diff options
author | ene <ene@sils.li> | 2023-01-07 21:06:45 +0100 |
---|---|---|
committer | ene <ene@sils.li> | 2023-01-07 21:06:45 +0100 |
commit | 78aae0bda1053235c0fc43556dbd0b58fd4aea8b (patch) | |
tree | 6745f07b44524b73ece4244e6318bdecdd10da9c /configuration.nix | |
parent | Format: First formatting with Alejandra (diff) | |
download | nixos-server-78aae0bda1053235c0fc43556dbd0b58fd4aea8b.tar.gz nixos-server-78aae0bda1053235c0fc43556dbd0b58fd4aea8b.zip |
Feat: Some security for ssh
Yes, root login is in itself a bad thing, but reducing the attack surface somewhat should be a good first step to a bright future.
Diffstat (limited to 'configuration.nix')
-rw-r--r-- | configuration.nix | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/configuration.nix b/configuration.nix index dd6b7a8..852a6ee 100644 --- a/configuration.nix +++ b/configuration.nix @@ -2,19 +2,25 @@ imports = [ ./hardware-configuration.nix ./packages.nix - ./networking.nix # generated at runtime by nixos-infect + ./networking.nix # network configuration that just works ]; boot.cleanTmpDir = true; zramSwap.enable = true; networking.hostName = "server1"; networking.domain = "vhack.eu"; - services.openssh.enable = true; + + # openssh config + services.openssh = { + enable = true; + passwordAuthentication = false; + extraConfig = "PrintMotd yes\n"; # this could be done with pam + }; users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2mYuiOuIb13E3wJRYPHOFN/dR5ySFozG2I/18HBSRJ dt@DESKTOP-IDOHVE" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" ]; system.stateVersion = "22.11"; } +# vim: ts=2 |