{ pkgs, lib, ... }:

{
  # OpenSSH server: public-key-only logins, every forwarding channel switched
  # off, and the NixOS-level toggles left overridable by other modules.
  services.openssh = {
    enable = true;

    # mkDefault lets another module flip these without a priority conflict.
    openFirewall = lib.mkDefault false;
    allowSFTP = lib.mkDefault false;
    # startWhenNeeded = true;

    settings = {
      # No password-based or interactive-prompt authentication of any kind.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      # Older spelling of the same knob; sshd treats keywords case-insensitively.
      challengeResponseAuthentication = false;
      # Left at the NixOS default here; root access still works through the
      # authorized key configured under users.users.root below.
      # PermitRootLogin = "no";
    };
    # settings.UsePAM = false;

    # Verbatim sshd_config lines (keywords are case-insensitive to sshd).
    # NOTE(review): `Protocol 2` is an obsolete keyword on modern OpenSSH and
    # is only logged and ignored; the banner is shown only if /etc/issue.net
    # exists on the host.
    extraConfig = ''
      allowtcpforwarding no
      X11Forwarding no
      AllowAgentForwarding no
      AllowStreamLocalForwarding no
      AuthenticationMethods publickey
      Protocol 2
      MaxAuthTries 4
      PermitEmptyPasswords no
      PermitUserEnvironment no
      MaxSessions 4
      LoginGraceTime 60
      ClientAliveCountMax 3
      ClientAliveInterval 15
      HostbasedAuthentication no
      IgnoreRhosts yes
      banner /etc/issue.net
      maxstartups 10:30:60
    '';
  };

  # root has no password hash at all (hashedPassword = null) and is reachable
  # over SSH only with the public key file referenced relative to this module.
  users.users.root = {
    uid = 0;
    hashedPassword = null;
    openssh.authorizedKeys.keyFiles = [ ../ssh/id_ed25519_sk.pub ];
    # mkForce overrides any other module that sets createHome for root.
    createHome = lib.mkForce true;
    # isSystemUser = true;
    # isNormalUser = true;
    # home = "/root";
  };

  # Client-side agent for this host's own outbound connections.
  programs.ssh.startAgent = true;

  # security.sudo.enable = false;
  # services.yubikey-agent.enable = true;
}