{ config, lib, sane-lib, ... }:

let
  inherit (lib) foldl' mapAttrsToList mkDefault mkIf mkMerge;

  # Keys contributed by one host entry of `config.sane.hosts.by-name`.
  # Every alias in `hostCfg.names` yields a `root@<alias>` entry (the host key) and,
  # when the host has a user key and is marked authorized, a `colin@<alias>` entry,
  # e.g. `root@servo`, `colin@servo`, `root@servo-hn`, `colin@servo-hn`, ... as one attrset.
  keysForHost = hostCfg:
    let
      userKeyWanted = hostCfg.ssh.user_pubkey != null && hostCfg.ssh.authorized;
      entriesFor = alias: {
        "root@${alias}" = hostCfg.ssh.host_pubkey;
        # `mkIf` leaves the attribute undefined (rather than null) when the host is not authorized
        "colin@${alias}" = mkIf userKeyWanted hostCfg.ssh.user_pubkey;
      };
    in
      foldl' (merged: alias: merged // entriesFor alias) {} hostCfg.names;

  # one attrset per known host; merged below with the hand-written entries
  hostKeys = mapAttrsToList (_hostName: keysForHost) config.sane.hosts.by-name;

  servoHostKey = config.sane.hosts.by-name.servo.ssh.host_pubkey;
in
{
  sane.ssh.pubkeys = mkMerge (hostKeys ++ [
    {
      # public DNS names that resolve to servo share its host key
      "root@uninsane.org" = servoHostKey;
      "root@git.uninsane.org" = servoHostKey;

      # documented here: <https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints>
      # Github actually uses multiple keys -- one per format
      # NOTE(review): only the ed25519 key is pinned here; whether a connection could end up
      # negotiating another key type depends on the consumer of `sane.ssh.pubkeys`, not visible in this file.
      "root@github.com" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
    }
  ]);

  services.openssh = {
    enable = true;
    # key-based, non-root logins only
    settings.PermitRootLogin = "no";
    settings.PasswordAuthentication = false;
    settings.UsePAM = mkDefault false; #< notably, disables systemd session tracking; incidentally disables pam_mount, etc.
  };

  # expose sshd on the LAN only (per this file; other modules may widen it)
  sane.ports.ports."22" = {
    protocol = [ "tcp" ];
    visibleTo.lan = true;
    description = mkDefault "colin-ssh";
  };

  # sane.services.dropbear = {
  #   enable = true;
  #   port = 1022;
  # };
  # sane.ports.ports."1022" = {
  #   protocol = [ "tcp" ];
  #   visibleTo.lan = true;
  #   description = lib.mkDefault "colin-dropbear-ssh";
  # };
}