Fixes backup system authentication and hostname resolution issues. Changes: - Change PermitRootLogin from "no" to "prohibit-password" in global SSH config (allows key-based root login for host-to-host backups while blocking passwords) - Update fuchsia onsite backup to use viridian.home.arpa FQDN instead of shortname - Update SSH knownHosts to use FQDNs (fuchsia.home.arpa, viridian.home.arpa) (system-level config uses FQDNs, user shortcuts remain in home-manager) This enables the complete 3-2-1 backup strategy with automated backups working correctly between fuchsia and viridian, and fuchsia to BorgBase.
{...}: {
|
|
# Global SSH server configuration baseline
|
|
# Host-specific trust relationships are configured in each host's services/ssh/
|
|
|
|
services.openssh = {
|
|
enable = true;
|
|
|
|
settings = {
|
|
PermitRootLogin = "prohibit-password"; # Allow root login with keys only
|
|
PasswordAuthentication = false; # Require key-based authentication
|
|
LogLevel = "VERBOSE"; # Enhanced logging for security auditing
|
|
};
|
|
|
|
ports = [22]; # Standard SSH port
|
|
openFirewall = true; # Allow SSH through firewall
|
|
};
|
|
}
|
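Review bot: `PasswordAuthentication = false;` on its own does not stop password prompts delivered through PAM, because sshd's keyboard-interactive method stays enabled unless `KbdInteractiveAuthentication` is also turned off, and the NixOS option defaults to true as far as I recall; add `KbdInteractiveAuthentication = false; # Also disable PAM keyboard-interactive prompts` next to it so the key-only intent stated in the comment actually holds. Since this baseline is imported by every host, the new `PermitRootLogin = "prohibit-password"` opens root key login fleet-wide rather than only on the backup pair; the per-host services/ssh/ entries that carry the backup keys are the place to narrow it, for example prefixing the root authorized key with `restrict,command="<backup serve command>"` so that key cannot obtain an interactive root shell (if the backups run over borg, that would be its `borg serve` invocation with path restrictions). The comment on that line could also read "Allow root login with keys or other non-password methods" instead of "keys only", since prohibit-password still permits hostbased/GSSAPI authentication when those are enabled.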