fix(ssh): enable key-based root login and use FQDNs for system services

Fixes backup system authentication and hostname resolution issues.

Changes:
- Change PermitRootLogin from "no" to "prohibit-password" in global SSH config
  (allows key-based root login for host-to-host backups while blocking passwords)
- Update fuchsia onsite backup to use viridian.home.arpa FQDN instead of shortname
- Update SSH knownHosts to use FQDNs (fuchsia.home.arpa, viridian.home.arpa)
  (system-level config uses FQDNs, user shortcuts remain in home-manager)

This enables the complete 3-2-1 backup strategy with automated backups working
correctly between fuchsia and viridian, and fuchsia to BorgBase.
♥ Minnie ♥ 2025-10-07 23:11:31 +08:00
parent 6723c0e0b6
commit 8874c88fbc
Signed by: jasmine
GPG key ID: 8563E358D4E8040E
4 changed files with 12 additions and 12 deletions


@ -6,7 +6,7 @@
enable = true; enable = true;
settings = { settings = {
PermitRootLogin = "no"; # Disable root login for security PermitRootLogin = "prohibit-password"; # Allow root login with keys only
PasswordAuthentication = false; # Require key-based authentication PasswordAuthentication = false; # Require key-based authentication
LogLevel = "VERBOSE"; # Enhanced logging for security auditing LogLevel = "VERBOSE"; # Enhanced logging for security auditing
}; };
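Review bot: `PermitRootLogin = "prohibit-password"` on L27 opens key-based root login for every client address and every key in root's authorized_keys, while the commit message names a single need, the host-to-host backup. The previous posture can be kept for everything else by leaving the global value at `"no"` and scoping the exception to the peer, e.g. `extraConfig = ''Match Address <BACKUP_PEER_IP>\n  PermitRootLogin prohibit-password'';`, and by pinning the backup key itself with `restrict,command="borg serve --restrict-to-repository <REPO_PATH>"` in root's authorized_keys so that key can run nothing but borg. The inline comment should also record why root needs to log in at all, since "Allow root login with keys only" describes the setting rather than the reason it was loosened. The enclosing `services.openssh` attribute set starts and ends outside the hunk.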


@ -58,7 +58,7 @@ in {
''; '';
# Onsite repository configuration (backup to viridian over SSH) # Onsite repository configuration (backup to viridian over SSH)
repo = "ssh://viridian/srv/borg-repo/${hostname}"; repo = "ssh://viridian.home.arpa/srv/borg-repo/${hostname}";
# No encryption for onsite backups (physical security assumed) # No encryption for onsite backups (physical security assumed)
encryption.mode = "none"; encryption.mode = "none";
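Review bot: The new URL on L37 still has no user component, so borg connects as whichever account the backup job runs under, which per the commit message is root and is what forced the global sshd change. Pointing the repo at a dedicated account, `repo = "ssh://borg@viridian.home.arpa/srv/borg-repo/${hostname}";`, with that account's authorized key limited to `borg serve`, would let the PermitRootLogin relaxation be dropped and also lets viridian enforce `--append-only` on the onsite copy so a compromised fuchsia cannot prune its own backups. Which user the job runs as is not visible in this hunk, so confirm it against the service definition. The enclosing attribute set (`in {` in the hunk header) starts outside the hunk.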


@ -1,12 +1,12 @@
{inputs, ...}: { {inputs, ...}: {
# Trust viridian's host keys for SSH connections # Trust viridian's host keys for SSH connections (system-level, uses FQDN)
programs.ssh.knownHosts = { programs.ssh.knownHosts = {
"viridian-ed25519" = { "viridian-ed25519" = {
hostNames = ["viridian"]; hostNames = ["viridian.home.arpa"];
publicKeyFile = "${inputs.self}/nixos/viridian/ssh_host_ed25519_key.pub"; publicKeyFile = "${inputs.self}/nixos/viridian/ssh_host_ed25519_key.pub";
}; };
"viridian-rsa" = { "viridian-rsa" = {
hostNames = ["viridian"]; hostNames = ["viridian.home.arpa"];
publicKeyFile = "${inputs.self}/nixos/viridian/ssh_host_rsa_key.pub"; publicKeyFile = "${inputs.self}/nixos/viridian/ssh_host_rsa_key.pub";
}; };
}; };
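Review bot: `hostNames` on L48 and L52 now list only the FQDN, so any connection that still names the host as `viridian` (a script, a timer, or `ssh viridian` where the home-manager alias is not in effect) gets no known_hosts match and falls through to the host-key prompt or, for a non-interactive job, a failure. Listing both names, `hostNames = ["viridian.home.arpa" "viridian"];`, costs nothing and avoids a silent trust gap; adding the peer's static address, if it has one, also covers connections made by IP. The same applies to the `fuchsia` entries in the next file section. Whether the shortname still resolves depends on the resolver's search domain, which this hunk does not show.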


@ -4,14 +4,14 @@
"${inputs.self}/nixos/fuchsia/ssh_host_ed25519_key.pub" "${inputs.self}/nixos/fuchsia/ssh_host_ed25519_key.pub"
); );
in { in {
# Trust fuchsia's host keys for SSH connections # Trust fuchsia's host keys for SSH connections (system-level, uses FQDN)
programs.ssh.knownHosts = { programs.ssh.knownHosts = {
"fuchsia-ed25519" = { "fuchsia-ed25519" = {
hostNames = ["fuchsia"]; hostNames = ["fuchsia.home.arpa"];
publicKeyFile = "${inputs.self}/nixos/fuchsia/ssh_host_ed25519_key.pub"; publicKeyFile = "${inputs.self}/nixos/fuchsia/ssh_host_ed25519_key.pub";
}; };
"fuchsia-rsa" = { "fuchsia-rsa" = {
hostNames = ["fuchsia"]; hostNames = ["fuchsia.home.arpa"];
publicKeyFile = "${inputs.self}/nixos/fuchsia/ssh_host_rsa_key.pub"; publicKeyFile = "${inputs.self}/nixos/fuchsia/ssh_host_rsa_key.pub";
}; };
}; };