Feat: Some security for ssh

Yes, root login is in itself a bad thing, but reducing the attack surface somewhat should be a good first step to a bright future.
author: ene <ene@sils.li> 2023-01-07 21:06:45 +0100
committer: ene <ene@sils.li> 2023-01-07 21:06:45 +0100
commit: 78aae0bda1053235c0fc43556dbd0b58fd4aea8b (patch)
tree: 6745f07b44524b73ece4244e6318bdecdd10da9c
parent: Format: First formatting with Alejandra (diff)
download: nixos-server-78aae0bda1053235c0fc43556dbd0b58fd4aea8b.zip
1 files changed, 9 insertions, 3 deletions
diff --git a/configuration.nix b/configuration.nix
index dd6b7a8..852a6ee 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -2,19 +2,25 @@
   imports = [
     ./hardware-configuration.nix
     ./packages.nix
-    ./networking.nix # generated at runtime by nixos-infect
+    ./networking.nix # network configuration that just works
   ];
 
   boot.cleanTmpDir = true;
   zramSwap.enable = true;
   networking.hostName = "server1";
   networking.domain = "vhack.eu";
-  services.openssh.enable = true;
+
+  # openssh config
+  services.openssh = {
+    enable = true;
+    passwordAuthentication = false;
+    extraConfig = "PrintMotd yes\n"; # this could be done with pam
+  };
   users.users.root.openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2mYuiOuIb13E3wJRYPHOFN/dR5ySFozG2I/18HBSRJ dt@DESKTOP-IDOHVE"
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha"
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils"
   ];
 
   system.stateVersion = "22.11";
 }
+# vim: ts=2
author	ene <ene@sils.li>	2023-01-07 21:06:45 +0100
committer	ene <ene@sils.li>	2023-01-07 21:06:45 +0100
commit	78aae0bda1053235c0fc43556dbd0b58fd4aea8b (patch)
tree	6745f07b44524b73ece4244e6318bdecdd10da9c
parent	Format: First formatting with Alejandra (diff)
download	nixos-server-78aae0bda1053235c0fc43556dbd0b58fd4aea8b.zip