sshguard is now optional

2023-09-14 06:41:16 +03:00
parent f34af96bc4
commit 85917635fd
7 changed files with 8 additions and 4 deletions
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -16,6 +16,7 @@
    ./nsd-acme
    ./postfix
    ./snmp_exporter
+    ./sshguard
    ./syncthing
    ./zfsunlock
  ];
--- a/modules/services/sshguard/default.nix
+++ b/modules/services/sshguard/default.nix
@@ -0,0 +1,23 @@
+{
+  config,
+  lib,
+  myData,
+  ...
+}: {
+  options.mj.services.sshguard = with lib.types; {
+    enable = lib.mkOption {
+      type = bool;
+      default = false;
+    };
+  };
+
+  config = lib.mkIf config.mj.services.sshguard.enable {
+    services.sshguard = {
+      enable = true;
+      blocktime = 900;
+      whitelist =
+        ["192.168.0.0/16" myData.subnets.tailscale.cidr]
+        ++ (lib.catAttrs "publicIP" (lib.attrValues myData.hosts));
+    };
+  };
+}