
{
  lib,
  sshPort ? 22,
  ...
}: let
  # Cloudflare's public resolver pair.  (1.1.1.1 is the plain public
  # resolver; WARP is a separate client product and is not involved here.)
  # Nothing in this module enables DNS-over-TLS or DNS-over-HTTPS, so
  # queries leave the host in the clear unless another module sets that up.
  publicResolvers = [
    "1.1.1.1"
    "1.0.0.1"
  ];

  # sshd hardening: key-only authentication, no root login, no X11.
  sshdSettings = {
    PasswordAuthentication = false;
    PermitRootLogin = "no";
    # AllowUsers is NOT set, so every local account that has a key in its
    # authorized_keys can log in.  If only a fixed set of accounts should
    # reach this host, re-enable it with the real login names:
    # AllowUsers = ["cry"];
    # UseDns makes sshd reverse-resolve (and forward-confirm) every client
    # address before authentication.  OpenSSH's own default is "no"; the
    # setting only matters for hostname patterns in `from=` key options or
    # Match Host blocks, and it adds a DNS dependency (and delay) to every
    # login.  Consider false unless hostname-based restrictions are in use.
    UseDns = true;
    X11Forwarding = false;
    # NOTE(review): KbdInteractiveAuthentication is not set here.  NixOS is
    # believed to default it to false -- confirm for the target release,
    # otherwise PAM's keyboard-interactive path could still accept passwords.
  };
in {
  networking.networkmanager.enable = true;
  networking.nameservers = publicResolvers;

  # mkDefault lets a host-specific module disable the firewall without
  # needing mkForce.  The explicit sshPort entry is probably redundant with
  # the openssh module's openFirewall default (which opens services.openssh.ports),
  # but it is harmless and keeps the intent visible.
  networking.firewall.enable = lib.mkDefault true;
  networking.firewall.allowedTCPPorts = [sshPort];

  # Let's Encrypt: accepting the terms of service is mandatory for ACME to
  # evaluate; the address receives certificate expiry and policy notices.
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "them@dobutterfliescry.net";

  # wheel members must authenticate to sudo ...
  security.sudo.enable = true;
  security.sudo.wheelNeedsPassword = true;

  # ... but pam_ssh_agent_auth on the sudo PAM service lets a key served by a
  # forwarded SSH agent satisfy that prompt instead of a password.  Anyone
  # who can reach the forwarded agent socket (e.g. root on a hop you
  # forward through) can therefore sudo as you.  Only forward an agent to
  # hosts you trust, and keep ForwardAgent off by default in client config.
  # NOTE(review): newer NixOS renames enableSSHAgentAuth to
  # security.pam.sshAgentAuth.enable -- confirm against the target release.
  security.pam.enableSSHAgentAuth = true;
  security.pam.services.sudo.sshAgentAuth = true;

  services.openssh.enable = true;
  services.openssh.ports = [sshPort];
  services.openssh.settings = sshdSettings;
}