| author | Alejandro Soto <alejandro@34project.org> | 2024-08-12 00:41:19 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2024-08-12 13:59:58 -0600 |
| commit | 107f24b24c390214c3944b29b49ba76de694d8cf (patch) | |
| tree | e166e85cc1a000e573d1e11bbfd6e3950d1d7a92 | |
| parent | 9a00ff99b469155b4e585228b9fbfb1e59d9fb57 (diff) | |
sys/[lustrated]: enable SSH over vsock
| -rw-r--r-- | sys/auth/openssh.nix | 38 |
1 files changed, 30 insertions, 8 deletions
diff --git a/sys/auth/openssh.nix b/sys/auth/openssh.nix index 248ccc7..c1c6c58 100644 --- a/sys/auth/openssh.nix +++ b/sys/auth/openssh.nix @@ -4,6 +4,7 @@ with lib; let withOath = config.local.auth.oath.enable; port = if cfg.shiftPortNumber then 2234 else 22; + restrict = cfg.restrictListen; in { options.local.auth.openssh = { @@ -31,7 +32,12 @@ in }; interface = mkOption { - type = str; + type = nullOr str; + }; + + vsockCid = mkOption { + type = nullOr ints.u32; + default = null; }; }; }); @@ -54,20 +60,32 @@ in assertion = cfg.tunnel.enable -> withOath; message = "SSH tunnel requires oath"; } + { + assertion = restrict != null -> (restrict.vsockCid != null -> (restrict.interface == null && restrict.addresses == [ ])); + message = "SSH vsock restrict requires disabling inet"; + } + { + assertion = restrict != null -> (restrict.vsockCid != null -> config.services.openssh.startWhenNeeded); + message = "SSH vsock restrict requires socket activation"; + } + { + assertion = any (key: key) (attrValues cfg.hostKeys); + message = "No OpenSSH host keys were enabled"; + } ]; local.boot.impermanence.files = flatten (map (key: [ key.path "${key.path}.pub" ]) config.services.openssh.hostKeys); - networking.firewall.interfaces = optionalAttrs (cfg.restrictListen != null) { - ${cfg.restrictListen.interface}.allowedTCPPorts = [ port ]; + networking.firewall.interfaces = optionalAttrs (restrict != null && restrict.interface != null) { + ${restrict.interface}.allowedTCPPorts = [ port ]; }; services.openssh = { enable = true; - ports = [ port ]; - openFirewall = cfg.restrictListen == null; + ports = optional (restrict != null -> restrict.addresses != [ ]) port; + openFirewall = restrict == null; startWhenNeeded = !config.services.fail2ban.enable; extraConfig = optionalString cfg.tunnel.enable '' 
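Review bot: `interface` is widened to `nullOr str` in the second hunk but gets no `default`, so a vsock-only `restrictListen` still has to spell out `interface = null;` before the new assertions and the `networking.firewall.interfaces` condition can read `restrict.interface`; an option that is declared without a default and never set is an evaluation error, not null. Add `default = null;` so it matches the `vsockCid` option declared directly below it. The `restrictListen` submodule starts before this hunk, so whether `addresses` carries an empty-list default is not visible here.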
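Review bot: `ports = optional (restrict != null -> restrict.addresses != [ ]) port;` drops the Port setting for every `restrictListen` whose `addresses` is empty, not only for the vsock case, so an interface-only restriction would presumably fall back to sshd's built-in port 22 on all addresses while the firewall rule a few lines earlier opens `port` (2234 when `shiftPortNumber` is set), and under socket activation the socket unit is left with no listen stream derived from ports at all. Keying the condition on the vsock option states the intent directly: `ports = optional (restrict == null || restrict.vsockCid == null) port;`. This assumes `addresses` may legitimately be empty without vsock, which the first new assertion implies but the option declaration (outside this hunk) would confirm. The second new assertion depends on `startWhenNeeded`, which this same attribute set ties to `!config.services.fail2ban.enable`, so its message could name the actual trigger: `message = "SSH vsock restrict requires socket activation (incompatible with fail2ban)";`.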
@@ -98,13 +116,17 @@ in (attrNames (filterAttrs (name: enable: enable) cfg.hostKeys)); settings = { - X11Forwarding = true; + X11Forwarding = config.local.seat.enable && config.local.seat.graphical; PermitRootLogin = "prohibit-password"; PasswordAuthentication = withOath; # Necesario para oath, no reemplaza a oath }; - listenAddresses = mkIf (cfg.restrictListen != null) - (map (addr: { inherit addr; }) cfg.restrictListen.addresses); + listenAddresses = mkIf (restrict != null) + (map (addr: { inherit addr; }) restrict.addresses); + }; + + systemd.sockets = mkIf (restrict != null && restrict.vsockCid != null) { + sshd.socketConfig.ListenStream = mkForce [ "vsock:${toString restrict.vsockCid}:${toString port}" ]; }; users.users = { |
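Review bot: The forced `ListenStream = "vsock:CID:port"` in the new `systemd.sockets` block sits outside every mechanism this module otherwise uses to fence sshd (`networking.firewall`, `listenAddresses`, `openFirewall`), since vsock traffic does not pass through netfilter, and `ints.u32` also admits `4294967295` (VMADDR_CID_ANY) and, presumably on a host, the host CID, which would expose sshd to every guest the hypervisor routes to it. A comment on the `mkForce` line would keep that from being rediscovered: `# vsock is not subject to networking.firewall; any peer the hypervisor routes to this CID reaches sshd directly`. It is also worth noting there that `port` is reused as the vsock port number for convenience only and has no relation to the inet port it mirrors. The `services.openssh` attribute set this hunk closes begins outside the hunk.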
