feat: sane ssh defaults

2025-03-10 18:30:20 +03:00 · 2025-03-10 18:30:20 +03:00 · 73c86aa500
commit 73c86aa500
parent 05db810079
2 changed files with 28 additions and 0 deletions
--- a/modules/nixos/roles/default.nix
+++ b/modules/nixos/roles/default.nix
@ -33,6 +33,7 @@ in
      baseRole = {
        ataraxia.defaults.lix.enable = mkDefault true;
        ataraxia.defaults.nix.enable = mkDefault true;
+        ataraxia.defaults.ssh.enable = mkDefault true;

        persist.enable = mkDefault true;

--- a/modules/nixos/ssh/default.nix
+++ b/modules/nixos/ssh/default.nix
@ -0,0 +1,27 @@
+{ config, lib, ... }:
+let
+  inherit (lib) mkIf mkEnableOption mkOption;
+  inherit (lib.types) listOf int;
+  cfg = config.ataraxia.defaults.ssh;
+in
+{
+  options.ataraxia.defaults.ssh = {
+    enable = mkEnableOption "Root on zfs";
+    ports = mkOption {
+      type = listOf int;
+      default = [ 22 ];
+      description = "OpenSSH ports to listen";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.openssh = {
+      enable = true;
+      settings.PasswordAuthentication = false;
+      settings.PermitRootLogin = "no";
+      settings.X11Forwarding = false;
+      extraConfig = "StreamLocalBindUnlink yes";
+      ports = cfg.ports;
+    };
+  };
+}