sshd
Enables secure remote access to the machine over SSH
The sshd Clan service manages SSH to make it easy to securely access your machines over the internet. The service uses vars to store the SSH host keys for each machine to ensure they remain stable across deployments.
sshd also generates SSH certificates for both servers and clients, allowing for certificate-based authentication for SSH.
The service also disables password-based authentication over SSH. To access your machines, you'll need to use public key authentication or certificate-based authentication.
Usage
{
  inventory.instances = {
    # By default this service only generates ed25519 host keys
    sshd-basic = {
      module = {
        name = "sshd";
        input = "clan-core";
      };
      roles.server.tags.all = { };
      roles.client.tags.all = { };
    };
    # Also generate RSA host keys for all servers
    sshd-with-rsa = {
      module = {
        name = "sshd";
        input = "clan-core";
      };
      roles.server.tags.all = { };
      roles.server.settings = {
        hostKeys.rsa.enable = true;
      };
      roles.client.tags.all = { };
    };
  };
}
Roles
The sshd module has the following roles:
- client
- server
Options for the client role
certificate.searchDomains
List of domains to include in the certificate. This option will prepend the machine name in front of each domain before adding it to the certificate.
Type: list of string
Default:
Declared in: clanServices/sshd/default.nix
Options for the server role
certificate.searchDomains
List of domains to include in the certificate. This option will prepend the machine name in front of each domain before adding it to the certificate.
Type: list of string
Default:
Declared in: clanServices/sshd/default.nix
hostKeys.rsa.enable
Whether to generate an RSA host key.
Type: boolean
Default:
Declared in: clanServices/sshd/default.nix
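One way to check, after a deployment, that a host certificate actually carries the names certificate.searchDomains should produce. This is an added example, not part of the Clan documentation or clan-core. It assumes the machine name is joined to each domain with a dot; the machine name web01, the domains, and the sample `ssh-keygen -L` output are constructed.

```shell
#!/bin/sh
# Added example, not clan-core code.

# expected_principals MACHINE DOMAIN... -> one "<machine>.<domain>" per line.
# Assumption: machine name and domain are joined with a dot.
expected_principals() {
    machine=$1
    shift
    for domain in "$@"; do
        printf '%s.%s\n' "$machine" "$domain"
    done
}

# cert_principals: filter `ssh-keygen -L` output (stdin) down to the
# entries of its "Principals:" block, one per line.
cert_principals() {
    awk '
        $1 == "Principals:" { in_block = 1; next }
        $1 == "Critical"    { in_block = 0 }
        in_block && NF      { print $1 }
    '
}

# missing_principals MACHINE DOMAIN...
# Reads `ssh-keygen -L` output on stdin, prints every expected name the
# certificate lacks, and returns 1 if any is missing.
missing_principals() {
    have=$(cert_principals)
    missing=$(expected_principals "$@" | while read -r name; do
        printf '%s\n' "$have" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
}

# Constructed sample of `ssh-keygen -L` output (fingerprints are placeholders).
SAMPLE_CERT_INFO='ssh_host_ed25519_key-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com host certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDER
        Signing CA: ED25519 SHA256:PLACEHOLDER (using ssh-ed25519)
        Principals:
                web01.example.com
                web01.lan.example
        Critical Options: (none)'

# Real use (the certificate path is a placeholder):
#   ssh-keygen -L -f <host-cert.pub> | missing_principals web01 example.com
printf '%s\n' "$SAMPLE_CERT_INFO" | missing_principals web01 example.com lan.example \
    && echo "all expected principals present"
```

A non-zero exit with a printed name means clients that connect using that name will not match the certificate.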