Most unprivileged User

Hey all,

I’m using NixOS on some VPSes and I’m trying to harden these servers as much as possible. I had the idea to expose the SSH interface on only one server and use this one as a jump host to the rest. The other servers would have a firewall rule to only allow incoming SSH traffic from the jump host.

I was able to secure the SSH interface (no passwords, 2FA with TOTP, no root login, …) but I also want the user on the jump host to be as unprivileged as possible.

Usually, any user can use nix-shell -p and can read a lot of directories. How can I strip this down to just the minimum?

You could limit users’ access to the nix daemon by changing nix.settings.allowed-users so they won’t be able to add new paths. But it will not limit access to paths that are already in /nix/store.

That’s a good start!

Another idea would be to not allow login at all and configure two SSH servers for this host. One would work as an SSH proxy using ProxyJump or ProxyCommand, and the other would only listen to the other servers and/or 127.0.0.1 for administrative purposes. Does anyone have experience with such a setup under NixOS?
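An added example of how the pieces discussed in this thread could fit together (this is not a poster's configuration): the allowed-users restriction from the reply above, the sshd hardening from the first post, and, instead of a second sshd, a Match block that lets the jump user only forward TCP to the internal hosts with no shell. It assumes recent NixOS option names (services.openssh.settings), the iptables-based firewall, and placeholder values: a user named jump, jump host 10.0.0.1, internal hosts 10.0.0.2 and 10.0.0.3; keyboard-interactive is left at its default so a PAM TOTP step still works.

```nix
# Added example, not from anyone in this thread. Placeholders: user "jump",
# jump host 10.0.0.1, internal hosts 10.0.0.2 and 10.0.0.3.
{
  # Module for the jump host.
  jumpHost = { pkgs, ... }: {
    # Only root and wheel may talk to the nix daemon, so "nix-shell -p"
    # fails for the jump user (paths already in /nix/store stay readable).
    nix.settings.allowed-users = [ "root" "@wheel" ];

    users.users.jump = {
      isNormalUser = true;
      shell = "${pkgs.shadow}/bin/nologin";  # never gets an interactive shell
      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA...placeholder-key..." ];
    };

    services.openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin = "no";
      };
      # The jump user may only open TCP forwards to port 22 of the internal
      # hosts (what "ssh -J" needs); agent, X11, tunnels and PTYs are refused.
      # Administrative logins use a separate account without this Match block.
      extraConfig = ''
        Match User jump
          AllowTcpForwarding yes
          PermitOpen 10.0.0.2:22 10.0.0.3:22
          AllowAgentForwarding no
          X11Forwarding no
          PermitTTY no
          PermitTunnel no
          ForceCommand /run/current-system/sw/bin/false
      '';
    };
  };

  # Module for each internal host: SSH reachable only from the jump host.
  internalHost = { ... }: {
    services.openssh.enable = true;
    networking.firewall = {
      enable = true;
      # Port 22 is not opened globally; it is accepted only from the jump host.
      extraCommands = ''
        iptables -A nixos-fw -p tcp --dport 22 -s 10.0.0.1 -j nixos-fw-accept
      '';
    };
  };
}
```

From a client, ssh -J jump@10.0.0.1 admin@10.0.0.2 then works, while ssh jump@10.0.0.1 on its own yields no shell.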