mirror of
https://github.com/gensokyo-zone/infrastructure.git
synced 2026-02-10 04:49:19 -08:00
41 lines
1 KiB
Nix
41 lines
1 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
...
|
|
}: let
|
|
inherit (lib.modules) mkIf mkDefault;
|
|
inherit (lib.lists) head;
|
|
cfg = config.services.openssh;
|
|
publicPort = 62954;
|
|
in {
|
|
/*
|
|
security.pam.services.sshd.text = mkDefault (mkAfter ''
|
|
session required pam_exec.so ${katnotify}/bin/notify
|
|
'');
|
|
*/
|
|
|
|
services.openssh = {
|
|
enable = mkDefault true;
|
|
ports = [publicPort 22];
|
|
openFirewall = mkDefault false;
|
|
settings = {
|
|
PasswordAuthentication = mkDefault false;
|
|
KbdInteractiveAuthentication = mkDefault false;
|
|
PermitRootLogin = mkDefault "prohibit-password";
|
|
KexAlgorithms = ["curve25519-sha256@libssh.org"];
|
|
PubkeyAcceptedAlgorithms = mkDefault "+ssh-rsa";
|
|
StreamLocalBindUnlink = mkDefault "yes";
|
|
LogLevel = mkDefault "VERBOSE";
|
|
};
|
|
};
|
|
networking.firewall = {
|
|
allowedTCPPorts = [publicPort];
|
|
interfaces.local.allowedTCPPorts = [22];
|
|
};
|
|
|
|
programs.mosh.enable = true;
|
|
|
|
boot.initrd.network.ssh = mkIf cfg.enable {
|
|
port = mkDefault (head cfg.ports);
|
|
};
|
|
}
|