| author | Alejandro Soto <alejandro@34project.org> | 2024-07-14 17:53:13 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2024-07-15 09:34:00 -0600 |
| commit | 02abf4ed0131237c25e0a10db50fa4c41a902a50 (patch) | |
| tree | 20904894fc0952806e341cdaff5941e81b3ce51c /sys/auth | |
| parent | 08e746700341dda3e3bdf704332fc3c07053d3e7 (diff) | |
sys: final merge of dmz, hv into sys
Diffstat (limited to '')
| -rw-r--r-- | sys/auth.nix | 82 | ||||
| -rw-r--r-- | sys/auth/default.nix | 6 | ||||
| -rw-r--r-- | sys/auth/oath.nix | 34 | ||||
| -rw-r--r-- | sys/auth/openssh.nix | 86 |
4 files changed, 126 insertions, 82 deletions
diff --git a/sys/auth.nix b/sys/auth.nix deleted file mode 100644 index 835f836..0000000 --- a/sys/auth.nix +++ /dev/null @@ -1,82 +0,0 @@ -{ config, lib, pkgs, ... }: -with lib; let - cfg = config.local; -in -{ - config = { - security.pam = { - oath = { - usersFile = "/var/trust/auth/users.oath"; - digits = 6; - window = 30; - }; - - services.sshd.oathAuth = true; - }; - - services.openssh = { - enable = true; - openFirewall = false; - ports = [ 2234 ]; - startWhenNeeded = true; - - hostKeys = [ - { - bits = 4096; - path = "/etc/ssh/ssh_host_rsa_key"; - type = "rsa"; - } - { - path = "/etc/ssh/ssh_host_ed25519_key"; - type = "ed25519"; - } - #TODO: Desfasar, inseguro - { - path = "/etc/ssh/ssh_host_ecdsa_key"; - type = "ecdsa"; - } - ]; - - settings = { - X11Forwarding = true; - PermitRootLogin = "no"; - PasswordAuthentication = true; # Necesario para oath, no reemplaza a oath - }; - - extraConfig = '' - # User 'tunnel' has no password. Use PAM OATH - # and connect with -N, forward with -R. - Match User tunnel - AllowTcpForwarding remote - AllowStreamLocalForwarding no - X11Forwarding no - PermitTunnel no - GatewayPorts no - AllowAgentForwarding no - PermitOpen none - PermitListen 60220 60221 60222 60223 60224 60225 60226 60227 60228 60229 - - Banner ${pkgs.writeText "tunnel-banner" '' - This is a reverse tunnel - ''} - ''; - }; - - services.pcscd.enable = true; - services.udev.packages = [ pkgs.yubikey-personalization ]; - - networking.firewall.allowedTCPPorts = [ 2234 ]; - - users.users.tunnel = { - uid = 1100; - group = "nogroup"; - isSystemUser = true; - - # Requiere oath - password = "tunnel"; - - home = "/var/empty"; - shell = "${pkgs.coreutils}/bin/true"; - }; - }; -} diff --git a/sys/auth/default.nix b/sys/auth/default.nix new file mode 100644 index 0000000..4678da9 --- /dev/null +++ b/sys/auth/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./oath.nix + ./openssh.nix + ]; +} 
diff --git a/sys/auth/oath.nix b/sys/auth/oath.nix new file mode 100644 index 0000000..7030bab --- /dev/null +++ b/sys/auth/oath.nix @@ -0,0 +1,34 @@ +{ config, lib, pkgs, ... }: +with lib; let + cfg = config.local.auth.oath; +in +{ + options.local.auth.oath = { + enable = lib.mkEnableOption "pam-oath"; + }; + + config = lib.mkIf cfg.enable { + security.pam = { + oath = { + digits = 6; + window = 30; + + usersFile = "/var/trust/auth/users.oath"; + }; + + services.sshd.oathAuth = true; + }; + + users.users.tunnel = { + uid = 1100; + group = "nogroup"; + isSystemUser = true; + + # Requiere oath + password = "tunnel"; + + home = "/var/empty"; + shell = "${pkgs.coreutils}/bin/true"; + }; + }; +} diff --git a/sys/auth/openssh.nix b/sys/auth/openssh.nix new file mode 100644 index 0000000..2030682 --- /dev/null +++ b/sys/auth/openssh.nix 
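Review bot: `users.users.tunnel` is declared here under `local.auth.oath.enable` alone, and the identical block is declared again in sys/auth/openssh.nix under `cfg.tunnel.enable`; the values match today so the module system merges them, but the first attribute that drifts (uid, shell, password) becomes a conflicting-definition evaluation error, and the tunnel account also exists on every oath-enabled host that never enables the tunnel. Keep the account in one module — openssh.nix already asserts `cfg.tunnel.enable -> withOath` — and drop it from this hunk. Separately, `password = "tunnel"` is a plaintext password, which for this NixOS option ends up readable in the Nix store; the only explanation is `# Requiere oath`, so state the intent, e.g. `# Deliberately public: with services.sshd.oathAuth the OTP is the real secret, not this password`. Also a point of style: this file opens with `with lib;` yet still writes `lib.mkEnableOption` and `lib.mkIf`; pick one form.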
@@ -0,0 +1,86 @@ +{ config, lib, pkgs, ... }: +with lib; let + cfg = config.local.auth.openssh; + withOath = config.local.auth.oath.enable; +in +{ + options.local.auth.openssh = { + enable = mkEnableOption "openssh"; + tunnel.enable = mkEnableOption "ssh tunnel user"; + + #TODO: Desfasar ecdsa, inseguro + hostKeys = listToAttrs (map + (name: { + inherit name; + + value = mkOption { + type = types.bool; + default = false; + }; + }) [ "ecdsa" "ed25519" "rsa" ]); + }; + + config = lib.mkIf cfg.enable { + assertions = [ + { + assertion = cfg.tunnel.enable -> withOath; + message = "SSH tunnel requires oath"; + } + ]; + + local.boot.impermanence.files = + flatten (map (key: [ key.path "${key.path}.pub" ]) config.services.openssh.hostKeys); + + services.openssh = { + enable = true; + openFirewall = true; + ports = [ 2234 ]; + startWhenNeeded = true; + + hostKeys = map + (name: { + path = "/etc/ssh/ssh_host_${name}_key"; + type = name; + } // optionalAttrs (name == "rsa") { + bits = 4096; + }) + (attrNames (filterAttrs (name: enable: enable) cfg.hostKeys)); + + settings = { + X11Forwarding = true; + PermitRootLogin = "prohibit-password"; + PasswordAuthentication = withOath; # Necesario para oath, no reemplaza a oath + }; + + extraConfig = optionalString cfg.tunnel.enable '' + # User 'tunnel' has no password. Use PAM OATH + # and connect with -N, forward with -R. + Match User tunnel + AllowTcpForwarding remote + AllowStreamLocalForwarding no + X11Forwarding no + PermitTunnel no + GatewayPorts no + AllowAgentForwarding no + PermitOpen none + PermitListen 60220 60221 60222 60223 60224 60225 60226 60227 60228 60229 + + Banner ${pkgs.writeText "tunnel-banner" '' + This is a reverse tunnel + ''} + ''; + }; + + users.users.tunnel = mkIf cfg.tunnel.enable { + uid = 1100; + group = "nogroup"; + isSystemUser = true; + + # Requiere oath + password = "tunnel"; + + home = "/var/empty"; + shell = "${pkgs.coreutils}/bin/true"; + }; + }; +} |
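Review bot: every `local.auth.openssh.hostKeys.<type>` option defaults to `false`, so a host that sets only `local.auth.openssh.enable = true` gets `services.openssh.hostKeys = []` from the `filterAttrs` over the flags and presumably no host key generated for sshd to present; default the recommended type on by changing the option body to `default = name == "ed25519";`, or add an assertion that at least one `hostKeys` flag is set. The generated options also lack a `description`, which is what `nixos-option` and the module docs show; something like "Generate and serve an ssh_host_${name}_key" would do. `PermitRootLogin = "prohibit-password"` loosens the deleted sys/auth.nix value of `"no"` — root can still log in with a key — so if that is intended, a one-line comment saying why would stop the next reader from reverting it. The `#TODO: Desfasar ecdsa, inseguro` note is carried over while the ecdsa flag remains selectable; consider noting in the option that it is kept only for legacy clients.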
