Skip to content
Snippets Groups Projects
Select Git revision
  • 08377895a815dd52ce1b5f20b37ff2515ea9f613
  • develop default protected
  • production protected
  • nixpkgs-upgrade-2025-06-16
  • nixpkgs-upgrade-2024-12-23
  • 190-our-regular-updates-fill-up-the-servers-boot-partitions
  • nixpkgs-upgrade-2024-10-14
  • hro-cloud protected
  • 162.flexible-grafana-module
  • nixpkgs-upgrade-2024-05-13
  • nixpkgs-upgrade-2024-04-22
  • nixpkgs-upgrade-2024-03-25
  • nixpkgs-upgrade-2024-03-18
  • nixpkgs-upgrade-2024-03-11
  • nixpkgs-upgrade-2024-03-04
  • 163.jp-to-ben-for-prod
  • nixpkgs-upgrade-2024-02-26
  • 164.grafana-alert-rules
  • 157.authorize-new-hro-key
  • nixpkgs-upgrade-2024-02-19
  • nixpkgs-upgrade-2024-02-12
21 results

README.rst

Blame
  • ssh.nix 1.58 KiB
    # A NixOS module which configures SSH access to a system.
    {
      lib,
      config,
      ...
    }: {
      options = {
        services.private-storage.sshUsers = lib.mkOption {
          type = lib.types.attrsOf lib.types.str;
          example = { root = "ssh-ed25519 AAA..."; };
          description = ''
            Users to configure on the issuer server and the storage servers and
            the SSH public keys to use to authenticate them.
          '';
        };
      };
      config =
      let
         cfg = config.services."private-storage";
      in {
        # An attempt at a properly secure SSH configuration.  This is informed by
        # personal experience as well as various web resources:
        #
        # https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
        services.openssh = {
          enable = true;
    
          # We don't use SFTP for anything.  No reason to expose it.
          allowSFTP = false;
    
          # We only allow key-based authentication.
          challengeResponseAuthentication = false;
          passwordAuthentication = false;
    
          extraConfig = ''
            # Possibly this is superfluous considering we don't allow
            # password-based authentication at all.
            PermitEmptyPasswords no
    
            # Agent forwarding is fraught.  It can be used by an attacker to
            # leverage one compromised system into more.  Discourage its use.
            AllowAgentForwarding no
          '';
        };
    
        users.users =
          let makeUserConfig = username: sshPublicKey: {
            isNormalUser = username != "root";
            openssh.authorizedKeys.keys = [ sshPublicKey ];
          };
          in builtins.mapAttrs makeUserConfig cfg.sshUsers;
      };
    }