feature(ssh): add more security to the ssh config

Reviewed-on: #20

INSTALLATION.md

@@ -0,0 +1,125 @@
+# basic system installation
+
+- The installations presented in this repository are always luks encrypted
+- For simplicity I'm using device labels rather than uuids
+
+1. the partitioning layout should look somewhat like this after the installation
+
+```bash
+NAME               MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
+nvme0n1            259:0    0 476.9G  0 disk
+├─nvme0n1p1        259:1    0     2G  0 part  /boot
+└─nvme0n1p2        259:2    0 474.9G  0 part
+  └─cryptroot      254:0    0 474.9G  0 crypt
+    ├─lvmroot-swap 254:1    0    20G  0 lvm   [SWAP]
+    ├─lvmroot-home 254:2    0   250G  0 lvm   /home
+    └─lvmroot-root 254:3    0 204.9G  0 lvm   /nix/store
+``` 
+
+2. prepare the installation
+
+```bash
+# format the boot partition
+mkfs.fat -F 32 /dev/sda1 -n "nixboot"
+# create an encrypted partition
+cryptsetup luksFormat -y --label="nixcrypt" /dev/sda2
+# open the encrypted partition and map it to /dev/mapper/cryptroot
+cryptsetup luksOpen /dev/sda2 cryptroot
+
+# create the physical volume
+pvcreate /dev/mapper/cryptroot
+# create a volume group inside
+vgcreate lvmroot /dev/mapper/cryptroot
+# create the swap volume
+lvcreate --size 8G lvmroot --name nwap
+# if you desire, create a home volume
+lvcreate --size 150G lvmroot --name home
+# create the root volume
+lvcreate -l 100%FREE lvmroot --name root
+
+# format as usual for root partition
+mkfs.ext4 -L "nixroot" /dev/mapper/lvmroot-root
+# if you previously made the home partition, do it too
+mkfs.ext4 -L "nixhome" /dev/mapper/lvmroot-home
+# format the swap partition
+mkswap -L "nixswap" /dev/mapper/lvmroot-swap
+
+# mount root
+mount /dev/disk/by-label/nixroot /mnt
+# mount boot
+mount --mkdir /dev/sda1 /mnt/boot
+# again, if you did the home volume
+mount --mkdir /dev/disk/by-label/nixhome /mnt/home
+# turn on swap
+swapon /dev/disk/by-label/nixswap
+```
+
+3. prepare nixos
+
+```bash
+# generate templates and update the hardware-configuration.nix
+sudo nixos-generate-config --root /mnt
+
+# add cryptd to the kernelModules
+boot.initrd.kernelModules = [ "dm-snapshot" "cryptd" ];
+
+# add file systems using labels
+fileSystems."/" =
+  { device = "/dev/disk/by-label/nixroot";
+    fsType = "ext4";
+  };
+fileSystems."/boot" =
+  { device = "/dev/disk/by-label/nixboot";
+    fsType = "vfat";
+    options = [ "fmask=0022" "dmask=0022" ];
+  };
+fileSystems."/home" =
+  { device = "/dev/disk/by-label/nixhome";
+    fsType = "ext4";
+  };
+swapDevices =
+  [ { device = "/dev/disk/by-label/nixswap"; }
+  ];
+
+# point the bootloader to the luks device
+boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-label/nixcrypt";
+```
+
+4. install nixos
+
+```bash
+cd /mnt
+sudo nixos-install
+```
+
+## how to deploy the inital config
+
+- Don't forget to install the bootloader, if you changed it since `nixos-install`
+
+```bash
+$ sudo nixos-rebuild --install-bootloader switch --flake .#host_name
+```
+
+## how to upgrade the system
+
+```bash
+$ cd /path/to/repo
+$ sudo nix flake update
+$ sudo nixos-rebuild switch --flake .#host_name
+$ sudo nix-collect-garbage
+```
+
+## how to use nix-helper
+
+The tool nix-helper is installed by this configuration. It simplifies administrating nixos and adds more output to the rebuild command. It also features a diff after a successful build. The command uses the `NH_FLAKE` environment variable to be able to run from whatever directory.
+
+Basic commands with a set `NH_FLAKE` variable are:
+
+```bash
+$ nh os switch
+$ nh os build
+$ nh os test
+$ nh clean all --keep 5
+```
+
+There is also the option to interface with home-manager by using `nh home switch` but this isn't necessary since home-manager is imported as a module in this config.

