diff --git a/src/ssh.nix b/src/ssh.nix index 8d5d5766ae3b30c4801b6ce200fa58c1460f6ca7..da4579b0334e867430191c6bebbc80f61f821ca6 100644 --- a/src/ssh.nix +++ b/src/ssh.nix @@ -1,27 +1,34 @@ # A NixOS module which configures SSH access to a system. +# Inspired from some previous commits from Jean-Paul in PrivateStorageio +# https://whetstone.private.storage/privatestorage/PrivateStorageio/-/commit/cb3c46694e693ca658920746418418efd208ca45 +# https://whetstone.private.storage/privatestorage/PrivateStorageio/-/commit/ba7502bb616095586a9b68dddbc3195346b22e42 +{ config, lib, ... }: { - lib, - config, - ... -}: { + # An attempt at a properly secure SSH configuration. This is informed by + # personal experience as well as various web resources: + # + # https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html + + # Declare our ssh options options = { - services.private-storage.sshUsers = lib.mkOption { + # To configure the users, starting with their public keys + ssh.users = lib.mkOption { type = lib.types.attrsOf (lib.types.listOf lib.types.str); - example = { root = "ssh-ed25519 AAA..."; }; - description = '' - Users to configure on the issuer server and the storage servers and + example = { root = [ "ssh-ed25519 AAA..." "ssh-ed25519 BBB..." ]; }; + description = lib.mdDoc '' + Users to configure on the servers and the SSH public keys to use to authenticate them. ''; }; }; + + # Define our ssh configuration config = let - cfg = config.services."private-storage"; + # Alias our options for convenience + cnf = config.ssh; in { - # An attempt at a properly secure SSH configuration. This is informed by - # personal experience as well as various web resources: - # - # https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html + # Configure the server services.openssh = { enable = true; 
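Review bot: The renamed `ssh.users` option types each key as `lib.types.str`, which accepts embedded newlines, so one list element could turn into several `authorized_keys` lines (an extra key, or an options prefix) on its way into `openssh.authorizedKeys.keys`; declaring it as `type = lib.types.attrsOf (lib.types.listOf lib.types.singleLineStr);` rejects that at evaluation time. Recent nixpkgs may already enforce this on `authorizedKeys.keys`, but this option is where the value enters the module and the check is cheap. Separately, the rename from `services.private-storage.sshUsers` leaves no alias for existing host configs; an `imports = [ (lib.mkRenamedOptionModule [ "services" "private-storage" "sshUsers" ] [ "ssh" "users" ]) ];` would keep them evaluating. The `config` attribute set opened at the end of this hunk continues into the next one.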
@@ -33,21 +40,24 @@ passwordAuthentication = false; extraConfig = '' - # Possibly this is superfluous considering we don't allow - # password-based authentication at all. - PermitEmptyPasswords no - - # Agent forwarding is fraught. It can be used by an attacker to - # leverage one compromised system into more. Discourage its use. + # Agent forwarding is fraught. It can be used by an attacker to + # leverage one compromised system into more. Discourage its use. + # From man page: Note that disabling agent forwarding does NOT + # improve security unless users are also denied shell access, + # as they can always install their own forwarders. AllowAgentForwarding no ''; }; - users.users = - let makeUserConfig = username: sshPublicKeys: { + # Configure the users + # Iterate through the attribute set option, + # and authorized each user with its keys + users.users = builtins.mapAttrs ( + username: keys: { + openssh.authorizedKeys.keys = keys; + # This is required for regular users isNormalUser = username != "root"; - openssh.authorizedKeys.keys = sshPublicKeys; - }; - in builtins.mapAttrs makeUserConfig cfg.sshUsers; + } + ) cnf.users; }; }
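Review bot: The `users.users = builtins.mapAttrs (...) cnf.users` mapping only adds accounts and keys; with NixOS's default `users.mutableUsers = true` (not set anywhere visible in this hunk), removing a name from `ssh.users` does not delete the account, and keys a user appends to their own `~/.ssh/authorized_keys` stay valid, so the option is not an authoritative access list. If that is the intent, add `users.mutableUsers = false;` beside `users.users` and consider limiting `services.openssh.authorizedKeysFiles` to the Nix-managed path. The new comment above the mapping also has a typo: `# and authorized each user with its keys` should read `# and authorize each user with its keys`. The `services.openssh` block whose `extraConfig` is edited here opens in the previous hunk.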