./hosts/bebop/ssh.nix
 
             # User-specific config : Home-manager
             home-manager.nixosModules.home-manager

hosts/bebop/configuration.nix

@@ -51,13 +51,6 @@ in
     nix-direnv
   ];
 
-  programs.ssh.startAgent = true;
-  services.openssh = {
-    enable = true;
-    permitRootLogin = "prohibit-password";
-    passwordAuthentication = false;
-  };
-
   # Make sure dumb ssh-add is run on every interactive entry
   # Make no mistake, this is a hack. But until I find better solution, it works.
   programs.fish.interactiveShellInit = ''

hosts/bebop/ssh.nix

@@ -0,0 +1,23 @@
+{ config, ... }:
+
+{
+  programs.ssh.startAgent = true;
+  services = {
+    openssh = {
+      enable = true;
+      permitRootLogin = "prohibit-password";
+      passwordAuthentication = false;
+    };
+
+    fail2ban = {
+      enable = true;
+      maxretry = 5;
+      ignoreIP = [
+        "127.0.0.0/8"
+        "10.0.0.0/8"
+        "172.16.0.0/12"
+        "192.168.0.0/16"
+      ];
+    };
+  };
+}