From e03c72552e33e83c5f271f4889a27da935ff2a68 Mon Sep 17 00:00:00 2001 From: tux Date: Wed, 6 May 2026 21:22:24 +0530 Subject: [PATCH] refactor: ssh config --- modules/hosts/sirius/config.nix | 42 +++------------------ modules/nixos/networking/ssh.nix | 65 ++++++++++++++++++++++++++++++++ 2 files changed, 71 insertions(+), 36 deletions(-) create mode 100644 modules/nixos/networking/ssh.nix diff --git a/modules/hosts/sirius/config.nix b/modules/hosts/sirius/config.nix index 728d9d1..bf0322e 100644 --- a/modules/hosts/sirius/config.nix +++ b/modules/hosts/sirius/config.nix @@ -11,7 +11,12 @@ }: { - imports = with config.flake.modules.nixos; [ desktop ]; + imports = with config.flake.modules.nixos; [ + networking + desktop + ]; + + tnix.services.openssh.enable = true; # --- Boot --- boot = { @@ -62,41 +67,6 @@ services.xserver.videoDrivers = [ "nvidia" ]; - # --- SSH --- - services.openssh = { - enable = true; - startWhenNeeded = true; - allowSFTP = true; - settings = { - PermitRootLogin = "no"; - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - AuthenticationMethods = "publickey"; - PubkeyAuthentication = "yes"; - UsePAM = false; - UseDns = false; - X11Forwarding = false; - ClientAliveCountMax = 5; - ClientAliveInterval = 60; - - KexAlgorithms = [ - "curve25519-sha256" - "curve25519-sha256@libssh.org" - "diffie-hellman-group16-sha512" - "diffie-hellman-group18-sha512" - "sntrup761x25519-sha512@openssh.com" - "diffie-hellman-group-exchange-sha256" - "mlkem768x25519-sha256" - "sntrup761x25519-sha512" - ]; - Macs = [ - "hmac-sha2-512-etm@openssh.com" - "hmac-sha2-256-etm@openssh.com" - "umac-128-etm@openssh.com" - ]; - }; - }; - # --- Programs --- programs.firefox.enable = true; diff --git a/modules/nixos/networking/ssh.nix b/modules/nixos/networking/ssh.nix new file mode 100644 index 0000000..15331f5 --- /dev/null +++ b/modules/nixos/networking/ssh.nix 
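Review bot: Switching this host to `tnix.services.openssh.enable = true` also pulls in `programs.ssh.startAgent = true` from the new module, which the inline block this replaces never set, so the commit is not a pure refactor for sirius: an ssh-agent is now started for user sessions. If that is wanted, say so beside the enable line, e.g. `# also starts ssh-agent for user sessions (see modules/nixos/networking/ssh.nix)`; otherwise gate the agent behind its own option in the module so the server switch stays server-only. The listening port is unchanged, since the option's default is `[ 22 ]`.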
@@ -0,0 +1,65 @@
+{
+ flake.modules.nixos.networking =
+ {
+ config,
+ lib,
+ ...
+ }:
+ with lib;
+ let
+ cfg = config.tnix.services.openssh;
+ in
+ {
+ options.tnix.services.openssh = {
+ enable = mkEnableOption "Enable OpenSSH server";
+
+ ports = mkOption {
+ type = types.listOf types.port;
+ default = [ 22 ];
+ description = ''
+ Specifies on which ports the SSH daemon listens.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ programs.ssh.startAgent = true;
+
+ services.openssh = {
+ enable = true;
+ startWhenNeeded = true;
+ allowSFTP = true;
+ ports = cfg.ports;
+
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ AuthenticationMethods = "publickey";
+ PubkeyAuthentication = "yes";
+ ChallengeResponseAuthentication = "no";
+ UsePAM = false;
+ UseDns = false;
+ X11Forwarding = false;
+ KexAlgorithms = [
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ "diffie-hellman-group16-sha512"
+ "diffie-hellman-group18-sha512"
+ "sntrup761x25519-sha512@openssh.com"
+ "diffie-hellman-group-exchange-sha256"
+ "mlkem768x25519-sha256"
+ "sntrup761x25519-sha512"
+ ];
+ Macs = [
+ "hmac-sha2-512-etm@openssh.com"
+ "hmac-sha2-256-etm@openssh.com"
+ "umac-128-etm@openssh.com"
+ ];
+ ClientAliveCountMax = 5;
+ ClientAliveInterval = 60;
+ };
+ };
+ };
+ };
+}
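Review bot: `UsePAM = false` is now the shared default for every host importing `networking`, and as far as I can tell it means sshd never runs the PAM account/session stack for SSH logins — no pam_systemd/logind session, and no PAM-level lockouts or limits apply — which the module should state, e.g. `# Pubkey-only: PAM is bypassed on purpose, so SSH logins get no logind session` above the `UsePAM` line. `mkEnableOption "Enable OpenSSH server"` renders as "Whether to enable Enable OpenSSH server." in the generated option docs; write `mkEnableOption "the OpenSSH server"`. `ChallengeResponseAuthentication = "no"` is the deprecated alias of `KbdInteractiveAuthentication`, already set three lines above, and the block mixes `false` with `"no"`/`"yes"` — drop the alias and use one form. The KexAlgorithms list names `mlkem768x25519-sha256` and the un-suffixed `sntrup761x25519-sha512`, which only OpenSSH 9.9 and later recognise; an unknown name is a fatal "Bad SSH2 KexAlgorithms" at sshd startup, so the module silently requires a recent `services.openssh.package`.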