Harden OpenSSH

This commit is contained in:
Vivian 2021-11-23 17:44:00 +01:00
parent e638c9aa5a
commit d5e2e248e3
3 changed files with 21 additions and 7 deletions


@ -51,8 +51,10 @@
# Import all nixos host definitions that are actual nix machines # Import all nixos host definitions that are actual nix machines
nixHosts = filter ({ nix ? true, ... }: nix) hosts; nixHosts = filter ({ nix ? true, ... }: nix) hosts;
pkgs = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system} pkgs = serokell-nix.lib.pkgsWith nixpkgs.legacyPackages.${system} [ vault-secrets.overlay ];
[ vault-secrets.overlay ];
deployChecks = mapAttrs (_: lib: lib.deployChecks self.deploy) deploy-rs.lib;
checks = {};
in { in {
# Make the config and deploy sets # Make the config and deploy sets
nixosConfigurations = lib.foldr (el: acc: acc // mkConfig el) { } nixHosts; nixosConfigurations = lib.foldr (el: acc: acc // mkConfig el) { } nixHosts;
@ -70,7 +72,7 @@
# Use by running `nix develop` # Use by running `nix develop`
devShell.${system} = pkgs.mkShell { devShell.${system} = pkgs.mkShell {
VAULT_ADDR = "http://10.42.42.6:8200/"; VAULT_ADDR = "http://vault.olympus:8200/";
# This only support bash so just execute zsh in bash as a workaround :/ # This only support bash so just execute zsh in bash as a workaround :/
buildInputs = with pkgs; [ buildInputs = with pkgs; [
deploy-rs.packages.${system}.deploy-rs deploy-rs.packages.${system}.deploy-rs
@ -87,6 +89,6 @@
]; ];
}; };
checks = mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; checks = lib.recursiveUpdate deployChecks checks;
}; };
} }
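Review bot: `VAULT_ADDR` in the dev shell (middle hunk, `@ -70,7 +72,7`) still uses plain `http://` for vault.olympus, so the Vault token that `nix develop` users present travels unencrypted across the network; the `vaultAddress` line in the third file section uses the same scheme. If the Vault listener offers TLS, switch both to `VAULT_ADDR = "https://vault.olympus:8200/";`; if it does not, a short comment next to the line recording why the address is unencrypted (for example `# Vault is only reachable on the internal network; no TLS on this listener`) would at least make the decision explicit. Replacing the literal 10.42.42.6 with a hostname also makes the shell depend on the resolver of whichever machine runs it, which I cannot verify from this diff.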


@ -21,6 +21,7 @@
hostname = "bastion"; hostname = "bastion";
ip = "10.42.42.4"; ip = "10.42.42.4";
mac = "82:F0:7C:CB:BD:6D"; mac = "82:F0:7C:CB:BD:6D";
ip6 = "2001:41f0:9639:1:80f0:7cff:fecb:bd6d";
lxc = false; lxc = false;
} }
{ {
@ -37,12 +38,13 @@
hostname = "home-assistant"; hostname = "home-assistant";
ip = "10.42.42.8"; ip = "10.42.42.8";
ip6 = "2001:41f0:9639:1:bfe7:3fd9:75de:cbee"; ip6 = "2001:41f0:9639:1:bfe7:3fd9:75de:cbee";
mac = "74:40:be:48:85:a4"; mac = "9E:60:78:ED:81:B4";
nix = false; nix = false;
} }
{ {
hostname = "nginx"; hostname = "nginx";
ip = "10.42.42.9"; ip = "10.42.42.9";
ip6 = "2001:41f0:9639:1:68c2:89ff:fe85:cfa6";
mac = "6A:C2:89:85:CF:A6"; mac = "6A:C2:89:85:CF:A6";
} }
{ {
@ -86,4 +88,11 @@
mac = "1C:69:7A:62:30:88"; mac = "1C:69:7A:62:30:88";
nix = false; nix = false;
} }
{
hostname = "eevee";
ip = "10.42.42.69";
ip6 = "2001:41f0:9639:1:a83:e416:dc99:5ed3";
mac = "34:97:f6:93:9A:AA";
nix = false;
}
] ]
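Review bot: The new `eevee` entry at the end of the last hunk writes its MAC as `34:97:f6:93:9A:AA`, mixing lower and upper case inside a single address, whereas the other entries in the file keep one case throughout (`9E:60:78:ED:81:B4`, `6A:C2:89:85:CF:A6`). I cannot see where `mac` is consumed, but if any consumer compares these as strings (static DHCP leases, MAC-based filtering), the mixed case can silently fail to match. Normalising it, `mac = "34:97:F6:93:9A:AA";`, keeps the list consistent and avoids that class of mismatch.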


@ -45,12 +45,15 @@
''; '';
# Enable SSH daemon support. # Enable SSH daemon support.
services.openssh.enable = true; services.openssh = {
enable = true;
passwordAuthentication = false;
permitRootLogin = "no";
};
vault-secrets = { vault-secrets = {
vaultPrefix = "nixos"; vaultPrefix = "nixos";
vaultAddress = "http://vault.olympus:8200/"; vaultAddress = "http://vault.olympus:8200/";
approlePrefix = "olympus-${config.networking.hostName}"; approlePrefix = "olympus-${config.networking.hostName}";
}; };
} }
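Review bot: Setting `passwordAuthentication = false;` in the new `services.openssh` block does not by itself stop password logins, because the keyboard-interactive method remains enabled by default on NixOS releases of this period and, with PAM in use, still accepts the account password; the block should also set `challengeResponseAuthentication = false;` (the option is named `kbdInteractiveAuthentication` on NixOS 22.05 and later, so check the release in use). `permitRootLogin = "no"` will break any deploy-rs profile that connects as root; the deploy configuration referenced as `self.deploy` is not in this diff, so verify its `sshUser` before rolling this out. A one-line comment above the block stating the intent, `# Key-only logins: no passwords, no direct root`, would make the hardening goal clear to the next reader.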