feat(systems/optional/services; vars): add vars/networking, add openssh
This commit is contained in:
parent
dd35e66698
commit
b86fa030ec
|
@ -0,0 +1,42 @@
|
|||
{ lib, config, configVars, ... }:
|
||||
let
|
||||
sshPort = configVars.networking.sshPort;
|
||||
|
||||
# Sops needs access to the keys before the persist dirs are even mounted; so
|
||||
# just persisting the keys won't work, we must point at /persist
|
||||
hasOptinPersistence = false;
|
||||
in
|
||||
|
||||
{
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
ports = [ sshPort ];
|
||||
|
||||
settings = {
|
||||
# Harden
|
||||
PasswordAuthentication = false;
|
||||
PermitRootLogin = "no";
|
||||
# Automatically remove stale sockets
|
||||
StreamLocalBindUnlink = "yes";
|
||||
# Allow forwarding ports to everywhere
|
||||
GatewayPorts = "clientspecified";
|
||||
};
|
||||
|
||||
hostKeys = [{
|
||||
path = "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key";
|
||||
type = "ed25519";
|
||||
}];
|
||||
# Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611
|
||||
authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
|
||||
};
|
||||
# yubikey login / sudo
|
||||
# this potentially causes a security issue that we mitigated above
|
||||
security.pam = {
|
||||
sshAgentAuth.enable = true;
|
||||
services = {
|
||||
sudo.u2fAuth = true;
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ sshPort ];
|
||||
}
|
|
@ -1,9 +1,11 @@
|
|||
{ inputs, lib }:
|
||||
{
|
||||
networking = import ./networking.nix { inherit lib; };
|
||||
|
||||
username = "laozi";
|
||||
#domain = inputs.nix-secrets.domain;
|
||||
#userFullName = inputs.nix-secrets.full-name;
|
||||
#handle = "madmin";
|
||||
handle = "madmin";
|
||||
#userEmail = inputs.nix-secrets.user-email;
|
||||
#gitEmail = "madmin@noreply.codeberg.org";
|
||||
#workEmail = inputs.nix-secrets.work-email;
|
||||
|
|
|
@ -1,2 +1,4 @@
|
|||
{ ... }:
|
||||
{}
|
||||
{
|
||||
sshPort = 22;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue