authorquentin@aristote.fr <quentin@aristote.fr>2026-01-17 16:06:34 +0100
committerquentin@aristote.fr <quentin@aristote.fr>2026-01-17 21:42:37 +0100
commit59612bd4cf0a8fd1e68569fdc89fd957b67da44f (patch)
treefbdf5308781379e2ca37e7038d08e434e276b570
parent7cd1f0201a2060f978daee31121cbf763861656c (diff)
ssh: hardenHEADmaster
-rw-r--r--config/services/git/default.nix11
-rw-r--r--config/users.nix29
2 files changed, 18 insertions, 22 deletions
diff --git a/config/services/git/default.nix b/config/services/git/default.nix
index 5c6d629..65663c1 100644
--- a/config/services/git/default.nix
+++ b/config/services/git/default.nix
@@ -16,15 +16,4 @@
};
users.groups.git = { };
-
- services.openssh = {
- extraConfig = ''
- Match user git
- AllowTcpForwarding no
- AllowAgentForwarding no
- PasswordAuthentication no
- PermitTTY no
- X11Forwarding no
- '';
- };
}
diff --git a/config/users.nix b/config/users.nix
index 2f152a8..0f86058 100644
--- a/config/users.nix
+++ b/config/users.nix
@@ -2,25 +2,32 @@
lib,
pkgs,
...
-}: let
+}:
+let
remoteBuildingUsers = {
hermes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGstvYymapGvkjvKbFqkMZtE9ft9uEM13n8q798HtOT+ root@hermes";
kerberos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgohiYF2Dsaq6ImGaslnKJMwpiVtwAaM9cm1tpSRr7t root@kerberos";
};
-in {
+in
+{
personal.user.enable = true;
- users.users =
- builtins.mapAttrs (_: key: {
- isNormalUser = true;
- shell = pkgs.busybox-sandbox-shell;
- openssh.authorizedKeys.keys = [key];
- homeMode = "700";
- })
- remoteBuildingUsers;
+ users.users = builtins.mapAttrs (_: key: {
+ isNormalUser = true;
+ shell = pkgs.busybox-sandbox-shell;
+ openssh.authorizedKeys.keys = [ key ];
+ homeMode = "700";
+ }) remoteBuildingUsers;
+
+ services.openssh.extraConfig = lib.concatLines (
+ lib.mapAttrsToList (name: _: ''
+ Match user ${name}
+ PermitTTY yes
+ '') remoteBuildingUsers
+ );
# broken (doesn't do anything)
system.userActivationScripts.remoteBuildingSetup = ''
- if [[ $(whoami) = @(${lib.concatStringsSep "|" (builtins.attrNames remoteBuildingUsers)}) ]]
+ if [[ $(whoami) = @(${builtins.concatStringsSep "|" (builtins.attrNames remoteBuildingUsers)}) ]]
then
mkdir --parents --mode=700 nixos-configuration
git init --bare nixos-configuration