authorAlejandro Soto <alejandro@34project.org>2025-04-30 08:22:27 -0600
committerAlejandro Soto <alejandro@34project.org>2025-04-30 08:23:26 -0600
commit4644a1803f30580c677f3c531bbbe96ef5206e81 (patch)
treef37b33e71d6d3c3638e92a8a7e2f8f6115e14f34 /sys/auth/openssh.nix
parentbd48c60838871dcf17899aa1f341914880104b6e (diff)
sys/auth/openssh: add PerSourcePenaltyExemptList
Diffstat (limited to 'sys/auth/openssh.nix')
-rw-r--r--sys/auth/openssh.nix8
1 files changed, 6 insertions, 2 deletions
diff --git a/sys/auth/openssh.nix b/sys/auth/openssh.nix
index 7ae9079..3e37c06 100644
--- a/sys/auth/openssh.nix
+++ b/sys/auth/openssh.nix
@@ -6,6 +6,8 @@ with lib; let
port = if cfg.shiftPortNumber then 2234 else 22;
restrict = cfg.restrictListen;
+
+ exemptList = config.services.fail2ban.ignoreIP;
in
{
options.local.auth.openssh = {
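Review bot: `exemptList = config.services.fail2ban.ignoreIP;` reuses fail2ban's ignore list as sshd's `PerSourcePenaltyExemptList` without documenting the coupling, and the two options do not accept the same syntax: fail2ban's ignoreIP may hold DNS names, while sshd's exempt list (OpenSSH 9.8 and later) is matched as addresses, wildcards and CIDR masks, so a hostname entry here would presumably make sshd refuse its configuration. The binding also holds when fail2ban is disabled, and nothing guards the empty case, which in the second hunk would emit the directive with no argument; `concatStringsSep "," [ ]` is an empty string. I would add `# Mirrors fail2ban's ignoreIP; sshd only understands address/CIDR entries, and any range listed here also escapes sshd's own per-source throttling` above the binding and, in the second hunk, wrap the directive as `optionalString (exemptList != [ ]) "PerSourcePenaltyExemptList ${concatStringsSep "," exemptList}\n"`.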
@@ -100,9 +102,11 @@ in
enable = true;
ports = optional (restrict != null -> restrict.addresses != [ ]) port;
- startWhenNeeded = !config.services.fail2ban.enable;
+ startWhenNeeded = mkDefault (!config.services.fail2ban.enable);
- extraConfig = optionalString cfg.tunnel.enable ''
+ extraConfig = ''
+ PerSourcePenaltyExemptList ${concatStringsSep "," exemptList}
+ '' + optionalString cfg.tunnel.enable ''
# User 'tunnel' has no password. Use PAM OATH
# and connect with -N, forward with -R.
Match User tunnel