# NixOS VM test: start sshd with the settings below and require ssh-audit,
# run against 127.0.0.1 inside the VM, to exit successfully.
#
# Arguments:
#   pkgs - package set the test is built from (defaults to <nixpkgs>)
#   name - name given to the resulting test
{
  pkgs ? import <nixpkgs> { },
  name ? "ssh-server-audit",
  ...
}:
let
  # sshd settings under audit. Only the key-exchange list is pinned here;
  # ciphers, MACs and host-key algorithms are not set, so they come from the
  # defaults of whichever nixpkgs revision is passed in as `pkgs`.
  sshdSettings = {
    # Only members of the "users" group may log in.
    AllowGroups = [ "users" ];
    # Password-style authentication is off in both forms.
    KbdInteractiveAuthentication = false;
    PasswordAuthentication = false;
    PermitRootLogin = "no";
    # Curve25519 key exchange (both spellings) plus the sntrup761/X25519 hybrid.
    KexAlgorithms = [
      "curve25519-sha256"
      "curve25519-sha256@libssh.org"
      "sntrup761x25519-sha512@openssh.com"
    ];
  };
in
pkgs.testers.runNixOSTest (
  { pkgs, lib, ... }:
  {
    inherit name;

    nodes.machine = {
      system.stateVersion = "26.11";

      # Units switched off for the test VM (presumably to keep it minimal).
      systemd.user.tmpfiles.enable = false;

      # Enabled on the node, but testScript below never exercises it.
      security.pam.sshAgentAuth.enable = true;

      services = {
        fstrim.enable = false;
        udev.enable = false;
        openssh = {
          enable = true;
          settings = sshdSettings;
        };
      };
    };

    # machine.succeed fails the test when the command exits non-zero, so a
    # non-zero ssh-audit exit status fails the check.
    testScript = ''
      start_all()
      machine.wait_for_unit("sshd.service")
      machine.succeed("${lib.getExe pkgs.ssh-audit} 127.0.0.1")
    '';
  }
)
# Flake that runs the ssh-audit VM test from this directory against two pinned
# nixpkgs revisions, so the audit outcome can be compared between them.
{
  inputs = {
    nixpkgs-a.url = "github:nixos/nixpkgs/5312ce1bae2879cc2ff7a3e2851bf32918099079";
    nixpkgs-b.url = "github:nixos/nixpkgs/5620d245adf03c58b74f803031ba2a85d204db31";
  };

  outputs =
    inputs:
    let
      system = "x86_64-linux";

      # Instantiate the test in ./. under `name`, built from the given nixpkgs input.
      auditWith =
        name: nixpkgs:
        import ./. {
          inherit name;
          pkgs = import nixpkgs { inherit system; };
        };
    in
    {
      checks.${system} = {
        should-succeed = auditWith "ssh-server-audit-should-succeed" inputs.nixpkgs-a;
        # The expectation lives only in the name: nothing here inverts the
        # result, so a failing audit on nixpkgs-b shows up as a failing check.
        should-fail = auditWith "ssh-server-audit-should-fail" inputs.nixpkgs-b;
      };
    };
}