59 lines
1.5 KiB
Nix
59 lines
1.5 KiB
Nix
{ config
|
|
, lib
|
|
, pkgs
|
|
, xinlib
|
|
, ...
|
|
}:
|
|
let
|
|
myOpenSSH = pkgs.pkgsMusl.callPackage ../pkgs/openssh.nix {
|
|
inherit config;
|
|
inherit xinlib;
|
|
};
|
|
in
|
|
{
|
|
config = {
|
|
programs = {
|
|
ssh = {
|
|
package = lib.mkDefault myOpenSSH;
|
|
agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
|
|
knownHosts = {
|
|
"[namish.otter-alligator.ts.net]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9jlU5XATs8N90mXuCqrflwOJ+s3s7LefDmFZBx8cCk";
|
|
"[git.tapenet.org]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkbSJWeWJyJjak/boaMTqzPVq91wfJz1P+I4rnBUsPW";
|
|
};
|
|
knownHostsFiles = [ ./ssh_known_hosts ];
|
|
startAgent = true;
|
|
agentTimeout = "100m";
|
|
extraConfig = ''
|
|
Host *
|
|
controlmaster auto
|
|
controlpath /tmp/ssh-%r@%h:%p
|
|
|
|
VerifyHostKeyDNS yes
|
|
CanonicalizeHostname always
|
|
'';
|
|
};
|
|
};
|
|
|
|
services = {
|
|
openssh = {
|
|
enable = true;
|
|
extraConfig = ''
|
|
TrustedUserCAKeys = /etc/ssh/ca.pub
|
|
'';
|
|
settings = {
|
|
UsePAM = false;
|
|
PrintMotd = true;
|
|
PermitRootLogin = "prohibit-password";
|
|
PasswordAuthentication = false;
|
|
KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
|
|
Macs = [
|
|
"hmac-sha2-512-etm@openssh.com"
|
|
"hmac-sha2-256-etm@openssh.com"
|
|
"umac-128-etm@openssh.com"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|