tux/tawm
1
0
Fork 0
mirror of https://github.com/tuxdotrs/tawm.git synced 2025-07-05 20:56:33 +05:30
Code Issues Packages Projects Releases Wiki Activity

refactor: seperate module for openssh

Browse Source
This commit is contained in:
tux
2025-02-22 08:11:40 +05:30
parent 0cd6576cdf
commit f2fbb6c47d
10 changed files with 87 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
hosts/alpha/default.nix
View File

@ -13,6 +13,8 @@
../../modules/nixos/upstream-proxy.nix ../../modules/nixos/upstream-proxy.nix
]; ];
tux.services.openssh.enable = true;
sops.secrets = { sops.secrets = {
borg_encryption_key = { borg_encryption_key = {
sopsFile = ./secrets.yaml; sopsFile = ./secrets.yaml;

2
hosts/arcturus/default.nix
View File

@ -32,6 +32,8 @@
../../modules/nixos/containers/cs2.nix ../../modules/nixos/containers/cs2.nix
]; ];
tux.services.openssh.enable = true;
sops.secrets = { sops.secrets = {
borg_encryption_key = { borg_encryption_key = {
sopsFile = ./secrets.yaml; sopsFile = ./secrets.yaml;

2
hosts/canopus/default.nix
View File

@ -21,6 +21,8 @@
../../modules/nixos/steam.nix ../../modules/nixos/steam.nix
]; ];
tux.services.openssh.enable = true;
nixpkgs.config.cudaSupport = true; nixpkgs.config.cudaSupport = true;
sops.secrets = { sops.secrets = {

2
hosts/capella/default.nix
View File

@ -15,6 +15,8 @@
../../modules/nixos/containers/cs2.nix ../../modules/nixos/containers/cs2.nix
]; ];
tux.services.openssh.enable = true;
sops.secrets = { sops.secrets = {
"cs2_secrets/SRCDS_TOKEN" = { "cs2_secrets/SRCDS_TOKEN" = {
sopsFile = ./secrets.yaml; sopsFile = ./secrets.yaml;

24
hosts/common/default.nix
View File

@ -3,21 +3,17 @@
username, username,
outputs, outputs,
config, config,
lib,
inputs, inputs,
email, email,
... ...
}: let }: {
# Sops needs acess to the keys before the persist dirs are even mounted; so
# just persisting the keys won't work, we must point at /persist
hasOptinPersistence = config.environment.persistence."/persist".enable;
in {
imports = [ imports = [
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
../../modules/nixos/fail2ban.nix ../../modules/nixos/fail2ban.nix
../../modules/nixos/sops.nix ../../modules/nixos/sops.nix
../../modules/nixos/networking/ssh.nix
]; ];
sops.secrets.tux-password = { sops.secrets.tux-password = {
@ -98,22 +94,6 @@ in {
}; };
}; };
services = {
openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
};
hostKeys = [
{
path = "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
};
users = { users = {
mutableUsers = false; mutableUsers = false;
defaultUserShell = pkgs.zsh; defaultUserShell = pkgs.zsh;

2
hosts/homelab/default.nix
View File

@ -19,6 +19,8 @@
../../modules/nixos/cyber-tux.nix ../../modules/nixos/cyber-tux.nix
]; ];
tux.services.openssh.enable = true;
sops.secrets = { sops.secrets = {
discord_token = { discord_token = {
sopsFile = ./secrets.yaml; sopsFile = ./secrets.yaml;

2
hosts/sirius/default.nix
View File

@ -12,6 +12,8 @@
../../modules/nixos/virtualisation/docker.nix ../../modules/nixos/virtualisation/docker.nix
]; ];
tux.services.openssh.enable = true;
boot.binfmt.emulatedSystems = ["aarch64-linux"]; boot.binfmt.emulatedSystems = ["aarch64-linux"];
nixpkgs = { nixpkgs = {

2
hosts/vega/default.nix
View File

@ -10,6 +10,8 @@
../../modules/nixos/adguard.nix ../../modules/nixos/adguard.nix
]; ];
tux.services.openssh.enable = true;
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [
"usbhid" "usbhid"
"usb_storage" "usb_storage"

2
hosts/vps/default.nix
View File

@ -14,6 +14,8 @@
../common ../common
]; ];
tux.services.openssh.enable = true;
nixpkgs = { nixpkgs = {
hostPlatform = "x86_64-linux"; hostPlatform = "x86_64-linux";
}; };

69
modules/nixos/networking/ssh.nix Normal file
View File

@ -0,0 +1,69 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.tux.services.openssh;
# Sops needs acess to the keys before the persist dirs are even mounted; so
# just persisting the keys won't work, we must point at /persist
hasOptinPersistence = config.environment.persistence."/persist".enable;
in {
options.tux.services.openssh = {
enable = mkEnableOption "Enable OpenSSH server";
ports = mkOption {
type = types.listOf types.port;
default = [22];
description = ''
Specifies on which ports the SSH daemon listens.
'';
};
};
config = mkIf cfg.enable {
services.openssh = {
enable = true;
startWhenNeeded = true;
allowSFTP = true;
ports = cfg.ports;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
AuthenticationMethods = "publickey";
PubkeyAuthentication = "yes";
ChallengeResponseAuthentication = "no";
UsePAM = false;
UseDns = false;
X11Forwarding = false;
KexAlgorithms = [
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group16-sha512"
"diffie-hellman-group18-sha512"
"sntrup761x25519-sha512@openssh.com"
"diffie-hellman-group-exchange-sha256"
"mlkem768x25519-sha256"
"sntrup761x25519-sha512"
];
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
];
ClientAliveCountMax = 5;
ClientAliveInterval = 60;
};
hostKeys = [
{
path = "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
};
}