Adjust sshd settings

Allow root login via key only Prune number of authorised keys
2023-10-22 06:52:38 +01:00 · 2023-10-22 06:52:38 +01:00 · 7538f6bd4b
parent 64109cf380
commit 7538f6bd4b
3 changed files with 14 additions and 11 deletions
--- a/flake.nix
+++ b/flake.nix
@ -167,8 +167,17 @@
                  };
                };
              };
-              users.users = {
-                root.shell = pkgs.${shell};
+              users.users = let
+                authorizedKeys.keys = [
+                  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINI1dWlS16Keil0MGPWmMsBzx8F9ylfz+fRwxUr8/tZ/ ion"
+                  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANfkqd5lPTsSPU3SRYnAa1UjCYDmDeBTyzq5McmWlm6 xenia@Vanguard"
+                  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ/ZSSCN5sqrA+tdoIZr5EUm5DRuBV4dQ7J+QBEtUwUU xenia@Northstar"
+                ];
+              in {
+                root = {
+                  shell = pkgs.${shell};
+                  openssh = { inherit authorizedKeys; };
+                };
                ${user} = {
                  inherit group;
                  isNormalUser = true;
@ -177,13 +186,7 @@
                  shell = pkgs.${shell};
                  initialHashedPassword =
                    "$y$j9T$tHIPQt09Kf3KH2eIRze3g/$2mwSlcq27DTGvHNPJ5EP9/1CfL3bXP0F6oS/Vuffmn3";
-                  openssh.authorizedKeys.keys = [
-                    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANfkqd5lPTsSPU3SRYnAa1UjCYDmDeBTyzq5McmWlm6 xenia@Vanguard"
-                    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINI1dWlS16Keil0MGPWmMsBzx8F9ylfz+fRwxUr8/tZ/ ion"
-                    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDI44C35I2x9tqzeZDmIpbzmGJWXfATn/Wp5KzVRdlCi root@debian"
-                    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKMVEXJTqWkrpmvinPJGsSvome9bCd0CM4iu13aVG6UZ elitherl@Ronin"
-                    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ/ZSSCN5sqrA+tdoIZr5EUm5DRuBV4dQ7J+QBEtUwUU xenia@Northstar"
-                  ];
+                  openssh = { inherit authorizedKeys; };
                };
              };
              home-manager = {
--- a/home/default.nix
+++ b/home/default.nix
@ -61,7 +61,7 @@
      matchBlocks = {
        "git*".user = "git";
        "legion" = {
-          user = "xenia";
+          user = "root";
          hostname = "192.168.1.230";
        };
        "ionos" = {
--- a/services/sshd/default.nix
+++ b/services/sshd/default.nix
@ -6,7 +6,7 @@
    ports = [ 22 ];
    settings = {
      UseDns = true;
-      PermitRootLogin = "no";
+      PermitRootLogin = "without-password";
      PasswordAuthentication = false;
      GatewayPorts = "yes";
      LogLevel = "VERBOSE";