From c7c690d7b828be730edeed3f2f12912f268e80a1 Mon Sep 17 00:00:00 2001
From: truxnell <19149206+truxnell@users.noreply.github.com>
Date: Sat, 23 Mar 2024 10:57:18 +1100
Subject: [PATCH] initial testing
---
 flake.nix | 4 ++-
 nixos/hosts/common/nixos/default.nix | 2 +-
 nixos/hosts/nixosvm/default.nix | 1 +
 nixos/modules/nixos/default.nix | 5 ++++
 nixos/modules/nixos/system/defaut.nix | 5 ++++
 nixos/modules/nixos/system/openssh.nix | 40 ++++++++++++++++++++++++++
 6 files changed, 55 insertions(+), 2 deletions(-)
 create mode 100644 nixos/modules/nixos/default.nix
 create mode 100644 nixos/modules/nixos/system/defaut.nix
 create mode 100644 nixos/modules/nixos/system/openssh.nix
diff --git a/flake.nix b/flake.nix
index 2697a9c..772e4bd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -49,10 +49,12 @@
 # Use nixpkgs-fmt for 'nix fmt'
 formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
 
+ nixosModules = import ./nixos/modules/nixos;
+
 nixosConfigurations =
 let
 defaultModules =
- # (builtins.attrValues nixosModules) ++
+ (builtins.attrValues nixosModules) ++
 [
 sops-nix.nixosModules.sops
 ];
diff --git a/nixos/hosts/common/nixos/default.nix b/nixos/hosts/common/nixos/default.nix
index 9ba22d3..9c91935 100644
--- a/nixos/hosts/common/nixos/default.nix
+++ b/nixos/hosts/common/nixos/default.nix
@@ -10,7 +10,7 @@
 #inputs.sops-nix.nixosModules.sops
 ./locale.nix
 ./nix.nix
- ./openssh.nix
+ # ./openssh.nix
 ./packages.nix
 ] ++ (builtins.attrValues { });
diff --git a/nixos/hosts/nixosvm/default.nix b/nixos/hosts/nixosvm/default.nix
index 59781f4..6901270 100644
--- a/nixos/hosts/nixosvm/default.nix
+++ b/nixos/hosts/nixosvm/default.nix
@@ -29,6 +29,7 @@
 networking.hostName = "nixosvm"; # Define your hostname.
+ modules.services.openssh = true;
 # Pick only one of the below networking options.
 # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. 
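Review bot: `nixosModules = import ./nixos/modules/nixos;` does not produce the attribute set of modules that the restored `(builtins.attrValues nixosModules) ++` line expects: the imported file (added by this patch) is itself a module, `{ imports = [ ./system ]; }`, so `attrValues` yields `[ [ ./system ] ]`, a list nested inside `defaultModules` instead of a module, and I'd expect evaluation of `nixosConfigurations` to fail on it. Either expose a named module, `nixosModules = { default = import ./nixos/modules/nixos; };`, which also gives the public `nixosModules` flake output its conventional `{ name = module; }` shape, or drop the `attrValues` and add the path to `defaultModules` directly. The `nixosConfigurations` expression continues past the end of the hunk.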
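Review bot: The `# ./openssh.nix` entry left in the common imports list of nixos/hosts/common/nixos/default.nix is dead code now that the module lives under nixos/modules/nixos/system; delete the line rather than keep it commented out. Since the commit moves sshd from always-on to opt-in, any host that does not set `modules.services.openssh.enable = true;` silently loses SSH access on the next rebuild, which is worth a sentence in the commit description. The enclosing imports list starts before the hunk.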
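Review bot: `modules.services.openssh = true;` in nixos/hosts/nixosvm/default.nix assigns a boolean to a path that this same patch declares as an attribute set (`options.modules.services.openssh = { enable = lib.mkEnableOption "openssh"; };`), so I'd expect a type error at evaluation rather than an enabled sshd. The line should read `modules.services.openssh.enable = true;`. The enclosing configuration attribute set starts before the hunk and continues past it.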
diff --git a/nixos/modules/nixos/default.nix b/nixos/modules/nixos/default.nix
new file mode 100644
index 0000000..2ad14a5
--- /dev/null
+++ b/nixos/modules/nixos/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./system
+ ];
+}
diff --git a/nixos/modules/nixos/system/defaut.nix b/nixos/modules/nixos/system/defaut.nix
new file mode 100644
index 0000000..4619942
--- /dev/null
+++ b/nixos/modules/nixos/system/defaut.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./openssh.nix
+ ];
+}
diff --git a/nixos/modules/nixos/system/openssh.nix b/nixos/modules/nixos/system/openssh.nix
new file mode 100644
index 0000000..0ded042
--- /dev/null
+++ b/nixos/modules/nixos/system/openssh.nix
@@ -0,0 +1,40 @@
+{ lib
+, config
+, ...
+}:
+let
+ cfg = config.modules.services.openssh;
+in
+{
+ options.modules.services.openssh = {
+ enable = lib.mkEnableOption "openssh";
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.openssh = {
+ enable = true;
+ # TODO: Enable this when option becomes available
+ # Don't allow home-directory authorized_keys
+ # authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
+ settings = {
+ # Harden
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ # Automatically remove stale sockets
+ StreamLocalBindUnlink = "yes";
+ # Allow forwarding ports to everywhere
+ GatewayPorts = "clientspecified";
+ };
+ };
+
+ # Passwordless sudo when SSH'ing with keys
+ security.pam.enableSSHAgentAuth = true;
+ # TODO: Enable this when option becomes available
+ # security.pam.sshAgentAuth = {
+ # enable = true;
+ # authorizedKeysFiles = [
+ # "/etc/ssh/authorized_keys.d/%u"
+ # ];
+ # };
+ };
+}
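Review bot: `imports = [ ./system ];` in nixos/modules/nixos/default.nix imports a directory, which Nix resolves to `system/default.nix`, but the file this patch creates (next hunk, and the diffstat) is `nixos/modules/nixos/system/defaut.nix`, so I'd expect the import to fail with a file-not-found error. Rename `defaut.nix` to `default.nix`, or import `./system/defaut.nix` explicitly until it is renamed.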
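Review bot: `PasswordAuthentication = false;` under `# Harden` does not fully disable password logins on NixOS, because `services.openssh.settings.KbdInteractiveAuthentication` defaults to true and sshd will still accept a password via keyboard-interactive through PAM; add `KbdInteractiveAuthentication = false;` alongside it. `GatewayPorts = "clientspecified";` lets a client bind remote-forwarded ports on non-loopback addresses, which exposes the forwarded service to the network, so the comment should state that consequence, e.g. `# Let clients bind remote forwards on any interface (reachable beyond localhost)`, and the setting is a candidate for its own opt-in option rather than a default of the module. `security.pam.enableSSHAgentAuth = true;` grants passwordless sudo to any key the user can place in their own `~/.ssh/authorized_keys`; the TODO about restricting to `/etc/ssh/authorized_keys.d/%u` already records that, but it would be clearer as a comment directly above the `security.pam` line than buried in the `services.openssh` block.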