dotfiles/nixos/server-security.nix


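{
  config,
  pkgs,
  ...
}: let
  # One key list is reused for root, cyryl, nix-builder and nix.sshServe
  # below, so adding a key here is equivalent to handing out root on this
  # host. Keep it to keys you would trust with that.
  authorizedKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEo4R+6J3h6Ix3xWpOMdU7Es1/YxFchHw0c+kcCOJxFb cyryl@foureighty"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDa2qAxpUEFeBYl2wlzDa/x37TAAy5pOBHv50OXUrV5 cyryl@thinky"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBKc/pKrkWLaq6IdfcFqBV3PnPwhTEUh2rOP5g6I5OBd cyryl@airy"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPbJNY48F1Vn11aDX5hJSj4oS2NIKEH2busqoyQTLIvk cyryl@bolty"
  ];
in {
  # Baseline hardening shared with other hosts lives in security.nix; this
  # module layers the server-specific SSH / ACME / nix-daemon policy on top.
  imports = [./security.nix];

  security.acme.defaults.email = "admin@cyplo.dev";
  security.acme.acceptTerms = true;

  # With password logins disabled below, fail2ban mainly cuts sshd log noise
  # and connection churn from scanners rather than stopping brute force.
  services.fail2ban.enable = true;

  services.openssh = {
    enable = true;
    settings = {
      # Root can still log in, but only with one of the keys above (useful
      # for remote nixos-rebuild deploys). Tighten to "no" if deploys are
      # done as cyryl + sudo instead.
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
      # NixOS leaves keyboard-interactive auth enabled by default, and with
      # UsePAM that can still let PAM prompt for a password even though
      # PasswordAuthentication is off. Disable it so public-key auth is the
      # only accepted method.
      KbdInteractiveAuthentication = false;
    };
  };

  # Client-side config for reaching the cupsnet host, via its public name and
  # via the tailnet. ssh_config binds options to the most recent "Host" line,
  # so accept-new (trust the key on first contact, refuse later changes) only
  # applies to the tailnet names; the public name keeps ssh's default
  # host-key checking.
  programs.ssh.extraConfig = ''
    Host cupsnet.cyplo.dev
    HostName cupsnet.cyplo.dev
    Port 2222
    Host cupsnet cupsnet.raptor-carp.ts.net
    HostName cupsnet.raptor-carp.ts.net
    Port 2222
    StrictHostKeyChecking=accept-new
  '';

  # All three accounts share the same key list, so any of these keys can log
  # in directly as root; the per-user split is convenience, not privilege
  # separation. users.users is the current option name (users.extraUsers is
  # a deprecated alias and only emits a warning).
  users.users.root.openssh.authorizedKeys.keys = authorizedKeys;
  users.users.nix-builder = {
    isNormalUser = true;
    openssh.authorizedKeys.keys = authorizedKeys;
  };
  users.users.cyryl = {
    isNormalUser = true;
    openssh.authorizedKeys.keys = authorizedKeys;
  };

  nix = {
    # trusted-users may override any nix-daemon setting (substituters,
    # sandbox, ...), which is effectively root on the host. Keep this list to
    # accounts that already have root through the keys above.
    settings.trusted-users = ["root" "nix-builder" "cyryl"];
    # Expose this host's store to remote nix over ssh for the same keys; the
    # NixOS module is expected to route this through a dedicated restricted
    # user rather than a login shell — confirm against the module if relying
    # on that.
    sshServe.enable = true;
    sshServe.keys = authorizedKeys;
  };
}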