From 383989516c2dc14285f34e9a7c086c8dc1db759a Mon Sep 17 00:00:00 2001
From: Will Holdsworth
Date: Mon, 9 Mar 2026 17:41:04 +1100
Subject: [PATCH] feat(openssh): reconfigure hardening based on nixos wiki reccomendations
---
 hosts/server/configuration.nix | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 9593963..6df325b 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -42,18 +42,22 @@
 };
 # hardened openssh
- services.openssh = {
- allowSFTP = false;
- extraConfig = ''
- AllowTcpForwarding yes
- X11Forwarding no
- AllowAgentForwarding no
- AllowStreamLocalForwarding no
- AuthenticationMethods publickey
- '';
- settings = {
- KbdInteractiveAuthentication = false;
- PasswordAuthentication = false;
+ services = {
+ fail2ban.enable = true;
+ endlessh = {
+ enable = true;
+ port = 22;
+ openFirewall = true;
+ };
+ openssh = {
+ enable = true;
+ ports = [ 5011 ];
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ AllowUsers = [ "srv" ];
+ };
 };
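Review bot: The new `openssh` block drops `allowSFTP = false;`, `AllowAgentForwarding no` and `AllowStreamLocalForwarding no` from the removed `extraConfig` without re-adding them, so under NixOS defaults the SFTP subsystem and agent/Unix-socket forwarding come back on — a loosening in a commit titled hardening. Restore them in the same block: `allowSFTP = false;` next to `ports`, and `AllowAgentForwarding = "no"; AllowStreamLocalForwarding = "no";` inside `settings`; dropping `X11Forwarding no` and `AuthenticationMethods publickey` is fine, since X11 forwarding is off by default and disabling password and keyboard-interactive auth leaves public key as the only remaining method on this host. It is also worth confirming that the fail2ban sshd jail watches the non-default port 5011 rather than 22, which endlessh now answers; recent NixOS releases derive the jail port from `services.openssh.ports`, but that is not visible in this hunk. The enclosing module attribute set starts and ends outside the hunk.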