
* keep ./services for instances; ./profiles is for config-only modules. ./services are like profiles, but configure a single instance of a service. Those are fronted by Nginx as the load balancer and have a DNS entry as well. * ci: build build03 as well * move hydra to services * move matterbridge to services * move marvin-mk2 to services * build01: share the remaining profiles * build02: use the nix-community-cache * fixup kexec * rename profiles to roles * README: sync with reality
{ config, pkgs, lib, ... }:

# Baseline SSH and sudo hardening shared by every host that imports this module:
# key-only SSH logins, system-managed authorized_keys, sudo via the forwarded
# SSH agent, host firewall on, and fail2ban watching sshd.
{
  # sudo authenticates against the caller's forwarded SSH agent instead of a
  # password, so members of wheel must log in over ssh with an agent and have
  # agent forwarding enabled for that host.
  # NOTE(review): a forwarded agent is reachable by root on this host for the
  # lifetime of the session, so only forward to hosts already trusted with it.
  security.pam.enableSSHAgentAuth = true;
  security.pam.services.sudo.sshAgentAuth = true;

  services.openssh = {
    # sshd only consults the system-managed per-user file; mkForce replaces
    # the module's default list instead of merging with it, so users cannot
    # add keys of their own through ~/.ssh/authorized_keys.
    authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];

    # Key-based authentication only: neither passwords nor
    # challenge-response prompts are accepted.
    challengeResponseAuthentication = false;
    passwordAuthentication = false;
  };

  networking.firewall.enable = true;

  # Ban sources that repeatedly fail SSH authentication.
  services.fail2ban.enable = true;
}