refactor ssh

This commit is contained in:
Daniel Langbein 2023-09-11 14:05:02 +02:00
parent c5f7b477c1
commit 9266c7f4da
Signed by: langfingaz
GPG Key ID: 6C47C753F0823002
5 changed files with 48 additions and 34 deletions


@ -32,7 +32,8 @@ in
#../../modules/gnome-fractional-scaling.nix #../../modules/gnome-fractional-scaling.nix
../../modules/git.nix ../../modules/git.nix
../../modules/zsh.nix ../../modules/zsh.nix
../../modules/nitrokey-ssh-gpg.nix ../../modules/nitrokey-gpg-smartcard.nix
../../modules/ssh.nix
../../modules/firefox.nix ../../modules/firefox.nix
../../modules/thunderbird.nix ../../modules/thunderbird.nix
]; ];


@ -32,7 +32,8 @@ in
../../modules/gnome-fractional-scaling.nix ../../modules/gnome-fractional-scaling.nix
../../modules/git.nix ../../modules/git.nix
../../modules/zsh.nix ../../modules/zsh.nix
../../modules/nitrokey-ssh-gpg.nix ../../modules/nitrokey-gpg-smartcard.nix
../../modules/ssh.nix
../../modules/firefox.nix ../../modules/firefox.nix
../../modules/thunderbird.nix ../../modules/thunderbird.nix
]; ];


@ -83,10 +83,6 @@
users.users.yoda = { users.users.yoda = {
isNormalUser = true; isNormalUser = true;
description = "Yoda"; description = "Yoda";
# SSH public key(s) to connect via SSH
openssh.authorizedKeys.keys = [
"ssh-rsa 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 openpgp:0xA8B75370"
];
extraGroups = [ "networkmanager" "wheel" ]; extraGroups = [ "networkmanager" "wheel" ];
packages = with pkgs; [ packages = with pkgs; [
# Nix dependency management. # Nix dependency management.


@ -1,15 +1,6 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
# Enable SSH server.
services.openssh = {
enable = true;
# Forbid root login through SSH.
settings.PermitRootLogin = "no";
# Use authorized keys only.
settings.PasswordAuthentication = false;
};
# Use NitroKey USB smartcard with SSH. # Use NitroKey USB smartcard with SSH.
# https://nixos.wiki/wiki/Nitrokey # https://nixos.wiki/wiki/Nitrokey
@ -111,25 +102,6 @@
services.pcscd.enable = true; services.pcscd.enable = true;
home-manager.users.yoda = { osConfig, config, pkgs, ... }: { home-manager.users.yoda = { osConfig, config, pkgs, ... }: {
# SSH configuration.
programs.ssh = {
enable = true;
userKnownHostsFile = "~/.ssh/known_hosts ${../assets/ssh/known_hosts}";
matchBlocks = {
"nas" = {
hostname = "p1st.de";
user = "yoda";
port = 2222;
compression = true;
};
"rootnas" = {
hostname = "p1st.de";
user = "root";
port = 2222;
compression = true;
};
};
};
# GnuPG configuration. # GnuPG configuration.
# Examples: # Examples:
@ -156,5 +128,6 @@
} }
]; ];
}; };
}; };
} }

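--- /dev/null
+++ b/modules/ssh.nix
@@ -0,0 +1,43 @@
+{ config, pkgs, ... }:
+{
+# Enable SSH server.
+services.openssh = {
+enable = true;
+# Forbid root login through SSH.
+settings.PermitRootLogin = "no";
+# Use authorized keys only.
+settings.PasswordAuthentication = false;
+};
+# SSH public key(s) allowed to connect via SSH.
+users.users.yoda = {
+openssh.authorizedKeys.keys = [
+"ssh-rsa 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 openpgp:0xA8B75370"
+];
+};
+home-manager.users.yoda = { osConfig, config, pkgs, ... }: {
+# SSH client configuration.
+programs.ssh = {
+enable = true;
+userKnownHostsFile = "~/.ssh/known_hosts ${../assets/ssh/known_hosts}";
+matchBlocks = {
+"nas" = {
+hostname = "p1st.de";
+user = "yoda";
+port = 2222;
+compression = true;
+};
+"rootnas" = {
+hostname = "p1st.de";
+user = "root";
+port = 2222;
+compression = true;
+};
+};
+};
+};
+}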
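Review bot: `settings.PasswordAuthentication = false;` in the new `services.openssh` block does not by itself make the `# Use authorized keys only.` comment true: on NixOS `services.openssh.settings.KbdInteractiveAuthentication` defaults to true and sshd's keyboard-interactive method is backed by PAM, so a password can still be offered through that path unless the default is overridden in a file not shown here. Add `settings.KbdInteractiveAuthentication = false;` next to the PasswordAuthentication line so that only public-key authentication remains. Separately, this one module both starts a listening sshd with the yoda authorized key and configures yoda's ssh client, and the other hunks import it into two hosts, so every importing host becomes reachable with that key; a header comment such as `# Shared SSH module for yoda: enables sshd (key-only, no root) and the ssh client config.` would make that dual effect explicit to the next reader.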