README.md

@@ -1,133 +1,30 @@
-# 0x29a nixos config
+# NixOS config
 
-My personal nixos configuration files for different environments.
+My personal NixOS configurations.
 
-## basic system installation
+## config structure
-
-- The installations presented in this repository are always luks encrypted
-- For simplicity I'm using device labels rather than uuids
-
-1. the partitioning layout should look somewhat like this after the installation
 
 ```bash
-NAME               MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
+.
-nvme0n1            259:0    0 476.9G  0 disk
+├── flake.lock
-├─nvme0n1p1        259:1    0     2G  0 part  /boot
+├── flake.nix # flake definition
-└─nvme0n1p2        259:2    0 474.9G  0 part
+├── hosts
-  └─cryptroot      254:0    0 474.9G  0 crypt
+│   └── neon
-    ├─lvmroot-swap 254:1    0    20G  0 lvm   [SWAP]
+│       ├── configuration.nix # import nix-modules for specific host
-    ├─lvmroot-home 254:2    0   250G  0 lvm   /home
+│       └── hardware-configuration.nix # hardware configs for specific host
-    └─lvmroot-root 254:3    0 204.9G  0 lvm   /nix/store
+├── modules
+│   ├── home-manager
+│   │   ├── xyz_module.nix
+│   └── nixos
+│       └── xyz_module.nix
+└── users
+    └── aaron
+        └── home.nix # import home-manager modules for specific user
 ```
 
-2. prepare the installation
+## installation
 
-```bash
+For more details about the installation procedure see: [INSTALLATION.md](INSTALLATION.md)
-# format the boot partition
-mkfs.fat -F 32 /dev/sda1 -n "nixboot"
-# create an encrypted partition
-cryptsetup luksFormat -y --label="nixcrypt" /dev/sda2
-# open the encrypted partition and map it to /dev/mapper/cryptroot
-cryptsetup luksOpen /dev/sda2 cryptroot
-
-# create the physical volume
-pvcreate /dev/mapper/cryptroot
-# create a volume group inside
-vgcreate lvmroot /dev/mapper/cryptroot
-# create the swap volume
-lvcreate --size 8G lvmroot --name nwap
-# if you desire, create a home volume
-lvcreate --size 150G lvmroot --name home
-# create the root volume
-lvcreate -l 100%FREE lvmroot --name root
-
-# format as usual for root partition
-mkfs.ext4 -L "nixroot" /dev/mapper/lvmroot-root
-# if you previously made the home partition, do it too
-mkfs.ext4 -L "nixhome" /dev/mapper/lvmroot-home
-# format the swap partition
-mkswap -L "nixswap" /dev/mapper/lvmroot-swap
-
-# mount root
-mount /dev/disk/by-label/nixroot /mnt
-# mount boot
-mount --mkdir /dev/sda1 /mnt/boot
-# again, if you did the home volume
-mount --mkdir /dev/disk/by-label/nixhome /mnt/home
-# turn on swap
-swapon /dev/disk/by-label/nixswap
-```
-
-3. prepare nixos
-
-
-```bash
-# generate templates and update the hardware-configuration.nix
-sudo nixos-generate-config --root /mnt
-
-# add cryptd to the kernelModules
-boot.initrd.kernelModules = [ "dm-snapshot" "cryptd" ];
-
-# add file systems using labels
-fileSystems."/" =
-  { device = "/dev/disk/by-label/nixroot";
-    fsType = "ext4";
-  };
-fileSystems."/boot" =
-  { device = "/dev/disk/by-label/nixboot";
-    fsType = "vfat";
-    options = [ "fmask=0022" "dmask=0022" ];
-  };
-fileSystems."/home" =
-  { device = "/dev/disk/by-label/nixhome";
-    fsType = "ext4";
-  };
-swapDevices =
-  [ { device = "/dev/disk/by-label/nixswap"; }
-  ];
-
-# point the bootloader to the luks device
-boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-label/nixcrypt";
-```
-
-4. install nixos
-
-```bash
-cd /mnt
-sudo nixos-install
-```
-
-## how to deploy the inital config
-
-- Don't forget to install the bootloader, if you changed it since `nixos-install`
-
-```bash
-$ sudo nixos-rebuild --install-bootloader switch --flake .#host_name
-```
-
-## how to upgrade the system
-
-```bash
-$ cd /path/to/repo
-$ sudo nix flake update
-$ sudo nixos-rebuild switch --flake .#host_name
-$ sudo nix-collect-garbage
-```
-
-## how to use nix-helper
-
-The tool nix-helper is installed by this configuration. It simplifies administrating nixos and adds more output to the rebuild command. It also features a diff after a successful build. The command uses the `NH_FLAKE` environment variable to be able to run from whatever directory.
-
-Basic commands with a set `NH_FLAKE` variable are:
-
-```bash
-$ nh os switch
-$ nh os build
-$ nh os test
-$ nh clean all --keep 5
-```
-
-There is also the option to interface with home-manager by using `nh home switch`but this isn't necessary since home-manager is imported as a module in this config.
 
