configuration.nix
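# Proxmox LXC guest whose only job is to run the enrollment repository's
# SSH signing helper periodically as the unprivileged `enroll` user.
# `modulespath` (lower-case) was a second, unused spelling of `modulesPath`;
# it is dropped from the pattern — the trailing `...` still accepts it if a
# caller passes it.
{ inputs, config, pkgs, lib, modulesPath, hostname, ... }:

{
  imports = [
    ../../modules/virtualization/lxc/proxmox-lxc.nix
  ];

  #modules.security.sshd.enable = true;
  # services.openssh.extraConfig = ''
  #   HostCertificate /nix/store/b9rl7fpkjzsk0l2rj5ybazyh8x3zh1ay-z6MkwaBokT3KKfHg3yfxoDNTqm243smw8rAuf5K4Q9rJromm-cert.pub
  # '';

  home-manager = import ../../home-manager;

  systemd = {
    # Runs the ssh-ca service 5 minutes after boot and once a day; Persistent
    # makes a run that was missed while the container was down fire on the
    # next boot. Requires= on the timer only orders the timer itself after
    # network-online, not each activation of the service.
    timers.ssh-ca = {
      description = "ssh-ca";
      wantedBy = [ "timers.target" ];
      requires = [ "network-online.target" ];
      timerConfig = {
        OnBootSec = "5min";
        OnCalendar = "daily";
        Persistent = true;
      };
    };

    services.ssh-ca = {
      description = "ssh-ca";
      enableStrictShellChecks = true;
      # The helper is executed straight from a checkout under /home/enroll, so
      # whoever can change that working tree controls what runs as `enroll`.
      # `bash -x` traces every expanded command to stderr, which systemd sends
      # to the journal by default — NOTE(review): any key material or tokens
      # the helper puts on a command line will be logged; confirm ssh-sign.sh
      # keeps secrets out of its argument lists, or drop -x in production.
      script = ''
        if test -f /home/enroll/enrollment-inventory/.scripts/ssh-sign.sh
        then
          cd /home/enroll/enrollment-inventory/.scripts
          "${pkgs.bash}/bin/bash" -x /home/enroll/enrollment-inventory/.scripts/ssh-sign.sh
        fi
      '';
      path = with pkgs; [
        git
        openssh
        jq
        radicle-node
      ];
      serviceConfig = {
        User = "enroll";
        Group = "users";
        Type = "oneshot";
        Restart = "on-failure";
        # NOTE(review): TTYPath only has an effect together with
        # StandardInput/StandardOutput=tty, neither of which is set here;
        # this looks vestigial — confirm before relying on it.
        TTYPath = "/dev/tty2";
        WorkingDirectory = "/home/enroll";
        # Sandboxing: no privilege gain, kernel interfaces read-only or hidden,
        # and ProtectSystem=full keeps /usr, /boot and /etc read-only while
        # leaving /home (the working tree above) writable.
        NoNewPrivileges = true;
        ProtectControlGroups = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectSystem = "full";
        RestrictSUIDSGID = true;
        RestrictRealtime = true;
        LockPersonality = true;
        PrivateTmp = true;
        ProcSubset = "pid";
      };
      # Also started directly at boot, in addition to the timer's OnBootSec run.
      wantedBy = [ "multi-user.target" ];
    };
  };

  networking = {
    hostName = hostname;
    # Firewall on with no inbound TCP/UDP ports opened.
    firewall = {
      enable = true;
      allowedTCPPorts = [ ];
      allowedUDPPorts = [ ];
    };
  };
}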