refactor(nix/host/orion): disable openssh service

2024-06-04 02:45:31 -05:00 · 2024-06-04 02:45:31 -05:00 · 2737b13d17
commit 2737b13d17
parent eefa0a112c
2 changed files with 6 additions and 62 deletions
--- a/hosts/orion/modules/agenix.nix
+++ b/hosts/orion/modules/agenix.nix
@ -0,0 +1,6 @@
+{ config, ... }:
+{
+  age.identityPaths = [
+    (config.environment.persistence.ephemeral.persistentStoragePath + "/ssh_host_ed25519_key")
+  ];
+}
--- a/hosts/orion/modules/services/openssh.nix
+++ b/hosts/orion/modules/services/openssh.nix
@ -1,62 +0,0 @@
-{ config, ... }:
-{
-  services.openssh = {
-    enable = true;
-    startWhenNeeded = true;
-    # We set the hostkeys manually so they persist through reboots
-    hostKeys = [
-      {
-        path = (
-          config.environment.persistence.ephemeral.persistentStoragePath + "/etc/ssh/ssh_host_ed25519_key"
-        );
-        type = "ed25519";
-      }
-    ];
-    sftpFlags = [
-      "-f AUTHPRIV"
-      "-l INFO"
-    ];
-    extraConfig = ''
-      AllowUsers price
-    '';
-    settings = {
-      PasswordAuthentication = false;
-      PermitRootLogin = "no";
-      GatewayPorts = "yes";
-      LogLevel = "VERBOSE";
-      KexAlgorithms = [
-        "curve25519-sha256"
-        "curve25519-sha256@libssh.org"
-        "diffie-hellman-group-exchange-sha256"
-      ];
-      Ciphers = [
-        "chacha20-poly1305@openssh.com"
-        "aes256-gcm@openssh.com"
-        "aes128-gcm@openssh.com"
-        "aes256-ctr"
-        "aes192-ctr"
-        "aes128-ctr"
-      ];
-      Macs = [
-        "hmac-sha2-512-etm@openssh.com"
-        "hmac-sha2-256-etm@openssh.com"
-        "umac-128-etm@openssh.com"
-      ];
-    };
-    ports = [ 2200 ];
-    banner = ''
-      ┌────────────────────────────────────────────────────┐
-      │        Orion Technologies - Security Notice        │
-      │        ┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄        │
-      │  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED  │
-      │                                                    │
-      │     You must have written, explicit, authorized    │
-      │   permission to access or configure this device.   │
-      │ Unauthorized attempts and actions to access or use │
-      │   this system may result in civil and/or criminal  │
-      │ penalties. All activities performed on this device │
-      │              are logged and monitored.             │
-      └────────────────────────────────────────────────────┘
-    '';
-  };
-}