# NixOS module: a dedicated `nixrbld` account that is reached over SSH and
# trusted by the Nix daemon. The SSH host key pair is delivered as age-encrypted
# secrets taken from the `secrets` flake input, and port 22 is opened on the
# `tailscale0` interface only.
{
  config,
  flakeSelf,
  ...
}: let
  # Per-host directory inside the `secrets` flake input that holds the .age files.
  secretsDir = "${flakeSelf.inputs.secrets}/${config.networking.hostName}/";

  # Where the decrypted private host key is written; sshd is pointed at it below.
  sshHostKey = "/etc/ssh/winmax2_host_key";
in {
  # Private half of the host key, readable by its owner only.
  # NOTE(review): this file sets no `age.identityPaths`, and the only sshd host
  # key declared below is this same decrypted path. Confirm the decryption
  # identity is configured elsewhere and does not depend on the key it unlocks.
  age.secrets.winmax2-host-key = {
    file = "${secretsDir}host-private-key.age";
    path = sshHostKey;
    mode = "0400";
  };

  # Public half, placed next to the private key. No mode is set, so the secret
  # module's default applies; the content itself is not confidential.
  age.secrets."winmax2-host-key.pub" = {
    file = "${secretsDir}host-public-key.age";
    path = "${sshHostKey}.pub";
  };

  users.groups.nixrbld = {};

  # System account whose only credential is the single ed25519 key listed here.
  # NOTE(review): no shell is assigned in this file; the key is labelled as a
  # remote builder key and builds run commands over SSH, so confirm a usable
  # shell is set elsewhere.
  users.users.nixrbld = {
    group = "nixrbld";
    isSystemUser = true;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF8v+04ZwqHZRG8P8nxdQt+fGJfzlxHXF0F6jzENb+U6 Remote builder access key"
    ];
  };

  # A trusted user may override daemon settings and import unsigned store paths;
  # the Nix manual describes this as essentially equivalent to root access.
  # Whoever holds the private half of the authorized key above therefore has
  # that level of control over this host, so that key needs matching protection.
  # NOTE(review): if the building clients can sign their paths, listing their
  # keys in `trusted-public-keys` instead would avoid granting this trust.
  nix.settings.trusted-users = ["nixrbld"];

  services.openssh = {
    enable = true;
    # sshd is socket-activated rather than kept running.
    startWhenNeeded = true;

    # Only meant to be reachable through Tailscale: the global firewall is left
    # closed for SSH and the interface-scoped rule at the end of this module
    # opens port 22 on tailscale0.
    # NOTE(review): no listen address is restricted here, so the exposure limit
    # rests on the firewall alone. Confirm the firewall stays enabled on this host.
    openFirewall = false;
    allowSFTP = false;

    hostKeys = [
      {
        type = "ed25519";
        path = sshHostKey;
        # NOTE(review): the comment says "Everest" while the key file and the
        # secrets are named winmax2. Confirm this is the intended label.
        comment = "Everest host key";
      }
    ];

    settings = {
      # Key-only login, no root, and nixrbld is the only account sshd accepts.
      AllowUsers = ["nixrbld"];
      PasswordAuthentication = false;
      PermitRootLogin = "no";
      # sshd resolves the connecting address back to a hostname.
      # NOTE(review): nothing in this file matches on client hostnames; confirm
      # it is needed, since it makes logins depend on DNS answers.
      UseDns = true;
    };
  };

  # The only place port 22 is opened: traffic arriving on the Tailscale interface.
  networking.firewall.interfaces.tailscale0 = {
    allowedTCPPorts = [22];
  };
}