| author | Alejandro Soto <alejandro@34project.org> | 2024-07-14 17:53:13 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2024-07-15 09:34:00 -0600 |
| commit | 02abf4ed0131237c25e0a10db50fa4c41a902a50 (patch) | |
| tree | 20904894fc0952806e341cdaff5941e81b3ce51c /sys/auth.nix | |
| parent | 08e746700341dda3e3bdf704332fc3c07053d3e7 (diff) | |
sys: final merge of dmz, hv into sys
Diffstat (limited to 'sys/auth.nix')
| -rw-r--r-- | sys/auth.nix | 82 |
1 files changed, 0 insertions, 82 deletions
diff --git a/sys/auth.nix b/sys/auth.nix
deleted file mode 100644
index 835f836..0000000
--- a/sys/auth.nix
+++ /dev/null
@@ -1,82 +0,0 @@
-{ config, lib, pkgs, ... }:
-with lib; let
-  cfg = config.local;
-in
-{
-  config = {
-    security.pam = {
-      oath = {
-        usersFile = "/var/trust/auth/users.oath";
-        digits = 6;
-        window = 30;
-      };
-
-      services.sshd.oathAuth = true;
-    };
-
-    services.openssh = {
-      enable = true;
-      openFirewall = false;
-      ports = [ 2234 ];
-      startWhenNeeded = true;
-
-      hostKeys = [
-        {
-          bits = 4096;
-          path = "/etc/ssh/ssh_host_rsa_key";
-          type = "rsa";
-        }
-        {
-          path = "/etc/ssh/ssh_host_ed25519_key";
-          type = "ed25519";
-        }
-        #TODO: Desfasar, inseguro
-        {
-          path = "/etc/ssh/ssh_host_ecdsa_key";
-          type = "ecdsa";
-        }
-      ];
-
-      settings = {
-        X11Forwarding = true;
-        PermitRootLogin = "no";
-        PasswordAuthentication = true; # Necesario para oath, no reemplaza a oath
-      };
-
-      extraConfig = ''
-        # User 'tunnel' has no password. Use PAM OATH
-        # and connect with -N, forward with -R.
-        Match User tunnel
-          AllowTcpForwarding remote
-          AllowStreamLocalForwarding no
-          X11Forwarding no
-          PermitTunnel no
-          GatewayPorts no
-          AllowAgentForwarding no
-          PermitOpen none
-          PermitListen 60220 60221 60222 60223 60224 60225 60226 60227 60228 60229
-
-          Banner ${pkgs.writeText "tunnel-banner" ''
-            This is a reverse tunnel
-          ''}
-      '';
-    };
-
-    services.pcscd.enable = true;
-    services.udev.packages = [ pkgs.yubikey-personalization ];
-
-    networking.firewall.allowedTCPPorts = [ 2234 ];
-
-    users.users.tunnel = {
-      uid = 1100;
-      group = "nogroup";
-      isSystemUser = true;
-
-      # Requiere oath
-      password = "tunnel";
-
-      home = "/var/empty";
-      shell = "${pkgs.coreutils}/bin/true";
-    };
-  };
-}
