{ config, pkgs, ... }:
let
  hostName = config.networking.hostName;

  # sshd listen port(s) per machine. A host that is missing here makes the
  # evaluation fail on purpose (see the `or` fallback below) rather than
  # silently falling back to a default port.
  sshPortsByHost = {
    yodaTux = [ 22 ];
    yodaTab = [ 22 ];
    yodaGaming = [ 22 ];
    yodaYoga = [ 2224 ];
    yodaNas = [ 2222 ];
    yodaHedgehog = [ 2226 ];
  };

  # The one key that may log in as the regular user and as root.
  nitrokeyPub = builtins.readFile ../assets/ssh/nitrokey.pub;

  # Extra key that may log in as root, but only on the NAS.
  hedgehogPub = builtins.readFile ../assets/ssh/hedgehog.pub;
in
{
  # Enable SSH server.
  services.openssh = {
    enable = true;

    ports = sshPortsByHost.${hostName} or (throw "Please add ssh port here");

    # Enabling this is required for commands such as sftp and sshfs;
    # it is deliberately kept off here.
    allowSFTP = false;

    # Public key is the only accepted authentication method.
    #
    # https://man.archlinux.org/man/core/openssh/sshd_config.5.en#AuthenticationMethods
    # - AuthenticationMethods is changed from its default `any` to `publickey`,
    #   so a password or keyboard-interactive exchange on its own never
    #   completes a login.
    # - PubkeyAuthentication is pinned explicitly to its default `yes`.
    #
    # https://nixos.wiki/wiki/SSH_public_key_authentication#SSH_server_config
    # An equivalent way to express this would be
    #   settings.PasswordAuthentication = false;
    #   settings.KbdInteractiveAuthentication = false;
    #
    # NOTE(review): root logins below rely on the NixOS default for
    # PermitRootLogin (prohibit-password); confirm it is not overridden
    # by another module.
    extraConfig = ''
      AuthenticationMethods publickey
      PubkeyAuthentication yes
    '';

    settings = {
      # Algorithm choices follow
      # https://infosec.mozilla.org/guidelines/openssh
      Macs = [ "hmac-sha2-512-etm@openssh.com" ];
      Ciphers = [ "chacha20-poly1305@openssh.com" ];
      # TODO switch the user key pairs from RSA to ed25519; the commented
      # KexAlgorithms line below is a separate concern (key exchange, not the
      # key pair type) and is left as a follow-up from the same guideline.
      #KexAlgorithms = [ "curve25519-sha256@libssh.org" ];
    };
  };

  # TODO replace authorizedKeys in all .nix files with authorizedKeyFiles

  # SSH public key(s) allowed to connect via SSH.
  users.users."yoda".openssh.authorizedKeys.keys = [ nitrokeyPub ];

  users.users."root".openssh.authorizedKeys.keys =
    [ nitrokeyPub ]
    ++ (if hostName == "yodaNas" then [ hedgehogPub ] else [ ]);
}