Compare commits

..

No commits in common. "0cf53a97cf67da1bcdba10119cd6999dff36f554" and "ec3d9e6049ee02c7957b0a8c0fe7fdd199a7821f" have entirely different histories.

2 changed files with 15 additions and 22 deletions

View File

@ -9,24 +9,19 @@ in
enable = mkEnableOption "ssh"; enable = mkEnableOption "ssh";
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.openssh = { services.openssh.enable = true;
enable = true; # TODO: Is this default configuration secure?
settings = {
PasswordAuthentication = false; services.openssh.hostKeys = mkIf (config.modules.impermanence.enable) [
KbdInteractiveAuthentication = false; {
PermitRootLogin = "no"; type = "ed25519";
}; path = "/persist/system/etc/ssh/ssh_host_ed25519_key";
hostKeys = mkIf (config.modules.impermanence.enable) [ }
{ {
type = "ed25519"; type = "rsa";
path = "/persist/system/etc/ssh/ssh_host_ed25519_key"; bits = 4096;
} path = "/persist/system/etc/ssh/ssh_host_rsa_key";
{ }
type = "rsa"; ];
bits = 4096;
path = "/persist/system/etc/ssh/ssh_host_rsa_key";
}
];
};
}; };
} }

View File

@ -33,8 +33,7 @@ in
}; };
# Local user # Local user
modules.secrets.secrets."ssh-keys/admin-pub" = { }; sops.secrets."ssh-keys/admin-pub" = { };
modules.secrets.secrets."passwords/local-hashed".neededForUsers = true;
services.getty.autologinUser = "local"; services.getty.autologinUser = "local";
security.sudo.extraRules = [ security.sudo.extraRules = [
{ {
@ -44,7 +43,6 @@ in
]; ];
users.mutableUsers = false; users.mutableUsers = false;
users.users.local = { users.users.local = {
hashedPasswordFile = config.sops.secrets."passwords/local-hashed".path;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
openssh.authorizedKeys.keyFiles = [ openssh.authorizedKeys.keyFiles = [
config.sops.secrets."ssh-keys/admin-pub".path config.sops.secrets."ssh-keys/admin-pub".path