lyrathorpe/nixfiles
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(nixos): key-only sshd hardening on T400 and Mac Pro

Browse Source 
New system/modules/ssh.nix disables password and keyboard-interactive
auth and root login, and installs the authorized key for the primary
user. Imported by the two hosts that run sshd; each still enables the
service and opens port 22 in its own config.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Emma Thorpe
2026-06-10 16:22:12 +01:00
parent bdfc27cf93
commit 93571386bd
2 changed files with 21 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
flake.nix
+2
View File
@@ -238,6 +238,7 @@
modules = [ modules = [
./system/machine/T400/configuration.nix ./system/machine/T400/configuration.nix
./system/modules/laptop.nix ./system/modules/laptop.nix
./system/modules/ssh.nix
# No t400-specific profile exists; compose the generic ThinkPad + # No t400-specific profile exists; compose the generic ThinkPad +
# laptop/SSD/Intel building blocks (tp_smapi/acpi_call for battery # laptop/SSD/Intel building blocks (tp_smapi/acpi_call for battery
# thresholds, SSD + microcode defaults). # thresholds, SSD + microcode defaults).
@@ -261,6 +262,7 @@
modules = [ modules = [
./system/machine/MacPro31/configuration.nix ./system/machine/MacPro31/configuration.nix
./system/modules/desktop.nix ./system/modules/desktop.nix
./system/modules/ssh.nix
inputs.nixos-hardware.nixosModules.common-pc-ssd inputs.nixos-hardware.nixosModules.common-pc-ssd
inputs.nixos-hardware.nixosModules.common-cpu-intel inputs.nixos-hardware.nixosModules.common-cpu-intel
./lyrathorpe/swaywm.nix ./lyrathorpe/swaywm.nix
system/modules/ssh.nix
+19
View File
@@ -0,0 +1,19 @@
# Key-only SSH hardening, imported by the hosts that run sshd (T400, Mac Pro).
# The host config still does `services.openssh.enable = true` and opens port 22
# next to where it documents the listening service; this module only tightens
# the policy and installs the authorized key, so a host opting into sshd cannot
# accidentally ship password/root login.
{ username, ... }:
{
services.openssh.settings = {
PasswordAuthentication = false; # keys only
KbdInteractiveAuthentication = false; # no keyboard-interactive fallback
PermitRootLogin = "no";
};
# The key permitted to log in as the primary user. Add more entries here as
# new client machines are provisioned.
users.users.${username}.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDxHvdMTOzpFWUFMtCP7C/4tIOUO3GIO2QPvaifSnWH lyrathorpe@Lyra-MBA"
];
}