-rw-r--r--hosts/eostre/default.nix11
-rw-r--r--hosts/sif/default.nix8
-rw-r--r--hosts/surtr/default.nix2
-rw-r--r--hosts/vidhar/default.nix4
-rw-r--r--system-profiles/initrd-ssh/module.nix2
-rw-r--r--system-profiles/openssh/default.nix44
6 files changed, 56 insertions, 15 deletions
diff --git a/hosts/eostre/default.nix b/hosts/eostre/default.nix
index 01dee9ae..2752d136 100644
--- a/hosts/eostre/default.nix
+++ b/hosts/eostre/default.nix
@@ -4,7 +4,7 @@ with lib;
4 4
5{ 5{
6 imports = with flake.nixosModules.systemProfiles; [ 6 imports = with flake.nixosModules.systemProfiles; [
7 default-locale nfsroot 7 default-locale nfsroot openssh
8 ]; 8 ];
9 9
10 config = { 10 config = {
@@ -96,5 +96,14 @@ with lib;
96 96
97 videoDrivers = [ "nvidia" ]; 97 videoDrivers = [ "nvidia" ];
98 }; 98 };
99
100
101 services.openssh = {
102 enable = true;
103 settings = {
104 PasswordAuthentication = true;
105 KbdInteractiveAuthentication = true;
106 };
107 };
99 }; 108 };
100} 109}
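Review bot: The new services.openssh block sets PasswordAuthentication = true and KbdInteractiveAuthentication = true as plain values, which override the openssh profile's mkDefault false for the whole host, and nothing in this hunk restricts which accounts or source addresses may use password login (the hunk shows no AllowGroups/AllowUsers or Match scope for this host; the enclosing config block continues outside it). The same block is added to hosts/sif/default.nix in this commit. If password login is only needed for a specific account or network, scoping the two directives inside a `Match Address <lan-cidr>` (placeholder) or `Match User <name>` block in extraConfig would keep the host-wide default at no. At minimum a one-line comment above the block, e.g. `# password login intentionally enabled here: overrides the openssh profile's mkDefault false`, would tell the next reader that this is deliberate rather than a leftover.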
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 4c405436..ca2f183b 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -298,7 +298,13 @@ in {
298 after = ["dnsmasq.service" "sys-subsystem-net-devices-virbr0.device"]; 298 after = ["dnsmasq.service" "sys-subsystem-net-devices-virbr0.device"];
299 }; 299 };
300 300
301 services.openssh.enable = true; 301 services.openssh = {
302 enable = true;
303 settings = {
304 PasswordAuthentication = true;
305 KbdInteractiveAuthentication = true;
306 };
307 };
302 308
303 powerManagement = { 309 powerManagement = {
304 enable = true; 310 enable = true;
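--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -135,8 +135,6 @@ with lib;
 
 services.openssh = {
 enable = true;
-passwordAuthentication = false;
-kbdInteractiveAuthentication = false;
 extraConfig = ''
 AllowGroups ssh
 '';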
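--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -82,10 +82,6 @@ with lib;
 
 services.openssh = {
 enable = true;
-settings = {
-PasswordAuthentication = false;
-KbdInteractiveAuthentication = false;
-};
 extraConfig = ''
 AllowGroups ssh
 '';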
diff --git a/system-profiles/initrd-ssh/module.nix b/system-profiles/initrd-ssh/module.nix
index 18a50cbf..2e75a8c4 100644
--- a/system-profiles/initrd-ssh/module.nix
+++ b/system-profiles/initrd-ssh/module.nix
@@ -116,7 +116,7 @@ in
116 Port ${toString cfg.port} 116 Port ${toString cfg.port}
117 117
118 PasswordAuthentication no 118 PasswordAuthentication no
119 ChallengeResponseAuthentication no 119 KbdInteractiveAuthentication no
120 120
121 ${flip concatMapStrings cfg.hostKeys (path: '' 121 ${flip concatMapStrings cfg.hostKeys (path: ''
122 HostKey ${initrdKeyPath path} 122 HostKey ${initrdKeyPath path}
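Review bot: The keyword swap on line 119 of the generated initrd sshd_config is left unexplained, and a reader comparing it with older sshd_config examples may revert it; a comment in the template such as `# ChallengeResponseAuthentication is a deprecated alias of this since OpenSSH 8.7` would pin the intent. Both directives stay at no, so the initrd sshd continues to accept public-key authentication only, assuming nothing later in the template (which continues past the hunk) enables another method.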
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index cc4ecdf0..8f0bd11b 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -8,7 +8,7 @@ in {
8 options = { 8 options = {
9 services.openssh.staticHostKeys = mkOption { 9 services.openssh.staticHostKeys = mkOption {
10 type = types.bool; 10 type = types.bool;
11 default = true; 11 default = pathExists (./host-keys + "/${hostName}.yaml");
12 }; 12 };
13 }; 13 };
14 14
@@ -18,13 +18,45 @@ in {
18 services.openssh = mkIf cfg.enable { 18 services.openssh = mkIf cfg.enable {
19 hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually 19 hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
20 settings = { 20 settings = {
21 Ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ]; 21 Ciphers = [
22 Macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ]; 22 "chacha20-poly1305@openssh.com"
23 KexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]; 23 "aes256-gcm@openssh.com"
24 "aes256-ctr"
25 ];
26 Macs = [
27 "hmac-sha2-256-etm@openssh.com"
28 "hmac-sha2-256"
29 "hmac-sha2-512-etm@openssh.com"
30 "hmac-sha2-512"
31 ];
32 KexAlgorithms = [
33 "sntrup761x25519-sha512@openssh.com"
34 "curve25519-sha256"
35 "curve25519-sha256@libssh.org"
36 "diffie-hellman-group-exchange-sha256"
37 ];
38 HostKeyAlgorithms = concatStringsSep "," [
39 "sk-ssh-ed25519-cert-v01@openssh.com"
40 "ssh-ed25519-cert-v01@openssh.com"
41 "rsa-sha2-256-cert-v01@openssh.com"
42 "rsa-sha2-512-cert-v01@openssh.com"
43 "sk-ssh-ed25519@openssh.com"
44 "ssh-ed25519"
45 "rsa-sha2-256"
46 "rsa-sha2-512"
47 ];
48 CASignatureAlgorithms = concatStringsSep "," [
49 "sk-ssh-ed25519@openssh.com"
50 "ssh-ed25519"
51 "rsa-sha2-256"
52 "rsa-sha2-512"
53 ];
54
24 LogLevel = "VERBOSE"; 55 LogLevel = "VERBOSE";
25 HostKeyAlgorithms = "sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512";
26 CASignatureAlgorithms = "sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512";
27 RevokedKeys = "/etc/ssh/krl.bin"; 56 RevokedKeys = "/etc/ssh/krl.bin";
57
58 PasswordAuthentication = mkDefault false;
59 KbdInteractiveAuthentication = mkDefault false;
28 }; 60 };
29 moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path; 61 moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path;
30 extraConfig = '' 62 extraConfig = ''
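Review bot: The settings hunk encodes algorithm lists two different ways — Ciphers, Macs and KexAlgorithms as Nix lists, HostKeyAlgorithms and CASignatureAlgorithms joined with concatStringsSep "," — and nothing records why; as far as I recall the NixOS sshd module comma-joins only Ciphers, KexAlgorithms and Macs and renders other list-valued settings differently, so a later "cleanup" into plain lists could emit a sshd_config that sshd does not read as one algorithm list. A comment above HostKeyAlgorithms such as `# joined by hand: the NixOS sshd module only comma-joins Ciphers/Macs/KexAlgorithms (verify against the module version in use)` would protect that. It is also worth noting next to the new mkDefault lines that surtr and vidhar now rely on them for password login staying off (the commit drops their explicit false values), so the guarantee holds only for hosts that import this profile with cfg.enable, while eostre and sif override it to true. The services.openssh attribute set continues past the hunk (extraConfig).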