feat: extract some config into modules

2026-02-21 03:16:16 +01:00
parent 507a138cde
commit 2c0a4229b9
3 changed files with 102 additions and 0 deletions
--- a/modules/nixos/openssh.nix
+++ b/modules/nixos/openssh.nix
@@ -0,0 +1,30 @@
+{
+  lib,
+  config,
+  ...
+}:
+{
+  options = {
+    openssh = {
+      enable = lib.mkEnableOption "hardened SSH server";
+      port = lib.mkOption {
+        type = lib.types.port;
+        default = 22;
+        description = "SSH server port";
+      };
+    };
+  };
+
+  config = lib.mkIf config.openssh.enable {
+    services.openssh = {
+      enable = true;
+      ports = [ config.openssh.port ];
+      settings = {
+        PasswordAuthentication = false;
+        AllowUsers = null;
+        PermitRootLogin = "no";
+        StreamLocalBindUnlink = "yes";
+      };
+    };
+  };
+}