nixos/hosts/bebop/ssh.nix

{ ... }:

{
  programs.ssh.startAgent = true;
  services = {
    openssh = {
      enable = true;
      openFirewall = true;
      settings = {
        PermitRootLogin = "prohibit-password";
        PasswordAuthentication = false;
        GatewayPorts = "yes";
        UseDns = true;
      };
      listenAddresses = [
        {
          addr = "0.0.0.0";
          port = 22;
        }
      ];
      banner = ''
        ___.         ___.
        \_ |__   ____\_ |__   ____ ______
         | __ \_/ __ \| __ \ /  _ \\____ \
         | \_\ \  ___/| \_\ (  <_> )  |_> >
         |___  /\___  >___  /\____/|   __/
             \/     \/    \/       |__|
      '';
    };

    fail2ban = {
      enable = true;
      maxretry = 5;
      ignoreIP = [
        "127.0.0.0/8"
        "10.0.0.0/8"
        "172.16.0.0/12"
        "192.168.0.0/16"
      ];
    };
  };
}