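{
  lib,
  pkgs,
  inputs,
  namespace,
  system,
  target,
  format,
  virtual,
  systems,
  config,
  ...
}:
# Account and remote-access hardening for a host: declarative (immutable)
# users, a locked root account, and key-only SSH with a matching firewall rule.
with lib;
with lib.${namespace}; let
  cfg = config.${namespace}.security.users;
in {
  options.${namespace}.security.users = with types; {
    enable = mkBoolOpt true "Enable security measures for users, that include immutable users, disabled root access and ssh rules";
  };

  config = mkIf cfg.enable {
    users = {
      # Users and their passwords are managed only from this configuration;
      # changes made with passwd/useradd on the running system do not persist.
      # NOTE(review): with mutableUsers = false an account that declares no
      # password (e.g. hashedPassword) cannot log in at all -- confirm at least
      # one non-root user with a declared password exists elsewhere in the
      # flake before enabling this on a machine.
      mutableUsers = false;
      users = {
        root = {
          # disable root login here, and also when installing nix by running nixos-install --no-root-passwd
          # https://discourse.nixos.org/t/how-to-disable-root-user-account-in-configuration-nix/13235/3
          hashedPassword = "!"; # disable root logins, nothing hashes to !
        };
      };
    };

    # Enable the OpenSSH daemon.
    services.openssh = {
      enable = true;
      # require public key authentication for better security
      settings.PasswordAuthentication = false;
      settings.KbdInteractiveAuthentication = false;
      # Complements the locked root password above: sshd refuses root even if
      # a key were ever placed in root's authorized_keys.
      settings.PermitRootLogin = "no";
      # Open whatever services.openssh.ports is set to (22 by default) rather
      # than hard-coding 22 in networking.firewall.allowedTCPPorts, so the
      # firewall rule follows the sshd port if it is ever changed. SSH is TCP
      # only, so no UDP port is opened here.
      openFirewall = true;
    };
  };
}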