nix-git/modules/ssh-server.nix

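{ config, pkgs, ... }:
let
  hostName = config.networking.hostName;

  # sshd listening port per host. A host that is missing here fails at
  # evaluation time (see `sshPort` below) instead of silently coming up
  # on some unintended port.
  sshPortByHost = {
    yodaTux = 22;
    yodaTab = 22;
    yodaGaming = 22;
    yodaYoga = 2224;
    yodaNas = 2222;
    yodaHedgehog = 2226;
  };

  # `or` only evaluates the throw when the host has no entry, so the
  # error names the host that still needs a port.
  sshPort =
    sshPortByHost.${hostName}
      or (throw "Please add ssh port here (no entry for host ${hostName})");

  # Public key shared by every host and by both accounts below.
  nitrokeyPub = builtins.readFile ../assets/ssh/nitrokey.pub;
in
{
  # Enable SSH server.
  services.openssh = {
    enable = true;

    ports = [ sshPort ];

    # Enabling this is required for commands such as sftp and sshfs.
    # Kept off on purpose: the SFTP subsystem is not needed here.
    allowSFTP = false;

    # Only authentication method should be public key.
    #
    # https://man.archlinux.org/man/core/openssh/sshd_config.5.en#AuthenticationMethods
    # - We change the default of AuthenticationMethods from `any` to `publickey`.
    # - Furthermore, we explicitly set PubkeyAuthentication to its default value `yes`.
    #
    # https://nixos.wiki/wiki/SSH_public_key_authentication#SSH_server_config
    extraConfig = ''
      AuthenticationMethods publickey
      PubkeyAuthentication yes
    '';

    settings = {
      # Belt and braces for the extraConfig above: even if that block is
      # ever dropped, password and keyboard-interactive logins stay off,
      # and the intent is visible through the typed NixOS options.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;

      #
      # https://infosec.mozilla.org/guidelines/openssh
      #
      # Each list holds a single algorithm, so a client that does not
      # offer it cannot connect at all; extend the list rather than
      # loosening it if an older client must be supported.
      Macs = [ "hmac-sha2-512-etm@openssh.com" ];
      Ciphers = [ "chacha20-poly1305@openssh.com" ];
      # KexAlgorithms selects the key-exchange method and is independent
      # of which key-pair type (RSA, ed25519, ...) hosts and users use.
      # Left commented so the NixOS default set applies.
      # TODO Use 25519 instead of RSA key pairs
      #KexAlgorithms = ["curve25519-sha256@libssh.org"];
    };
  };

  # TODO replace authorizedKeys.keys in all .nix files with
  # users.users.<name>.openssh.authorizedKeys.keyFiles

  # SSH public key(s) allowed to connect via SSH.
  users.users."yoda".openssh.authorizedKeys.keys = [ nitrokeyPub ];

  # Root accepts the same key. Key-based root login relies on the NixOS
  # default for PermitRootLogin (prohibit-password — confirm against the
  # NixOS release in use); set it explicitly in `settings` if that
  # default should not be relied on.
  users.users."root".openssh.authorizedKeys.keys =
    [ nitrokeyPub ]
    ++ (
      if hostName == "yodaNas"
      then [ (builtins.readFile ../assets/ssh/hedgehog.pub) ]
      else [ ]
    );
}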