Harden OpenSSH
This commit is contained in:
parent
99bdbd6b59
commit
cc80f0afa7
3 changed files with 21 additions and 7 deletions
10
flake.nix
10
flake.nix
|
|
@ -51,8 +51,10 @@
|
|||
# Import all nixos host definitions that are actual nix machines
|
||||
nixHosts = filter ({ nix ? true, ... }: nix) hosts;
|
||||
|
||||
pkgs = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system}
|
||||
[ vault-secrets.overlay ];
|
||||
pkgs = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system} [ vault-secrets.overlay ];
|
||||
|
||||
deployChecks = mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib;
|
||||
checks = {};
|
||||
in {
|
||||
# Make the config and deploy sets
|
||||
nixosConfigurations = lib.foldr (el: acc: acc // mkConfig el) { } nixHosts;
|
||||
|
|
@ -70,7 +72,7 @@
|
|||
|
||||
# Use by running `nix develop`
|
||||
devShell.${system} = pkgs.mkShell {
|
||||
VAULT_ADDR = "http://10.42.42.6:8200/";
|
||||
VAULT_ADDR = "http://vault.olympus:8200/";
|
||||
# This only support bash so just execute zsh in bash as a workaround :/
|
||||
buildInputs = with pkgs; [
|
||||
deploy-rs.packages.${system}.deploy-rs
|
||||
|
|
@ -87,6 +89,6 @@
|
|||
];
|
||||
};
|
||||
|
||||
checks = mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
|
||||
checks = lib.recursiveUpdate deployChecks checks;
|
||||
};
|
||||
}
|
||||
|
|
|
|||
11
hosts.nix
11
hosts.nix
|
|
@ -21,6 +21,7 @@
|
|||
hostname = "bastion";
|
||||
ip = "10.42.42.4";
|
||||
mac = "82:F0:7C:CB:BD:6D";
|
||||
ip6 = "2001:41f0:9639:1:80f0:7cff:fecb:bd6d";
|
||||
lxc = false;
|
||||
}
|
||||
{
|
||||
|
|
@ -37,12 +38,13 @@
|
|||
hostname = "home-assistant";
|
||||
ip = "10.42.42.8";
|
||||
ip6 = "2001:41f0:9639:1:bfe7:3fd9:75de:cbee";
|
||||
mac = "74:40:be:48:85:a4";
|
||||
mac = "9E:60:78:ED:81:B4";
|
||||
nix = false;
|
||||
}
|
||||
{
|
||||
hostname = "nginx";
|
||||
ip = "10.42.42.9";
|
||||
ip6 = "2001:41f0:9639:1:68c2:89ff:fe85:cfa6";
|
||||
mac = "6A:C2:89:85:CF:A6";
|
||||
}
|
||||
{
|
||||
|
|
@ -86,4 +88,11 @@
|
|||
mac = "1C:69:7A:62:30:88";
|
||||
nix = false;
|
||||
}
|
||||
{
|
||||
hostname = "eevee";
|
||||
ip = "10.42.42.69";
|
||||
ip6 = "2001:41f0:9639:1:a83:e416:dc99:5ed3";
|
||||
mac = "34:97:f6:93:9A:AA";
|
||||
nix = false;
|
||||
}
|
||||
]
|
||||
|
|
|
|||
|
|
@ -45,12 +45,15 @@
|
|||
'';
|
||||
|
||||
# Enable SSH daemon support.
|
||||
services.openssh.enable = true;
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
passwordAuthentication = false;
|
||||
permitRootLogin = "no";
|
||||
};
|
||||
|
||||
vault-secrets = {
|
||||
vaultPrefix = "nixos";
|
||||
vaultAddress = "http://vault.olympus:8200/";
|
||||
approlePrefix = "olympus-${config.networking.hostName}";
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue