| author | Alejandro Soto <alejandro@34project.org> | 2022-08-08 04:05:05 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2022-08-08 04:05:05 -0600 |
| commit | 48d2ef9f8bc681e73380f89872fa55a0a86e9161 (patch) | |
| tree | eed5bc89156cc68d13bc902f1f86f18611a435bc /sys/auth.nix | |
| parent | 6898012a82e98e6c0201b7c25af845302cecdb4e (diff) | |
sys/auth: move out of sys/default.nix
Diffstat (limited to 'sys/auth.nix')
| -rw-r--r-- | sys/auth.nix | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/sys/auth.nix b/sys/auth.nix
new file mode 100644
index 0000000..e6e156d
--- /dev/null
+++ b/sys/auth.nix
@@ -0,0 +1,45 @@
+{ lib, config, ... }:
+with lib; let
+ cfg = config.local;
+in {
+ config = {
+ security.pam = {
+ oath = {
+ usersFile = "/var/trust/auth/users.oath";
+ digits = 6;
+ window = 30;
+ };
+
+ services.sshd.oathAuth = true;
+ };
+
+ services.openssh = {
+ enable = true;
+ openFirewall = false;
+ ports = [ 2234 ];
+
+ forwardX11 = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+
+ hostKeys = [
+ {
+ bits = 4096;
+ path = "/etc/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ }
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ #TODO: Desfasar, inseguro
+ {
+ path = "/etc/ssh/ssh_host_ecdsa_key";
+ type = "ecdsa";
+ }
+ ];
+ };
+
+ networking.firewall.allowedTCPPorts = [ 2234 ];
+ };
+} |
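Review bot: `services.sshd.oathAuth = true;` does not make the OTP a second factor for the key-based logins this file permits: with `passwordAuthentication = false` and no `AuthenticationMethods` directive in `services.openssh`, sshd accepts a public key on its own, and the PAM auth stack where pam_oath runs is only consulted for keyboard-interactive logins, so a stolen key bypasses the token entirely. If key + OTP is the intent, add `extraConfig = "AuthenticationMethods publickey,keyboard-interactive";` to the `services.openssh` block and confirm keyboard-interactive authentication is left enabled in this NixOS release (inferred from OpenSSH/NixOS defaults — verify against the generated sshd_config). `forwardX11 = true` widens the server's attack surface and deserves either a justifying comment or removal if no GUI programs are run over this host. The ECDSA host key kept under `#TODO: Desfasar, inseguro` could be dropped in this same commit, since the RSA and ed25519 keys above it already serve compatible clients; if it stays, an English comment such as `# TODO: phase out — author considers this key type insecure` would help maintainers who do not read Spanish.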
