From 72ed799826a5063879de94994492838236a8736a Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Wed, 7 Jan 2026 20:40:09 +0100
Subject: [PATCH] nebula/sshd: Only allow key auth
---
 modules/home/programs/git.nix | 12 ++++------
 modules/home/programs/ssh.nix | 29 +++++++++++++++++++++++++
 modules/system/services/nebula/sshd.nix | 23 ++++++++++++++++++--
 users/seb/@desktop/keys/ssh.pub | 1 +
 users/seb/@laptop/keys/ssh.pub | 1 +
 users/seb/home.nix | 1 +
 6 files changed, 57 insertions(+), 10 deletions(-)
 create mode 100644 modules/home/programs/ssh.nix
 create mode 100644 users/seb/@desktop/keys/ssh.pub
 create mode 100644 users/seb/@laptop/keys/ssh.pub
diff --git a/modules/home/programs/git.nix b/modules/home/programs/git.nix
index 176e4a5..a2488f7 100644
--- a/modules/home/programs/git.nix
+++ b/modules/home/programs/git.nix
@@ -39,15 +39,11 @@
 };
 };
- ssh = {
- enable = true;
- enableDefaultConfig = false;
- matchBlocks = config.custom.sops.secrets.ssh-key |> lib.mapAttrs (name: _: { identityFile = config.sops.secrets."ssh-key/${name}".path; });
- };
-
 lazygit.enable = true;
+
+ ssh.matchBlocks = config.custom.sops.secrets.ssh-key |> lib.mapAttrs (name: _: { identityFile = config.sops.secrets."ssh-key/${name}".path; });
 };
 };
 }
diff --git a/modules/home/programs/ssh.nix b/modules/home/programs/ssh.nix
new file mode 100644
index 0000000..a82fd05
--- /dev/null
+++ b/modules/home/programs/ssh.nix
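Review bot: The relocated `ssh.matchBlocks` assignment after `lazygit.enable = true;` still writes identity-file match blocks into `programs.ssh`, but the `programs.ssh.enable = true` that used to sit beside it now lives in the new ssh module behind `custom.programs.ssh.enable`, so a host that enables git without that module gets match blocks on a disabled program that are silently ignored and the sops-managed keys never reach ssh_config. Gating the assignment with `ssh.matchBlocks = lib.mkIf config.custom.programs.ssh.enable (...)` or adding an assertion tying the two options together makes the dependency explicit; this assumes both home modules are always imported together, which the diff does not show. Each block is keyed by the sops secret name with only `identityFile` set, so a short comment such as `# one match block per sops ssh-key secret; presumably the block name doubles as the Host pattern` would help the next reader. The enclosing attribute set starts outside the hunk.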
@@ -0,0 +1,29 @@
+{
+ config,
+ self,
+ lib,
+ ...
+}@moduleArgs:
+let
+ cfg = config.custom.programs.ssh;
+in
+{
+ options.custom.programs.ssh = {
+ enable = lib.mkEnableOption "";
+ hostName = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = moduleArgs.osConfig.networking.hostName or "";
+ };
+ publicKeyPath = lib.mkOption {
+ type = lib.types.path;
+ default = "${self}/users/${config.home.username}/@${cfg.hostName}/keys/ssh.pub";
+ };
+ };
+
+ config = lib.mkIf config.custom.programs.ssh.enable {
+ programs.ssh = {
+ enable = true;
+ enableDefaultConfig = false;
+ };
+ };
+}
diff --git a/modules/system/services/nebula/sshd.nix b/modules/system/services/nebula/sshd.nix
index 3164c45..eba37e7 100644
--- a/modules/system/services/nebula/sshd.nix
+++ b/modules/system/services/nebula/sshd.nix
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+ config,
+ self,
+ lib,
+ ...
+}:
 let
 cfg = config.custom.services.nebula.node;
 in
@@ -25,13 +30,18 @@ in
 addr = cfg.address;
 inherit (cfg.sshd) port;
 };
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ };
 };
 nebula.networks.mesh.firewall.inbound =
 config.custom.services.nebula.peers
 |> lib.filter (node: node.isClient)
 |> lib.map (nebula: {
- port = "22";
+ inherit (cfg.sshd) port;
 proto = "tcp";
 host = nebula.name;
 });
@@ -41,5 +51,14 @@ in
 requires = [ "nebula@mesh.service" ];
 after = [ "nebula@mesh.service" ];
 };
+
+ users.users.seb.openssh.authorizedKeys.keyFiles = self.nixosConfigurations |> lib.filterAttrs (name: _: name != config.networking.hostName) |> lib.attrValues |> lib.filter (value: value.config |> lib.hasAttr "home-manager") |> lib.map (value: value.config.home-manager.users.seb.custom.programs.ssh) |> lib.filter (ssh: ssh.enable) |> lib.map (ssh: ssh.publicKeyPath);
 };
 }
diff --git a/users/seb/@desktop/keys/ssh.pub b/users/seb/@desktop/keys/ssh.pub
new file mode 100644
index 0000000..82cd334
--- /dev/null
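Review bot: `hostName` defaults to `moduleArgs.osConfig.networking.hostName or ""`, so in a home-manager evaluation without `osConfig` it becomes `""`, which `lib.types.nonEmptyStr` rejects — but only when `publicKeyPath` is forced, and in this commit that happens from other hosts' nebula sshd modules, so the failure would surface as an evaluation error on an unrelated host. Dropping the `or ""` fallback lets a missing `osConfig` fail at the definition site with a clear message, or, if standalone use is intended, make `hostName` a required option with no default. Neither option has a `description`; since `publicKeyPath` is what every other nebula node turns into an `authorizedKeys` entry for this user, it warrants one, e.g. `description = "Public key of this user on this host; other nodes' nebula sshd module reads it as an authorized key, so the file must exist in the flake source.";`. `lib.types.path` does not verify the file exists, so a mistyped host name or missing `keys/ssh.pub` presumably only shows up when the importing host builds its authorized-keys file.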
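Review bot: In the new `authorizedKeys.keyFiles` pipeline the `lib.filter (value: value.config |> lib.hasAttr "home-manager")` stage only checks that home-manager is present, while the following `lib.map` dereferences `.users.seb.custom.programs.ssh` unconditionally, so any nixosConfiguration that has home-manager but no `seb` user (or not this ssh module) aborts evaluation of every node importing sshd.nix. A tighter guard is `|> lib.filter (value: value.config ? home-manager.users.seb.custom.programs.ssh)`, which also replaces the separate `hasAttr`. The trust boundary this creates deserves a comment: whatever key sits at another host's `publicKeyPath` is authorized to log in as `seb` on every nebula node, including keys of hosts that are not `isClient` and are kept out only by the inbound firewall rule in the hunk above, e.g. `# every other host in the flake with custom.programs.ssh enabled is trusted to log in as seb`. The `settings` hunk disables password and keyboard-interactive auth and root login, matching the commit title, and leaves public-key auth on by default. Evaluating other hosts' `config` from inside this one is lazy and presumably terminates, but it couples each host's evaluation to all the others.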
+++ b/users/seb/@desktop/keys/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBUORYC3AvTPQmtUEApTa9DvHoJy4mjuQy8abSjCcDd seb@desktop
diff --git a/users/seb/@laptop/keys/ssh.pub b/users/seb/@laptop/keys/ssh.pub
new file mode 100644
index 0000000..4cff3a0
--- /dev/null
+++ b/users/seb/@laptop/keys/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID1WFOdZCvfb1ZRycBGK0x+3viQpkkl6CQ3cV/Mf3gAJ seb@laptop
diff --git a/users/seb/home.nix b/users/seb/home.nix
index b0965b0..7aaee10 100644
--- a/users/seb/home.nix
+++ b/users/seb/home.nix
@@ -27,6 +27,7 @@
 aliases.enable = true;
 direnv.enable = true;
 };
+ ssh.enable = true;
 git.enable = true;
 kitty.enable = true;
 vscode.enable = true;