46 lines
1.5 KiB
Nix
46 lines
1.5 KiB
Nix
{ config, lib, sane-lib, ... }:
|
|
|
|
let
|
|
keysForHost = hostName: let
|
|
hostCfg = config.sane.hosts.by-name."${hostName}";
|
|
in {
|
|
"root@${hostName}" = hostCfg.ssh.host_pubkey;
|
|
"colin@${hostName}" = lib.mkIf (hostCfg.ssh.user_pubkey != null && hostCfg.ssh.authorized) hostCfg.ssh.user_pubkey;
|
|
};
|
|
hostKeys = builtins.map keysForHost (builtins.attrNames config.sane.hosts.by-name);
|
|
in
|
|
{
|
|
sane.ssh.pubkeys = lib.mkMerge (hostKeys ++ [
|
|
{
|
|
"root@uninsane.org" = config.sane.hosts.by-name.servo.ssh.host_pubkey;
|
|
"root@git.uninsane.org" = config.sane.hosts.by-name.servo.ssh.host_pubkey;
|
|
|
|
# documented here: <https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints>
|
|
# Github actually uses multiple keys -- one per format
|
|
"root@github.com" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
|
|
}
|
|
]);
|
|
|
|
services.openssh = {
|
|
enable = true;
|
|
settings.PermitRootLogin = "no";
|
|
settings.PasswordAuthentication = false;
|
|
settings.UsePAM = lib.mkDefault false; #< notably, disables systemd session tracking; incidentally disables pam_mount, etc.
|
|
};
|
|
sane.ports.ports."22" = {
|
|
protocol = [ "tcp" ];
|
|
visibleTo.lan = true;
|
|
description = lib.mkDefault "colin-ssh";
|
|
};
|
|
|
|
# sane.services.dropbear = {
|
|
# enable = true;
|
|
# port = 1022;
|
|
# };
|
|
# sane.ports.ports."1022" = {
|
|
# protocol = [ "tcp" ];
|
|
# visibleTo.lan = true;
|
|
# description = lib.mkDefault "colin-dropbear-ssh";
|
|
# };
|
|
}
|