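# An SSH server, using 'mosh'
#
# Enabling `my.services.ssh-server` turns on the OpenSSH daemon with password
# authentication disabled, enables mosh, makes sudo passwordless for the wheel
# group, and registers a Loki alert rule on sshd log lines.
{ config, lib, ... }:
let
  cfg = config.my.services.ssh-server;
in
{
  options.my.services.ssh-server = {
    enable = lib.mkEnableOption "SSH Server using 'mosh'";
  };

  config = lib.mkIf cfg.enable {
    services.openssh = {
      # Enable the OpenSSH daemon.
      enable = true;
      # Be more secure: refuse password logins, so remote access depends on
      # the other authentication methods sshd still offers.
      # NOTE(review): keyboard-interactive authentication is a separate option
      # (settings.KbdInteractiveAuthentication) and is not set here; confirm it
      # is disabled if PAM password prompts over SSH must be impossible.
      settings.PasswordAuthentication = false;
    };

    # Opens the relevant UDP ports.
    programs.mosh.enable = true;

    # WARNING: if you remove this, then you need to assign a password to your user, otherwise
    # `sudo` won't work. You can do that either by using `passwd` after the first rebuild or
    # by setting a hashed password in the `users.users.felix` block as `initialHashedPassword`.
    # additionally needed for deployment
    #
    # Security trade-off: with this set, any session running as a wheel member
    # can become root without a further prompt, so the SSH credentials of
    # those accounts should be protected like root credentials.
    security.sudo.wheelNeedsPassword = false;

    my.services.loki.rules = {
      sshd_closed = {
        # Fires when more than 25 log lines from the sshd.service unit match
        # the pattern below within a 15 minute window. The query counts log
        # lines, not distinct users or source addresses.
        # NOTE(review): sshd appears to use a different phrase ("invalid user")
        # for attempts against accounts that do not exist, which this pattern
        # would not match - confirm whether those should be counted as well.
        condition = ''count_over_time({unit="sshd.service"} |~ "Connection closed by authenticating user" [15m]) > 25'';
        # Reworded from "More then 25 users have tried logging in ...": fixes
        # the typo and describes what the condition actually measures.
        description = "More than 25 SSH connections were closed during authentication in the last 15 min";
      };
    };
  };
}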