From f17a94c578b3de3e8f46cba68d0d596014514bbe Mon Sep 17 00:00:00 2001
From: clerie
Date: Sun, 16 Nov 2025 14:22:50 +0100
Subject: [PATCH] profiles/common-ssh: Migrate common SSH config to profile and pin SSH public hosts keys for net.clerie.de

---
 configuration/common/default.nix | 1 -
 configuration/common/ssh.nix | 16 ----------------
 profiles/common-ssh/default.nix | 29 +++++++++++++++++++++++++++++
 profiles/common/default.nix | 3 +-
 profiles/default.nix | 1 +
 5 files changed, 31 insertions(+), 19 deletions(-)
 delete mode 100644 configuration/common/ssh.nix
 create mode 100644 profiles/common-ssh/default.nix

diff --git a/configuration/common/default.nix b/configuration/common/default.nix
index e0c17af..3e3d0b3 100644
--- a/configuration/common/default.nix
+++ b/configuration/common/default.nix
@@ -8,7 +8,6 @@
 ./locale.nix
 ./networking.nix
 ./programs.nix
- ./ssh.nix
 ./systemd.nix
 ./user.nix
 ];
diff --git a/configuration/common/ssh.nix b/configuration/common/ssh.nix
deleted file mode 100644
index e62aab5..0000000
--- a/configuration/common/ssh.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{ lib, ... }:
-
-{
-
- services.openssh.enable = true;
- services.openssh.settings = {
- PasswordAuthentication = false;
- KbdInteractiveAuthentication = false;
- PermitRootLogin = lib.mkDefault "no";
- };
- services.openssh.hostKeys = lib.mkForce [
- # Only create ed25519 host keys
- { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
- ];
-
-}
diff --git a/profiles/common-ssh/default.nix b/profiles/common-ssh/default.nix
new file mode 100644
index 0000000..f01a304
--- /dev/null
+++ b/profiles/common-ssh/default.nix
@@ -0,0 +1,29 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+ options.profiles.clerie.common-ssh = {
+ enable = mkEnableOption "Common ssh config";
+ };
+
+ config = mkIf config.profiles.clerie.common-ssh.enable {
+
+ services.openssh.enable = true;
+ services.openssh.settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = lib.mkDefault "no";
+ };
+ services.openssh.hostKeys = lib.mkForce [
+ # Only create ed25519 host keys
+ { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+
+ programs.ssh.knownHostsFiles = [
+ (pkgs.clerie-ssh-known-hosts + "/known_hosts")
+ ];
+
+ };
+}
diff --git a/profiles/common/default.nix b/profiles/common/default.nix
index 5210dfb..c6aaf6d 100644
--- a/profiles/common/default.nix
+++ b/profiles/common/default.nix
@@ -11,10 +11,9 @@ with lib; config = mkIf config.profiles.clerie.common.enable { profiles.clerie.common-dns.enable = mkDefault true; - profiles.clerie.common-networking.enable = mkDefault true; profiles.clerie.common-nix.enable = mkDefault true; - + profiles.clerie.common-ssh.enable = mkDefault true; profiles.clerie.common-webserver.enable = mkDefault true; profiles.clerie.hetzner-storage-box-client.enable = mkDefault true;
diff --git a/profiles/default.nix b/profiles/default.nix
index 9bdf3dd..14e7150 100644
--- a/profiles/default.nix
+++ b/profiles/default.nix
@@ -7,6 +7,7 @@
 ./common-dns
 ./common-networking
 ./common-nix
+ ./common-ssh
 ./common-webserver
 ./cybercluster-vm
 ./desktop
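Review bot: The sshd hardening that the deleted configuration/common/ssh.nix applied unconditionally to every host importing it is now gated on `profiles.clerie.common-ssh.enable`, which the profiles/common/default.nix hunk only sets with `mkDefault true`; a host that turns the common profile off and enables `services.openssh` itself silently falls back to the NixOS defaults, which permit password authentication. If that is intended, say so on the option, e.g. `# Disabling this also drops the PasswordAuthentication/KbdInteractiveAuthentication hardening and the pinned known_hosts file.` The `programs.ssh.knownHostsFiles` entry ships the keys from `pkgs.clerie-ssh-known-hosts`, but a comment on that line should state which hosts it covers (the commit title names net.clerie.de) and that clients still accept hosts absent from the file on first use unless `StrictHostKeyChecking` is set, so the pin only protects the listed hosts. As a point of style, the file opens with `with lib;` yet still writes `lib.mkDefault` and `lib.mkForce` while using `mkIf` and `mkEnableOption` bare; either drop `with lib;` and qualify everything, or use the bare names throughout.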