~cyplo/dotfiles

ref: 077d5b46ab8e0f39f9ff80865df09e222dc4d01a dotfiles/nixos/server-security.nix -rw-r--r-- 1022 bytes
077d5b46 — Cyryl Płotnicki nvidia drivers for foureighty 6 months ago
                                                                                
# NixOS module for server hosts: pulls in ./security.nix, configures the ACME
# account, enables fail2ban, and exposes OpenSSH with key-only authentication.
{ config, pkgs, ... }:
let
  # Public keys accepted over SSH. This one list is installed for BOTH root
  # and nix-builder below, so every key in it (including the two
  # nix-builder@... keys) can open a root session.
  # NOTE(review): if the nix-builder@... keys only need to run remote builds,
  # a separate list for them would keep them out of root's authorized keys;
  # confirm against how deployments are actually run before splitting.
  sshPublicKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5Ejx5CAPUfHVXi4GL4WmnZaG8eiiOmsW/a0o1bs1GF cyryl@foureighty"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDN/2C59i+ucvSa9FLCHlVPJp0zebLOcw0+hnBYwy0cY cyryl@skinnyv"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwZ4M6lT2yzg8iarCzsLADAuXS4BUkLTt1+mKCECczk nix-builder@brix"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALNEUIxbENTdhSWzYupGFn/q+AGe0diBOTMyiZAmv7F nix-builder@vultr1"
  ];
in
  {
    imports = [
      ./security.nix
    ];

    # ACME (certificate issuance) account contact and terms acceptance.
    security.acme = {
      email = "admin@cyplo.dev";
      acceptTerms = true;
    };

    services = {
      fail2ban.enable = true;

      openssh = {
        enable = true;
        # Root may log in, but never with a password (keys only).
        permitRootLogin = "prohibit-password";
        # Password logins are disabled for every account, not just root.
        passwordAuthentication = false;
      };
    };

    users.extraUsers.root.openssh.authorizedKeys.keys = sshPublicKeys;
    users.users.nix-builder = {
      isNormalUser = true;
      openssh.authorizedKeys.keys = sshPublicKeys;
    };

    # Trusted users may override Nix daemon settings; the Nix manual describes
    # this as essentially equivalent to root access, so any key that can log in
    # as nix-builder carries that level of trust on this host.
    nix.trustedUsers = [ "root" "nix-builder" ];
  }