{ config, lib, sane-lib, ... }:
let
# Pubkey entries contributed by one host from config.sane.hosts.by-name:
# its host key under root@<host>, and colin's user key under colin@<host>
# only when that host is marked authorized AND actually carries a user key.
keysForHost = hostName:
  let
    sshCfg = config.sane.hosts.by-name."${hostName}".ssh;
    # null check first so an absent key short-circuits before `authorized` is consulted
    wantUserKey = sshCfg.user_pubkey != null && sshCfg.authorized;
  in {
    "root@${hostName}" = sshCfg.host_pubkey;
    # mkIf (rather than omitting the attr) so the absent case merges away under lib.mkMerge
    "colin@${hostName}" = lib.mkIf wantUserKey sshCfg.user_pubkey;
  };
# One attrset of pubkey entries per known host, in attrNames (sorted) order.
hostKeys = lib.mapAttrsToList (hostName: _: keysForHost hostName) config.sane.hosts.by-name;
in
{
sane.ssh.pubkeys = let
  # both public names are pinned to servo's host key
  servoHostKey = config.sane.hosts.by-name.servo.ssh.host_pubkey;
  externalKeys = {
    "root@uninsane.org" = servoHostKey;
    "root@git.uninsane.org" = servoHostKey;
    # GitHub publishes its host keys at
    # <https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints>
    # GitHub serves several keys (one per key type); only the ed25519 one is pinned here,
    # so compare against that page if GitHub ever rotates it.
    "root@github.com" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
  };
in lib.mkMerge (hostKeys ++ [ externalKeys ]);
services.openssh = {
  enable = true;
  settings = {
    # key-based, non-root logins only: no root shell over ssh, no password auth surface.
    PermitRootLogin = "no";
    PasswordAuthentication = false;
    # NOTE(review): PasswordAuthentication=false does not by itself cover
    # keyboard-interactive auth; confirm KbdInteractiveAuthentication is off via the module default.
    # With UsePAM off sshd runs none of the PAM auth/account/session stacks:
    # notably no systemd session tracking, and incidentally no pam_mount, etc.
    # NOTE(review): any login restriction enforced only through PAM (e.g. pam_access)
    # therefore does not apply to ssh logins -- confirm that is intended.
    # mkDefault so an individual host can turn PAM back on with a plain assignment.
    UsePAM = lib.mkDefault false;
  };
};
sane.ports.ports."22" = {
  protocol = [ "tcp" ];
  # only the LAN side is flagged visible here; any wider exposure would have to be set elsewhere
  visibleTo = { lan = true; };
  # mkDefault so a host can relabel the port without lib.mkForce
  description = lib.mkDefault "colin-ssh";
};
# sane.services.dropbear = {
# enable = true;
# port = 1022;
# };
# sane.ports.ports."1022" = {
# protocol = [ "tcp" ];
# visibleTo.lan = true;
# description = lib.mkDefault "colin-dropbear-ssh";
# };
}