dannydannydanny/dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(sunken-ship): pwless ssh access 🔒

Browse source
This commit is contained in:
DannyDannyDanny 2026-03-08 12:05:25 +01:00
parent 1338fb1b68
commit 424ba82399
1 changed files with 13 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

15
nixos/hosts/sunken-ship.nix
View file

@ -42,10 +42,21 @@ in
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" "video" ]; # video: backlight control via light(1) extraGroups = [ "wheel" "video" ]; # video: backlight control via light(1)
# SSH keys: push via scp, don't commit. NixOS does not manage authorized_keys so scp'd keys persist. # SSH keys: push via scp, don't commit. NixOS does not manage authorized_keys so scp'd keys persist.
# Example: scp ~/.ssh/id_*_github.pub danny@server:/tmp/ then on server: mkdir -p ~/.ssh; cat /tmp/*.pub >> ~/.ssh/authorized_keys # Example: scp ~/.ssh/id_ed25519_sunken_ship.pub danny@server:/tmp/ then on server: mkdir -p ~/.ssh; cat /tmp/*.pub >> ~/.ssh/authorized_keys
}; };
services.openssh.enable = true; # Key-only auth; no password or keyboard-interactive.
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
# Optionally restrict to LAN: settings.ListenAddress = "10.0.0.1"; or similar.
};
# Passwordless sudo for wheel.
security.sudo.wheelNeedsPassword = false;
environment.systemPackages = [ pkgs.git ]; # for clone/bootstrap and timer environment.systemPackages = [ pkgs.git ]; # for clone/bootstrap and timer
# Pull dotfiles and rebuild if the repo has new commits. # Pull dotfiles and rebuild if the repo has new commits.