| author | Alejandro Soto <alejandro@34project.org> | 2025-04-30 08:22:27 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2025-04-30 08:23:26 -0600 |
| commit | 4644a1803f30580c677f3c531bbbe96ef5206e81 (patch) | |
| tree | f37b33e71d6d3c3638e92a8a7e2f8f6115e14f34 | |
| parent | bd48c60838871dcf17899aa1f341914880104b6e (diff) | |
sys/auth/openssh: add PerSourcePenaltyExemptList
| -rw-r--r-- | sys/auth/openssh.nix | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/sys/auth/openssh.nix b/sys/auth/openssh.nix
index 7ae9079..3e37c06 100644
--- a/sys/auth/openssh.nix
+++ b/sys/auth/openssh.nix
@@ -6,6 +6,8 @@ with lib;
 let
   port = if cfg.shiftPortNumber then 2234 else 22;
   restrict = cfg.restrictListen;
+
+  exemptList = config.services.fail2ban.ignoreIP;
 in
 {
   options.local.auth.openssh = {
@@ -100,9 +102,11 @@ in
       enable = true;
       ports = optional (restrict != null -> restrict.addresses != [ ]) port;
-      startWhenNeeded = !config.services.fail2ban.enable;
+      startWhenNeeded = mkDefault (!config.services.fail2ban.enable);
-      extraConfig = optionalString cfg.tunnel.enable ''
+      extraConfig = ''
+        PerSourcePenaltyExemptList ${concatStringsSep "," exemptList}
+      '' + optionalString cfg.tunnel.enable ''
         # User 'tunnel' has no password. Use PAM OATH
         # and connect with -N, forward with -R.
         Match User tunnel |
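Review bot: The new `PerSourcePenaltyExemptList` line in the second hunk is emitted unconditionally, so when `config.services.fail2ban.ignoreIP` is empty (which appears to be possible, since nothing in the hunk requires fail2ban to be enabled or the list to be non-empty) sshd gets the keyword with no argument, which I expect sshd to reject as a missing argument and refuse to start. Guarding the fragment the same way the tunnel block already is would avoid that: `extraConfig = optionalString (exemptList != [ ]) ''` / `  PerSourcePenaltyExemptList ${concatStringsSep "," exemptList}` / `'' + optionalString cfg.tunnel.enable ''`. Two further caveats worth a comment next to `exemptList`: the keyword only exists in OpenSSH releases that have per-source penalties, and an older sshd will fail on it as an unknown option; and sshd accepts only address/CIDR entries here, whereas fail2ban's ignoreIP may hold hostnames, so the two lists are not guaranteed to share a format. The `services.openssh` attribute set that both changed lines belong to starts and ends outside the hunk.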
