grimm-nixos-laptop/hardening/ssh-as-sudo.nix

{ pkgs, lib, ... }:
{
  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
    # settings.UsePAM = false;
    openFirewall = lib.mkDefault false;
    allowSFTP = lib.mkDefault false;
    # startWhenNeeded = true;
  };

  users.users.root = {
    # isSystemUser = true;
    # isNormalUser = true;
    uid = 0;
    openssh.authorizedKeys.keyFiles = [ ../ssh/id_ed25519_sk.pub ];
    # home = "/root";
    hashedPassword = null;
    createHome = lib.mkForce true;
  };

  programs.ssh.startAgent = true;
  # security.sudo.enable = false;
  # services.yubikey-agent.enable = true;
}
hardening WIP 2025-01-03 15:57:36 +01:00			`{ pkgs, lib, ... }:`
			`{`
			`services.openssh = {`
			`enable = true;`
			`settings.PasswordAuthentication = false;`
			`# settings.UsePAM = false;`
			`openFirewall = lib.mkDefault false;`
			`allowSFTP = lib.mkDefault false;`
			`# startWhenNeeded = true;`
			`};`

			`users.users.root = {`
			`# isSystemUser = true;`
			`# isNormalUser = true;`
			`uid = 0;`
			`openssh.authorizedKeys.keyFiles = [ ../ssh/id_ed25519_sk.pub ];`
			`# home = "/root";`
			`hashedPassword = null;`
			`createHome = lib.mkForce true;`
			`};`

			`programs.ssh.startAgent = true;`
			`# security.sudo.enable = false;`
			`# services.yubikey-agent.enable = true;`
			`}`