 ## author
 

flake.lock

@@ -8,11 +8,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765835352,
+        "lastModified": 1769996383,
-        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
+        "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
+        "rev": "57928607ea566b5db3ad13af0e57e921e6b12381",
         "type": "github"
       },
       "original": {
@@ -28,11 +28,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769187349,
+        "lastModified": 1771519029,
-        "narHash": "sha256-clG+nT6I2qxjIgk5WoSDKJyNhzKJs9jzbCujPF2S/yg=",
+        "narHash": "sha256-H59Qf82wv5kBXVoyXsmUKW+9J3o8FqgY4uKaLdsLdLg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "082a4cd87c6089d1d9c58ebe52655f9e07245fcb",
+        "rev": "167e0b6837115e672ec5f58e2b0ea39093abe807",
         "type": "github"
       },
       "original": {
@@ -43,11 +43,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1769018530,
+        "lastModified": 1771369470,
-        "narHash": "sha256-MJ27Cy2NtBEV5tsK+YraYr2g851f3Fl1LpNHDzDX15c=",
+        "narHash": "sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "88d3861acdd3d2f0e361767018218e51810df8a1",
+        "rev": "0182a361324364ae3f436a63005877674cf45efb",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1768910181,
+        "lastModified": 1771135771,
-        "narHash": "sha256-YRU0IHMzXluZxr0JDfq9jtblb4DV7MIB5wj2jYMFKQc=",
+        "narHash": "sha256-wyvBIhDuyCRyjB3yPg77qoyxrlgQtBR1rVW3c9knV3E=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "5b138edcb2f1c3ed4b29eca3658f04f0639b98b3",
+        "rev": "ed0424f0b08d303a7348f52f7850ad1b2704f9ba",
         "type": "github"
       },
       "original": {
@@ -86,11 +86,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769192065,
+        "lastModified": 1771513929,
-        "narHash": "sha256-8RXIQ8gGxB7lmQOJuhhq3UiGhO3zzKiPaDRigR4Fu9Y=",
+        "narHash": "sha256-dPeHevAT1Cb2w/Wrfz/d5i6RfO8bvbGl/KrTPxU2l3w=",
         "owner": "noctalia-dev",
         "repo": "noctalia-shell",
-        "rev": "9bd9d3cfc9c7b80eabd933ed8033e9f9d1021953",
+        "rev": "9c47ce03f200e0b8fc515d973440d5bc3e359785",
         "type": "github"
       },
       "original": {

modules/nixos/openssh.nix

@@ -5,5 +5,15 @@
   services.openssh = {
     enable = true;
     openFirewall = true;
+    ports = [ 666 ];
+
+    settings = {
+      AuthenticationMethods = "publickey";
+      KbdInteractiveAuthentication = false;
+      MaxAuthTries = 5;
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+      X11Forwarding = false;
+    };
   };
 }