nixos/services/openssh.nix
2023-09-11 21:20:14 +02:00

42 lines
1.2 KiB
Nix

{
config,
lib,
fn,
...
}:
# For reference:
# https://infosec.mozilla.org/guidelines/openssh.html
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
with lib;
mkIf (elem "openssh" config.machine.services) {
services.openssh = {
enable = true;
settings.KexAlgorithms = ["curve25519-sha256@libssh.org"];
sftpFlags = ["-f AUTHPRIV" "-l INFO"];
startWhenNeeded = false;
settings = {
KbdInteractiveAuthentication = false;
PasswordAuthentication = false;
PermitRootLogin = "no";
};
extraConfig = let
users =
concatMapStrings (user: "${user.name} ") config.machine.administrators
+ (optionalString config.services.gitea.enable (config.services.gitea.user + " "));
in ''
UsePAM no
AllowUsers ${users}
LogLevel VERBOSE
'';
};
# Add public keys to /etc/ssh/authorized_keys.d
# This replaces users.users.*.openssh.authorizedKeys.*
sops.secrets =
fn.sopsHelper
(user: "users/${user.name}/publicKey")
config.machine.administrators
(user: {
path = "/etc/ssh/authorized_keys.d/${user.name}";
mode = "444";
});
}