feature(ssh): add more security to the ssh config

INSTALLATION.md

@@ -4,6 +4,7 @@
 - For simplicity I'm using device labels rather than uuids
 
 1. the partitioning layout should look somewhat like this after the installation
+
 ```bash
 NAME               MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
 nvme0n1            259:0    0 476.9G  0 disk
@@ -12,26 +13,25 @@ nvme0n1            259:0    0 476.9G  0 disk
   └─cryptroot      254:0    0 474.9G  0 crypt
     ├─lvmroot-swap 254:1    0    20G  0 lvm   [SWAP]
     ├─lvmroot-home 254:2    0   250G  0 lvm   /home
-    └─lvmroot-root 254:3    0 204.9G  0 lvm   /
+    └─lvmroot-root 254:3    0 204.9G  0 lvm   /nix/store
 ``` 
 
-> Note: `lsblk` may additionally show `/nix/store` as a mountpoint on `lvmroot-root`. This is not a separate partition. NixOS mounts the root device a second time at `/nix/store` with `ro,nosuid,nodev` flags to enforce store immutability at runtime.
-
 2. prepare the installation
+
 ```bash
 # format the boot partition
-mkfs.fat -F 32 /dev/nvme0n1p1 -n "nixboot"
+mkfs.fat -F 32 /dev/sda1 -n "nixboot"
 # create an encrypted partition
-cryptsetup luksFormat -y --label="nixcrypt" /dev/nvme0n1p2
+cryptsetup luksFormat -y --label="nixcrypt" /dev/sda2
 # open the encrypted partition and map it to /dev/mapper/cryptroot
-cryptsetup luksOpen /dev/nvme0n1p2 cryptroot
+cryptsetup luksOpen /dev/sda2 cryptroot
 
 # create the physical volume
 pvcreate /dev/mapper/cryptroot
 # create a volume group inside
 vgcreate lvmroot /dev/mapper/cryptroot
 # create the swap volume
-lvcreate --size 8G lvmroot --name swap
+lvcreate --size 8G lvmroot --name nwap
 # if you desire, create a home volume
 lvcreate --size 150G lvmroot --name home
 # create the root volume
@@ -47,7 +47,7 @@ mkswap -L "nixswap" /dev/mapper/lvmroot-swap
 # mount root
 mount /dev/disk/by-label/nixroot /mnt
 # mount boot
-mount --mkdir /dev/nvme0n1p1 /mnt/boot
+mount --mkdir /dev/sda1 /mnt/boot
 # again, if you did the home volume
 mount --mkdir /dev/disk/by-label/nixhome /mnt/home
 # turn on swap
@@ -55,12 +55,13 @@ swapon /dev/disk/by-label/nixswap
 ```
 
 3. prepare nixos
+
 ```bash
 # generate templates and update the hardware-configuration.nix
-nixos-generate-config --root /mnt
+sudo nixos-generate-config --root /mnt
 
-# add dm-crypt and dm-mod to the kernelModules
-boot.initrd.kernelModules = [ "dm-crypt" "dm-mod" ];
+# add cryptd to the kernelModules
+boot.initrd.kernelModules = [ "dm-snapshot" "cryptd" ];
 
 # add file systems using labels
 fileSystems."/" =
@@ -85,20 +86,25 @@ boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-label/nixcrypt";
 ```
 
 4. install nixos
+
 ```bash
-nixos-install
+cd /mnt
+sudo nixos-install
 ```
 
-## how to deploy the initial config
+## how to deploy the inital config
+
 - Don't forget to install the bootloader, if you changed it since `nixos-install`
+
 ```bash
 $ sudo nixos-rebuild --install-bootloader switch --flake .#host_name
 ```
 
 ## how to upgrade the system
+
 ```bash
 $ cd /path/to/repo
-$ nix flake update
+$ sudo nix flake update
 $ sudo nixos-rebuild switch --flake .#host_name
 $ sudo nix-collect-garbage
 ```
@@ -108,6 +114,7 @@ $ sudo nix-collect-garbage
 The tool nix-helper is installed by this configuration. It simplifies administrating nixos and adds more output to the rebuild command. It also features a diff after a successful build. The command uses the `NH_FLAKE` environment variable to be able to run from whatever directory.
 
 Basic commands with a set `NH_FLAKE` variable are:
+
 ```bash
 $ nh os switch
 $ nh os build

modules/nixos/openssh.nix

@@ -5,5 +5,15 @@
   services.openssh = {
     enable = true;
     openFirewall = true;
+    ports = [ 666 ];
+
+    settings = {
+      AuthenticationMethods = "publickey";
+      KbdInteractiveAuthentication = false;
+      MaxAuthTries = 5;
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+      X11Forwarding = false;
+    };
   };
 }