dotfiles/nixos/server-security.nix
2024-08-24 22:17:00 +01:00

52 lines
1.4 KiB
Nix

{
config,
pkgs,
...
}: let
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEo4R+6J3h6Ix3xWpOMdU7Es1/YxFchHw0c+kcCOJxFb cyryl@foureighty"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDa2qAxpUEFeBYl2wlzDa/x37TAAy5pOBHv50OXUrV5 cyryl@thinky"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBKc/pKrkWLaq6IdfcFqBV3PnPwhTEUh2rOP5g6I5OBd cyryl@airy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPbJNY48F1Vn11aDX5hJSj4oS2NIKEH2busqoyQTLIvk cyryl@bolty"
];
in {
imports = [./security.nix];
security.acme.defaults.email = "admin@cyplo.dev";
security.acme.acceptTerms = true;
services.fail2ban.enable = true;
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "prohibit-password";
PasswordAuthentication = false;
};
};
programs.ssh.extraConfig = ''
Host cupsnet.cyplo.dev
HostName cupsnet.cyplo.dev
Port 2222
Host cupsnet cupsnet.raptor-carp.ts.net
HostName cupsnet.raptor-carp.ts.net
Port 2222
StrictHostKeyChecking=accept-new
'';
users.extraUsers.root.openssh.authorizedKeys.keys = authorizedKeys;
users.users.nix-builder = {
isNormalUser = true;
openssh.authorizedKeys.keys = authorizedKeys;
};
users.users.cyryl = {
isNormalUser = true;
openssh.authorizedKeys.keys = authorizedKeys;
};
nix = {
settings.trusted-users = ["root" "nix-builder" "cyryl"];
sshServe.enable = true;
sshServe.keys = authorizedKeys;
};
}