From 4644a1803f30580c677f3c531bbbe96ef5206e81 Mon Sep 17 00:00:00 2001
From: Alejandro Soto <alejandro@34project.org>
Date: Wed, 30 Apr 2025 08:22:27 -0600
Subject: sys/auth/openssh: add PerSourcePenaltyExemptList

---
 sys/auth/openssh.nix | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'sys/auth')

diff --git a/sys/auth/openssh.nix b/sys/auth/openssh.nix
index 7ae9079..3e37c06 100644
--- a/sys/auth/openssh.nix
+++ b/sys/auth/openssh.nix
@@ -6,6 +6,8 @@ with lib; let
 
   port = if cfg.shiftPortNumber then 2234 else 22;
   restrict = cfg.restrictListen;
+
+  exemptList = config.services.fail2ban.ignoreIP;
 in
 {
   options.local.auth.openssh = {
@@ -100,9 +102,11 @@ in
       enable = true;
 
       ports = optional (restrict != null -> restrict.addresses != [ ]) port;
-      startWhenNeeded = !config.services.fail2ban.enable;
+      startWhenNeeded = mkDefault (!config.services.fail2ban.enable);
 
-      extraConfig = optionalString cfg.tunnel.enable ''
+      extraConfig = ''
+        PerSourcePenaltyExemptList ${concatStringsSep "," exemptList}
+      '' + optionalString cfg.tunnel.enable ''
         # User 'tunnel' has no password. Use PAM OATH
         # and connect with -N, forward with -R.
         Match User tunnel
-- 
cgit v1.2.3