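    # NixOS module: key-only SSH access for the accounts listed in
    # services.private-storage.sshUsers.
    {
      lib,
      config,
      ...
    }:
    let
      inherit (lib) mkOption types;
      cfg = config.services.private-storage;

      # Build the users.users entry for one configured account.  Only "root"
      # keeps its system-user status; every other name becomes a normal user.
      # The supplied public keys become that account's authorized keys.
      mkUser = username: sshPublicKeys: {
        isNormalUser = username != "root";
        openssh.authorizedKeys.keys = sshPublicKeys;
      };
    in {
      options.services.private-storage.sshUsers = mkOption {
        # username -> list of SSH public key strings
        type = types.attrsOf (types.listOf types.str);
        # The example must match the declared type (a list per user), so the
        # key is wrapped in a list rather than given as a bare string.
        example = { root = [ "ssh-ed25519 AAA..." ]; };
        description = ''
          Users to configure on the issuer server and the storage servers and
          the SSH public keys to use to authenticate them.
        '';
      };

      config = {
        # Hardened sshd settings, drawing on the author's experience plus
        # https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
        services.openssh = {
          enable = true;

          # Key-based authentication only: both password and
          # keyboard-interactive logins are switched off.
          # NOTE(review): newer NixOS releases expose these as
          # services.openssh.settings.PasswordAuthentication /
          # settings.KbdInteractiveAuthentication; confirm the pinned nixpkgs
          # still accepts the legacy option names without warnings.
          passwordAuthentication = false;
          kbdInteractiveAuthentication = false;

          # PermitRootLogin is not set in this module, so the NixOS default
          # applies.  NOTE(review): set it explicitly here if root access
          # should be narrowed beyond that default.
          extraConfig = ''
            # Possibly this is superfluous considering we don't allow
            # password-based authentication at all.
            PermitEmptyPasswords no

            # Agent forwarding is fraught.  It can be used by an attacker to
            # leverage one compromised system into more.  Discourage its use.
            AllowAgentForwarding no
          '';
        };

        # One users.users entry per configured account.
        users.users = lib.mapAttrs mkUser cfg.sshUsers;
      };
    }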