diff --git a/common/default.nix b/common/default.nix index f4df83a..9591eba 100644 --- a/common/default.nix +++ b/common/default.nix @@ -1,5 +1,10 @@ { config, pkgs, ... }: +let + ssh = import ./ssh.nix; + sshUserKeys = ssh.users; + sshHigherTrustKeys = ssh.higherTrustUserKeys; +in { imports = [ ./flakes.nix @@ -23,7 +28,10 @@ time.timeZone = "America/Denver"; i18n.defaultLocale = "en_US.UTF-8"; - services.openssh.enable = true; + services.openssh = { + enable = true; + passwordAuthentication = false; + }; programs.mosh.enable = true; environment.systemPackages = with pkgs; [ @@ -54,10 +62,13 @@ "dialout" # serial ]; shell = pkgs.fish; - openssh.authorizedKeys.keys = (import ./ssh.nix).users; + openssh.authorizedKeys.keys = sshUserKeys; hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/"; uid = 1000; }; + users.users.root = { + openssh.authorizedKeys.keys = sshHigherTrustKeys; + }; nix.trustedUsers = [ "root" "googlebot" ]; nix.gc.automatic = true; diff --git a/common/ssh.nix b/common/ssh.nix index 8fb554a..4d505bd 100644 --- a/common/ssh.nix +++ b/common/ssh.nix @@ -4,7 +4,7 @@ rec { "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP" # ray - ]; + ] ++ higherTrustUserKeys; system = { liza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDY/pNyWedEfU7Tq9ikGbriRuF1ZWkHhegGS17L0Vcdl"; liza-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6eMKW7jBNUKm2r9zEoape4s3KVrmLTLC0nkW9t/8JK"; @@ -24,6 +24,10 @@ rec { n7 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtOlOvTlMX2mxPaXDJ6VlMe5rmroUXpKmJVNxgV32xL"; }; + higherTrustUserKeys = [ + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEaGIwLiUa6wQLlEF+keQOIYy/tCmJvV6eENzUQjSqW2AAAABHNzaDo=" # ray fido + ]; + # groups systems = with system; [ liza