45 lines
963 B
Nix
45 lines
963 B
Nix
|
{ config, pkgs, ... }:
|
||
|
|
|
||
|
|
let
|
||
|
|
keys = [
|
||
|
|
];
|
||
|
|
|
||
|
|
root.password = config.sops.secrets.password-root.path;
|
||
|
|
in {
|
||
|
|
|
||
|
|
sops.secrets = let def = { neededForUsers = true; };
|
||
|
|
in {
|
||
|
|
"password-root" = def;
|
||
|
|
};
|
||
|
|
|
||
|
|
services.openssh = {
|
||
|
|
enable = true;
|
||
|
|
settings.PermitRootLogin = "no";
|
||
|
|
};
|
||
|
|
|
||
|
|
# protect from ssh spammers
|
||
|
|
services.sshguard.enable = true;
|
||
|
|
|
||
|
|
# disable kernel from logging REFUSED CONNECTIONS messages when we actually drop this traffic
|
||
|
|
networking.firewall.logRefusedConnections = false;
|
||
|
|
|
||
|
|
# enable mosh and open firewall ports
|
||
|
|
programs.mosh.enable = true;
|
||
|
|
|
||
|
|
security.sudo.wheelNeedsPassword = false;
|
||
|
|
|
||
|
|
users.mutableUsers = false;
|
||
|
|
|
||
|
|
users.users.root = {
|
||
|
|
hashedPasswordFile = root.password;
|
||
|
|
openssh.authorizedKeys.keys = keys;
|
||
|
|
};
|
||
|
|
|
||
|
|
# users.users.<username> = {
|
||
|
|
# isNormalUser = true;
|
||
|
|
# extraGroups = [ "wheel" ];
|
||
|
|
# hashedPasswordFile = <username.password>;
|
||
|
|
# openssh.authorizedKeys.keys = <username.keys>;
|
||
|
|
# };
|
||
|
|
}
|