| -rw-r--r-- | machines/nixos/x86_64-linux/do-rproxy/default.nix | 1 | ||||
| -rw-r--r-- | machines/nixos/x86_64-linux/synology-vm/default.nix | 1 | ||||
| -rw-r--r-- | profiles/core/ssh.nix | 19 | ||||
| -rw-r--r-- | profiles/server.nix | 4 |
4 files changed, 21 insertions, 4 deletions
diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
index fb5ee88..705bd30 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/default.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/default.nix
@@ -24,6 +24,7 @@
 "${self}/profiles/disk/vm.nix"
 "${self}/profiles/server.nix"
 "${self}/profiles/core/locale.nix"
+ "${self}/profiles/core/ssh.nix"
 ];
 
 disko.devices.disk.disk1.device = "/dev/vda";
diff --git a/machines/nixos/x86_64-linux/synology-vm/default.nix b/machines/nixos/x86_64-linux/synology-vm/default.nix
index af9db27..e3122be 100644
--- a/machines/nixos/x86_64-linux/synology-vm/default.nix
+++ b/machines/nixos/x86_64-linux/synology-vm/default.nix
@@ -38,6 +38,7 @@
 "${self}/profiles/server.nix"
 "${self}/profiles/git-server.nix"
 "${self}/profiles/core/locale.nix"
+ "${self}/profiles/core/ssh.nix"
 ];
 
 # Use the systemd-boot EFI boot loader.
diff --git a/profiles/core/ssh.nix b/profiles/core/ssh.nix
new file mode 100644
index 0000000..f8c899a
--- /dev/null
+++ b/profiles/core/ssh.nix
@@ -0,0 +1,19 @@
+{ lib, ... }:
+{
+ services.openssh = {
+ enable = lib.mkDefault true;
+ settings = {
+ PasswordAuthentication = lib.mkForce false;
+ KbdInteractiveAuthentication = lib.mkForce false;
+
+ PermitRootLogin = lib.mkForce "prohibit-password";
+ };
+ openFirewall = lib.mkDefault true;
+ hostKeys = [
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ };
+}
diff --git a/profiles/server.nix b/profiles/server.nix
index 49a0bc7..c91546d 100644
--- a/profiles/server.nix
+++ b/profiles/server.nix
@@ -45,10 +45,6 @@
 "1.0.0.1#cloudflare-dns.com"
 ];
 
- services.openssh.enable = true;
- services.openssh.settings.PasswordAuthentication = false;
- services.openssh.settings.PermitRootLogin = "no";
-
 users.users.root.openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
 ];
|
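Review bot: `PermitRootLogin = lib.mkForce "prohibit-password";` in the new profiles/core/ssh.nix is a loosening relative to the `services.openssh.settings.PermitRootLogin = "no";` this same commit removes from profiles/server.nix, and because server.nix still defines `users.users.root.openssh.authorizedKeys.keys`, root login by key becomes effective on every host that imports both files. If that is the intent it deserves a comment next to the setting, for example `# root login allowed by key only; the key is declared in profiles/server.nix`. Using `lib.mkForce` here also means a single host cannot tighten the value back to `"no"` with a plain assignment or `lib.mkDefault`; it would need a lower-numbered `lib.mkOverride`, so consider dropping `mkForce` on PermitRootLogin if per-host hardening is expected. Note too that listing only the ed25519 entry in `hostKeys` replaces the NixOS default set, so hosts that previously offered an RSA host key will stop doing so, which can surprise older clients.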
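Review bot: Removing `services.openssh.enable`, `PasswordAuthentication = false` and `PermitRootLogin = "no"` from profiles/server.nix means any host that imports profiles/server.nix but not the new profiles/core/ssh.nix (this commit only adds the import to do-rproxy and synology-vm) silently loses its sshd hardening: if such a host enables sshd anywhere else, NixOS's default leaves password authentication on. Unless every consumer of server.nix is known to be covered, the safer shape is to have server.nix pull the profile in itself, e.g. `imports = [ ./core/ssh.nix ];` (adapting to however server.nix currently declares imports, which is outside this hunk), and let hosts opt out with `services.openssh.enable = lib.mkDefault false;` rather than opt in. The root authorized key left in server.nix is now coupled to a PermitRootLogin policy that lives in a different file; a one-line comment above the key pointing to profiles/core/ssh.nix would keep that visible. The enclosing attribute set of server.nix starts and ends outside the hunk.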
