Newer
Older
# A NixOS module which configures SSH access to a system.
{
lib,
config,
...
}: {
options = {
};
config =
let
cfg = config."private-storage".config;
in {
# An attempt at a properly secure SSH configuration. This is informed by
# personal experience as well as various web resources:
#
# https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
services.openssh = {
enable = true;
# We don't use SFTP for anything. No reason to expose it.
allowSFTP = false;
# We only allow key-based authentication.
challengeResponseAuthentication = false;
passwordAuthentication = false;
extraConfig = ''
# Possibly this is superfluous considering we don't allow
# password-based authentication at all.
PermitEmptyPasswords no
# Don't allow authentication as random system users.
AllowUsers root
'';
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon"
];
};
}