2019-08-11 19:53:02 +01:00
|
|
|
{ config, pkgs, lib, ... }:
|
|
|
|
|
|
|
|
|
|
{
|
2021-03-08 20:00:02 +00:00
|
|
|
# Make sure that the firewall is enabled, even if it's the default.
|
|
|
|
|
networking.firewall.enable = true;
|
2019-08-11 19:53:02 +01:00
|
|
|
|
2021-03-08 20:00:02 +00:00
|
|
|
# Allow password-less sudo for wheel users
|
|
|
|
|
security.sudo.enable = true;
|
|
|
|
|
security.sudo.wheelNeedsPassword = false;
|
|
|
|
|
|
2019-08-11 19:53:02 +01:00
|
|
|
# Dont let users create their own authorized keys files
|
|
|
|
|
services.openssh.authorizedKeysFiles = lib.mkForce [
|
|
|
|
|
"/etc/ssh/authorized_keys.d/%u"
|
|
|
|
|
];
|
|
|
|
|
|
2022-01-29 10:44:38 +01:00
|
|
|
services.openssh.kbdInteractiveAuthentication = false;
|
2019-08-11 19:53:02 +01:00
|
|
|
services.openssh.passwordAuthentication = false;
|
|
|
|
|
|
2022-01-29 10:46:10 +01:00
|
|
|
programs.ssh.knownHosts = {
|
|
|
|
|
github-rsa = {
|
|
|
|
|
extraHostNames = [ "github.com" ];
|
|
|
|
|
publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
|
|
|
|
|
};
|
|
|
|
|
github-ed25519 = {
|
|
|
|
|
extraHostNames = [ "github.com" ];
|
|
|
|
|
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2019-08-11 19:53:02 +01:00
|
|
|
# Ban brute force SSH
|
|
|
|
|
services.fail2ban.enable = true;
|
|
|
|
|
}
|
