From cb3eb1f0cc8c34d79fa1e1bf7f3326e8c5d99e6b Mon Sep 17 00:00:00 2001
From: Alejandro Soto
Date: Mon, 19 May 2025 22:58:31 -0600
Subject: sys/auth/openssh: fix syntax error in sshd_config when PerSourcePenaltyExemptList is empty
---
 sys/auth/openssh.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'sys/auth')
diff --git a/sys/auth/openssh.nix b/sys/auth/openssh.nix
index 3e37c06..ca32979 100644
--- a/sys/auth/openssh.nix
+++ b/sys/auth/openssh.nix
@@ -7,7 +7,7 @@ with lib;
 let
 port = if cfg.shiftPortNumber then 2234 else 22;
 restrict = cfg.restrictListen;
- exemptList = config.services.fail2ban.ignoreIP;
+ exemptList = optionals config.local.net.fail2ban.enable config.services.fail2ban.ignoreIP;
 in
 {
 options.local.auth.openssh = {
@@ -104,7 +104,7 @@ in
 ports = optional (restrict != null -> restrict.addresses != [ ]) port;
 startWhenNeeded = mkDefault (!config.services.fail2ban.enable);
- extraConfig = ''
+ extraConfig = optionalString (exemptList != [ ]) ''
 PerSourcePenaltyExemptList ${concatStringsSep "," exemptList}
 '' + optionalString cfg.tunnel.enable ''
 # User 'tunnel' has no password. Use PAM OATH
--
cgit v1.2.3
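Review bot: The new `exemptList` binding is gated on `config.local.net.fail2ban.enable`, while `startWhenNeeded` in the second hunk's context reads `config.services.fail2ban.enable`. If those two flags can differ (the local fail2ban module is not visible here), fail2ban could ignore the `ignoreIP` sources while sshd still applies per-source penalties to them. An empty list is the safe direction for the penalty feature, but the coupling deserves a comment on the binding, for example `# sshd exempts the same sources fail2ban ignores; empty when the local fail2ban module is disabled`. Using one flag in both places would remove the ambiguity.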
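Review bot: The `PerSourcePenaltyExemptList ${concatStringsSep "," exemptList}` line still interpolates the `services.fail2ban.ignoreIP` entries unchecked. That fail2ban option also accepts DNS host names, whereas sshd expects addresses or address/masklen ranges for this directive. A host-name entry would probably yield an sshd_config that sshd rejects, which is the same failure class this commit fixes for the empty list. Consider an assertion that every entry is an address or CIDR range, or a dedicated option for the sshd exemption list. Failing the build is preferable to an sshd that does not start. The `extraConfig` string continues past the end of the hunk.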