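{ config, format, lib, namespace, ... }:

# OpenSSH module for this flake's `${namespace}` option tree: enables sshd
# with public-key-only authentication, a single Ed25519 host key and a
# restricted key-exchange / MAC set, plus the ssh agent for the client side.
let
  inherit (lib)
    types
    mkDefault
    mkIf
    ;
  inherit (lib.${namespace}) mkOpt;

  cfg = config.${namespace}.services.openssh;

  # Default keys accepted for the managed user on every host that enables
  # this module; set `authorizedKeys` per host to narrow or replace them.
  authorizedKeys = [
    # MBP-Personal NixOS
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIe1n9l9pVF5+kjWJCOt3AvBVf1HOSZkEDZxCWVPSIkr"
  ];
in
{
  options.${namespace}.services.openssh = with types; {
    enable = lib.mkEnableOption "OpenSSH support";
    authorizedKeys = mkOpt (listOf str) authorizedKeys "The public keys to apply.";
    extraConfig = mkOpt str "" "Extra configuration to apply.";
  };

  config = mkIf cfg.enable {
    services.openssh = {
      enable = true;

      # Only an Ed25519 host key is generated. Ed25519 keys have a fixed size,
      # so no `bits` entry is given for it.
      hostKeys = mkDefault [
        {
          path = "/etc/ssh/ssh_host_ed25519_key";
          type = "ed25519";
        }
      ];

      openFirewall = true;
      ports = [ 22 ];

      settings = {
        # Public-key only. AuthenticationMethods alone already rejects password
        # and keyboard-interactive logins; the two flags below state that
        # explicitly so a later override of one setting cannot silently reopen
        # another path. KbdInteractiveAuthentication is the current name of the
        # former ChallengeResponseAuthentication keyword.
        AuthenticationMethods = "publickey";
        KbdInteractiveAuthentication = false;
        PasswordAuthentication = false;
        # The installer image is administered as root over SSH; even there root
        # is key-only, so root password login stays closed regardless of the
        # PasswordAuthentication value.
        PermitRootLogin = if format == "install-iso" then "prohibit-password" else "no";
        PubkeyAuthentication = "yes";
        StreamLocalBindUnlink = "yes";
        UseDns = false;
        UsePAM = true;
        X11Forwarding = false;

        # Key exchange restricted to curve25519, large-group DH and the
        # post-quantum hybrid; weaker groups are not offered.
        KexAlgorithms = [
          "curve25519-sha256"
          "curve25519-sha256@libssh.org"
          "diffie-hellman-group16-sha512"
          "diffie-hellman-group18-sha512"
          "diffie-hellman-group-exchange-sha256"
          "sntrup761x25519-sha512@openssh.com"
        ];

        # Encrypt-then-MAC variants only.
        Macs = [
          "hmac-sha2-512-etm@openssh.com"
          "hmac-sha2-256-etm@openssh.com"
          "umac-128-etm@openssh.com"
        ];
      };

      startWhenNeeded = true;
    };

    programs.ssh = {
      startAgent = lib.mkDefault true;
      inherit (cfg) extraConfig;
    };

    # NOTE(review): this attribute name is hard-coded while the rest of the
    # module uses `${namespace}`; confirm the flake namespace is "reichard",
    # or switch to `${namespace}` so the option path follows it.
    reichard = {
      user.extraOptions.openssh.authorizedKeys.keys = cfg.authorizedKeys;
    };
  };
}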