derped/nixos
1
0
Fork 0
Code Releases Activity

Format project using nixfmt rfc candidate.

Browse source
This commit is contained in:
Kevin Baensch 2024-11-20 20:32:38 +01:00
parent 1f63817684
commit a9f7fe416f
Signed by: derped
GPG key ID: C0F1D326C7626543
91 changed files with 1347 additions and 1000 deletions
Download patch file Download diff file Expand all files Collapse all files

45
services/openssh.nix
View file

@ -8,35 +8,38 @@
# https://infosec.mozilla.org/guidelines/openssh.html
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
with lib;
mkIf (elem "openssh" config.machine.services) {
services.openssh = {
enable = true;
settings.KexAlgorithms = ["curve25519-sha256@libssh.org"];
sftpFlags = ["-f AUTHPRIV" "-l INFO"];
startWhenNeeded = false;
settings = {
KbdInteractiveAuthentication = false;
PasswordAuthentication = false;
PermitRootLogin = "no";
};
extraConfig = let
mkIf (elem "openssh" config.machine.services) {
services.openssh = {
enable = true;
settings.KexAlgorithms = [ "curve25519-sha256@libssh.org" ];
sftpFlags = [
"-f AUTHPRIV"
"-l INFO"
];
startWhenNeeded = false;
settings = {
KbdInteractiveAuthentication = false;
PasswordAuthentication = false;
PermitRootLogin = "no";
};
extraConfig =
let
users =
concatMapStrings (user: "${user.name} ") config.machine.administrators
+ (optionalString config.services.forgejo.enable (config.services.forgejo.user + " "));
in ''
in
''
UsePAM no
AllowUsers ${users}
LogLevel VERBOSE
'';
};
# Add public keys to /etc/ssh/authorized_keys.d
# This replaces users.users.*.openssh.authorizedKeys.*
sops.secrets =
fn.sopsHelper
(user: "users/${user.name}/publicKey")
config.machine.administrators
};
# Add public keys to /etc/ssh/authorized_keys.d
# This replaces users.users.*.openssh.authorizedKeys.*
sops.secrets =
fn.sopsHelper (user: "users/${user.name}/publicKey") config.machine.administrators
(user: {
path = "/etc/ssh/authorized_keys.d/${user.name}";
mode = "444";
});
}
}