Florian Sesser authored
literalExample is deprecated and overused. See: https://whetstone.privatestorage.io/privatestorage/PrivateStorageio/-/merge_requests/201#note_16966
ssh.nix 1.58 KiB
# A NixOS module which configures SSH access to a system.
#
# Exposes one option, `services.private-storage.sshUsers`, mapping account
# names to the single SSH public key that authenticates each of them, and
# turns that into user accounts plus a key-only sshd configuration.
{ lib, config, ... }:
let
  cfg = config.services."private-storage";

  # Build the `users.users.<name>` entry for one entry of `sshUsers`.
  # Every name except "root" becomes a normal (non-system) user; root keeps
  # its built-in account and only gains the authorized key.  The key given
  # here is the only credential the account accepts (see sshd settings below).
  makeUserConfig = username: sshPublicKey: {
    isNormalUser = username != "root";
    openssh.authorizedKeys.keys = [ sshPublicKey ];
  };
in
{
  options.services.private-storage.sshUsers = lib.mkOption {
    type = lib.types.attrsOf lib.types.str;
    example = { root = "ssh-ed25519 AAA..."; };
    description = ''
      Users to configure on the issuer server and the storage servers and
      the SSH public keys to use to authenticate them.
    '';
  };

  config = {
    # Hardened sshd configuration, informed by operational experience and by
    # public hardening guides such as
    # https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
    services.openssh = {
      enable = true;
      # Nothing here uses SFTP, so don't expose the subsystem at all.
      allowSFTP = false;
      # Public-key authentication only: no passwords, no keyboard-interactive.
      # NOTE(review): on NixOS >= 23.05 these two options are superseded by
      # services.openssh.settings.PasswordAuthentication and
      # services.openssh.settings.KbdInteractiveAuthentication -- confirm
      # against the pinned nixpkgs when upgrading.
      challengeResponseAuthentication = false;
      passwordAuthentication = false;
      # Verbatim sshd_config directives appended to the generated file.
      extraConfig = ''
        # Possibly this is superfluous considering we don't allow
        # password-based authentication at all.
        PermitEmptyPasswords no
        # Agent forwarding is fraught. It can be used by an attacker to
        # leverage one compromised system into more. Discourage its use.
        AllowAgentForwarding no
      '';
    };

    # One account per `sshUsers` entry; the attribute name is the username
    # and the value is its authorized public key.
    users.users = lib.mapAttrs makeUserConfig cfg.sshUsers;
  };
}