mirror of
https://codeberg.org/privacy1st/nix-git
synced 2024-11-24 22:29:33 +01:00
49 lines
1.5 KiB
Nix
49 lines
1.5 KiB
Nix
{ config, pkgs, ... }:
|
|
{
|
|
# Enable SSH server.
|
|
services.openssh = {
|
|
enable = true;
|
|
ports = (
|
|
if (config.networking.hostName == "yodaTux") || (config.networking.hostName == "yodaTab") || (config.networking.hostName == "yodaGaming")
|
|
then [22]
|
|
else if (config.networking.hostName == "yodaYoga")
|
|
then [2224]
|
|
else if (config.networking.hostName == "yodaNas")
|
|
then [2222]
|
|
else if (config.networking.hostName == "yodaHedgehog")
|
|
then [2226]
|
|
else throw "Please add ssh port here"
|
|
);
|
|
|
|
# Enabling this is required for commands such as sftp and sshfs.
|
|
allowSFTP = false;
|
|
|
|
settings = {
|
|
# Use authorized keys only.
|
|
PasswordAuthentication = false;
|
|
|
|
#
|
|
# https://infosec.mozilla.org/guidelines/openssh
|
|
#
|
|
Macs = ["hmac-sha2-512-etm@openssh.com"];
|
|
Ciphers = ["chacha20-poly1305@openssh.com"];
|
|
# TODO Use 25519 instead of RSA key pairs
|
|
#KexAlgorithms = ["curve25519-sha256@libssh.org"];
|
|
};
|
|
|
|
};
|
|
|
|
# TODO replace authorizedKeys in all .nix files with authorizedKeyFiles
|
|
# SSH public key(s) allowed to connect via SSH.
|
|
users.users."yoda".openssh.authorizedKeys.keys = [
|
|
(builtins.readFile ../assets/ssh/nitrokey.pub)
|
|
];
|
|
users.users."root".openssh.authorizedKeys.keys = [
|
|
(builtins.readFile ../assets/ssh/nitrokey.pub)
|
|
] ++ (
|
|
if (config.networking.hostName == "yodaNas")
|
|
then [(builtins.readFile ../assets/ssh/hedgehog.pub)]
|
|
else []
|
|
);
|
|
}
|