From f99fb01f03fcf64f42fed654c11cf3df8ada9175 Mon Sep 17 00:00:00 2001
From: Richie Cahill
Date: Mon, 15 Apr 2024 00:36:26 -0400
Subject: [PATCH] create openssh module

---
 modules/openssh.nix | 63 +++++++++++++++++++
 systems/configuration.nix | 61 ------------------
 users/alice/systems/non-server.nix | 1 +
 .../rhapsody-in-green/configuration.nix | 2 -
 4 files changed, 64 insertions(+), 63 deletions(-)
 create mode 100644 modules/openssh.nix

diff --git a/modules/openssh.nix b/modules/openssh.nix
new file mode 100644
index 0000000..ed9ac3e
--- /dev/null
+++ b/modules/openssh.nix
@@ -0,0 +1,63 @@
+{ lib, ... }:
+{
+ services.openssh = {
+ enable = lib.mkDefault true;
+ fixPermissions = true;
+ extraConfig = "StreamLocalBindUnlink yes";
+
+ hostKeys = [
+ {
+ bits = 4096;
+ path = "/etc/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ }
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ {
+ path = "/etc/ssh/ssh_host_ecdsa_key";
+ type = "ecdsa";
+ }
+ ];
+
+ settings = {
+ AllowAgentForwarding = "no";
+ AllowTcpForwarding = "no";
+ ChallengeResponseAuthentication = "no";
+ ClientAliveCountMax = lib.mkDefault 2;
+ Compression = "NO";
+ IgnoreRhosts = "yes";
+ LogLevel = lib.mkDefault "VERBOSE";
+ MaxAuthTries = 3;
+ MaxSessions = lib.mkDefault 2;
+ PasswordAuthentication = false;
+ PermitEmptyPasswords = "no";
+ PermitRootLogin = "no";
+ TcpKeepAlive = "no";
+ X11Forwarding = lib.mkDefault false;
+ KexAlgorithms = [
+ "curve25519-sha256@libssh.org"
+ "diffie-hellman-group-exchange-sha256"
+ ];
+
+ Ciphers = [
+ "chacha20-poly1305@openssh.com"
+ "aes256-gcm@openssh.com"
+ "aes128-gcm@openssh.com"
+ "aes256-ctr"
+ "aes192-ctr"
+ "aes128-ctr"
+ ];
+
+ Macs = [
+ "hmac-sha2-512-etm@openssh.com"
+ "hmac-sha2-256-etm@openssh.com"
+ "umac-128-etm@openssh.com"
+ "hmac-sha2-512"
+ "hmac-sha2-256"
+ "umac-128@openssh.com"
+ ];
+ };
+ };
+}
diff --git a/systems/configuration.nix b/systems/configuration.nix
index e5923c9..90807e3 100644
--- a/systems/configuration.nix
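Review bot: Interactive password prompting is only half closed by `ChallengeResponseAuthentication = "no";` in the settings block, because that keyword is a legacy alias of `KbdInteractiveAuthentication`, which the NixOS module (if I recall its `settings` options correctly) defaults to enabled, and sshd_config uses the first obtained value for a keyword, so which one wins depends on the order the generator renders the keys in. Setting the current name explicitly removes the ambiguity: `KbdInteractiveAuthentication = false;` next to `PasswordAuthentication = false;`. The same block spells one value three ways (`false`, `"no"`, and `"NO"` on the Compression line); sshd compares these arguments case-insensitively, but one consistent form, preferably the Nix boolean already used for `PasswordAuthentication` and `X11Forwarding`, would read better. The ecdsa entry in `hostKeys` is the only NIST-curve item in a configuration whose `KexAlgorithms` otherwise prefers curve25519; dropping it is optional but would make the host key set consistent with the rest of the module.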
+++ b/systems/configuration.nix
@@ -27,67 +27,6 @@
 recommendedDefaults = true;
 };
- openssh = {
- enable = true;
- fixPermissions = true;
- extraConfig = "StreamLocalBindUnlink yes";
-
- hostKeys = [
- {
- bits = 4096;
- path = "/etc/ssh/ssh_host_rsa_key";
- type = "rsa";
- }
- {
- path = "/etc/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- {
- path = "/etc/ssh/ssh_host_ecdsa_key";
- type = "ecdsa";
- }
- ];
-
- settings = {
- AllowAgentForwarding = "no";
- AllowTcpForwarding = "no";
- ChallengeResponseAuthentication = "no";
- ClientAliveCountMax = lib.mkDefault 2;
- Compression = "NO";
- IgnoreRhosts = "yes";
- LogLevel = lib.mkDefault "VERBOSE";
- MaxAuthTries = 3;
- MaxSessions = lib.mkDefault 2;
- PasswordAuthentication = false;
- PermitEmptyPasswords = "no";
- PermitRootLogin = "no";
- TcpKeepAlive = "no";
- X11Forwarding = lib.mkDefault false;
- KexAlgorithms = [
- "curve25519-sha256@libssh.org"
- "diffie-hellman-group-exchange-sha256"
- ];
-
- Ciphers = [
- "chacha20-poly1305@openssh.com"
- "aes256-gcm@openssh.com"
- "aes128-gcm@openssh.com"
- "aes256-ctr"
- "aes192-ctr"
- "aes128-ctr"
- ];
-
- Macs = [
- "hmac-sha2-512-etm@openssh.com"
- "hmac-sha2-256-etm@openssh.com"
- "umac-128-etm@openssh.com"
- "hmac-sha2-512"
- "hmac-sha2-256"
- "umac-128@openssh.com"
- ];
- };
- };
-
 autopull = {
 enable = true;
 ssh-key = "/root/.ssh/id_ed25519_ghdeploy";
diff --git a/users/alice/systems/non-server.nix b/users/alice/systems/non-server.nix
index 80a5574..1f51183 100644
--- a/users/alice/systems/non-server.nix
+++ b/users/alice/systems/non-server.nix
@@ -29,6 +29,7 @@
 };
 };
+ services.openssh.enable = false;
 services.autopull = {
 enable = false;
 ssh-key = "/root/.ssh/id_ed25519_ghdeploy";
diff --git a/users/richie/systems/rhapsody-in-green/configuration.nix b/users/richie/systems/rhapsody-in-green/configuration.nix
index 9e4d97f..51d3f3d 100644
--- a/users/richie/systems/rhapsody-in-green/configuration.nix
+++ b/users/richie/systems/rhapsody-in-green/configuration.nix
@@ -32,8 +32,6 @@
 };
 };
- openssh.enable = true;
-
 printing.enable = true;
 pipewire = {