fix: this pr is wrong place to harden ssh

samrose · samrose · commit d5e30592bc21 · 2026-03-13T10:12:39.000-04:00
diff --git a/nix/systemConfigs.nix b/nix/systemConfigs.nix
@@ -1,7 +1,7 @@
 { self, inputs, ... }:
 let
   mkModules = system: [
-    self.systemModules.ssh-config
+    self.systemModules.genesis
     ({
       nixpkgs.hostPlatform = system;
     })
diff --git a/nix/systemModules/default.nix b/nix/systemModules/default.nix
@@ -5,14 +5,11 @@
   imports = [ ./tests ];
   flake = {
     systemModules = {
-      ssh-config = {
-        environment.etc."ssh/sshd_config.d/local.conf" = {
-          text = ''
-            Match Address 127.0.0.1,::1
-              ForceCommand /bin/false
-              DisableForwarding yes
-              PermitTunnel no
-          '';
+      genesis = {
+        #this file is just a placeholder to bootstrap 
+        #the system manager, it will be replaced by real configurations
+        environment.etc."system-manager-genesis" = {
+          text = "";
           user = "root";
           group = "root";
           mode = "0644";
diff --git a/nix/systemModules/tests/default.nix b/nix/systemModules/tests/default.nix
@@ -24,12 +24,11 @@
               machine.activate()
               machine.wait_for_unit("system-manager.target")
 
-              with subtest("Verify ssh config"):
-                  assert machine.file("/etc/ssh/sshd_config.d/local.conf").exists, "/etc/ssh/sshd_config.d/local.conf should exist"
-                  assert machine.file("/etc/ssh/sshd_config.d/local.conf").mode == 0o644, "/etc/ssh/sshd_config.d/local.conf should have mode 0644"
-                  assert machine.file("/etc/ssh/sshd_config.d/local.conf").user == "root", "/etc/ssh/sshd_config.d/local.conf should be owned by root"
-                  assert machine.file("/etc/ssh/sshd_config.d/local.conf").group == "root", "/etc/ssh/sshd_config.d/local.conf should be owned by root"
-                  assert machine.file("/etc/ssh/sshd_config.d/local.conf").contains("Match Address"), "/etc/ssh/sshd_config.d/local.conf should contain 'Match Address'"
+              with subtest("Verify genesis file"):
+                  assert machine.file("/etc/system-manager-genesis").exists, "/etc/system-manager-genesis should exist"
+                  assert machine.file("/etc/system-manager-genesis").mode == 0o644, "/etc/system-manager-genesis should have mode 0644"
+                  assert machine.file("/etc/system-manager-genesis").user == "root", "/etc/system-manager-genesis should be owned by root"
+                  assert machine.file("/etc/system-manager-genesis").group == "root", "/etc/system-manager-genesis should be owned by root"
             '';
           };
       };
