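{
  config,
  lib,
  fn,
  ...
}:

# For reference:
# https://infosec.mozilla.org/guidelines/openssh.html
# https://stribika.github.io/2015/01/04/secure-secure-shell.html

with lib;

# OpenSSH server for every machine that lists "openssh" among its services:
# key-only authentication, restricted key exchange, and a login allow-list built
# from the declared administrators. Public keys are delivered through sops.
mkIf (elem "openssh" config.machine.services) {
  services.openssh = {
    enable = true;

    # Log SFTP activity to the authpriv facility at INFO so file transfers end
    # up next to the login records.
    sftpFlags = [
      "-f AUTHPRIV"
      "-l INFO"
    ];

    # Run sshd as a persistent daemon instead of socket activation.
    startWhenNeeded = false;

    # sshd_config keeps the FIRST value it reads for a keyword (sshd_config(5)).
    # NOTE(review): the NixOS module writes `settings` before `extraConfig` and
    # supplies its own defaults for LogLevel and UsePAM, so the `UsePAM no` and
    # `LogLevel VERBOSE` lines that used to live in `extraConfig` were shadowed
    # and never reached sshd. Everything is therefore declared in `settings`.
    settings = {
      # Only the Curve25519 exchange recommended by the referenced guidelines.
      # NOTE(review): those guidelines also pin Ciphers and MACs; both are left
      # at the module defaults here.
      KexAlgorithms = [ "curve25519-sha256@libssh.org" ];

      # Key-based authentication only; no interactive or password logins, and
      # no direct root login.
      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
      PermitRootLogin = "no";

      # NOTE(review): moved here from `extraConfig`, where it was ineffective
      # (see above). Disabling PAM also skips the PAM session stack on login;
      # confirm that is intended before deploying this change.
      UsePAM = false;

      # Only the declared administrators, plus the Forgejo service user when that
      # service is enabled, may authenticate at all.
      AllowUsers =
        map (user: user.name) config.machine.administrators
        ++ optional config.services.forgejo.enable config.services.forgejo.user;

      # VERBOSE records the fingerprint of the key used for each login, which is
      # what makes per-key auditing of successful sessions possible.
      LogLevel = "VERBOSE";
    };
  };

  # Add public keys to /etc/ssh/authorized_keys.d
  # This replaces users.users.*.openssh.authorizedKeys.*
  sops.secrets =
    fn.sopsHelper (user: "users/${user.name}/publicKey") config.machine.administrators
      (user: {
        path = "/etc/ssh/authorized_keys.d/${user.name}";
        # Public keys need no secrecy; sshd only requires that the file is not
        # writable by anyone other than its owner, which 444 satisfies.
        mode = "444";
      });
}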