55 lines
1.1 KiB
Nix
55 lines
1.1 KiB
Nix
{lib, ...}: {
|
|
networking.firewall = {
|
|
allowedTCPPorts = [
|
|
22
|
|
];
|
|
};
|
|
|
|
security = {
|
|
# accept Lets Encrypt's security policy
|
|
acme = {
|
|
acceptTerms = true;
|
|
defaults.email = "them@dobutterfliescry.net";
|
|
};
|
|
|
|
sudo = {
|
|
enable = true;
|
|
wheelNeedsPassword = true;
|
|
};
|
|
# allow SSH keys for passwordless auth
|
|
pam = {
|
|
sshAgentAuth.enable = true;
|
|
services.sudo.sshAgentAuth = true; # pam_ssh_agent_auth module
|
|
};
|
|
};
|
|
|
|
services = {
|
|
openssh = {
|
|
enable = true;
|
|
ports = [22];
|
|
settings = {
|
|
PasswordAuthentication = false;
|
|
PermitRootLogin = "no";
|
|
AllowUsers = ["cry"]; # DO NOT ALLOW ALL
|
|
UseDns = true;
|
|
X11Forwarding = false;
|
|
};
|
|
};
|
|
};
|
|
|
|
users = {
|
|
users = {
|
|
# primary user
|
|
cry = {
|
|
isNormalUser = true;
|
|
home = "/home/cry";
|
|
extraGroups = ["wheel"];
|
|
openssh.authorizedKeys.keys = lib.mkOverride 900 [
|
|
(throw ''
|
|
Hosts in the `server` group must set `users.users.cry.openssh.authorizedKeys.keys = [ ... ]`.
|
|
'')
|
|
];
|
|
};
|
|
};
|
|
};
|
|
}
|