| author | Alejandro Soto <alejandro@34project.org> | 2024-08-18 01:43:08 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2024-08-18 01:43:08 -0600 |
| commit | 1a8c52d5baf6b9245b5363f92db50f007bfb2cea (patch) | |
| tree | 6fd3cd7c7e659a32db0d748c8e6d6d54f2adb3bd /sys | |
| parent | 9fb3edb8332936a19eada649fbc0f6ab1de09ccf (diff) | |
sys/[lustrated]: implement FIDO2 auth over vsock
Diffstat (limited to '')
| -rw-r--r-- | sys/auth/openssh.nix | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/sys/auth/openssh.nix b/sys/auth/openssh.nix
index c1c6c58..eaa28c2 100644
--- a/sys/auth/openssh.nix
+++ b/sys/auth/openssh.nix
@@ -69,6 +69,10 @@ in
 message = "SSH vsock restrict requires socket activation";
 }
 {
+ assertion = restrict != null -> (restrict.vsockCid != null -> config.local.virt.enable);
+ message = "SSH vsock restrict requires nixvirt";
+ }
+ {
 assertion = any (key: key) (attrValues cfg.hostKeys);
 message = "No OpenSSH host keys were enabled";
 }
@@ -126,7 +130,10 @@ in
 };
 systemd.sockets = mkIf (restrict != null && restrict.vsockCid != null) {
- sshd.socketConfig.ListenStream = mkForce [ "vsock:${toString restrict.vsockCid}:${toString port}" ];
+ sshd = {
+ after = [ "nixvirt.service" ];
+ socketConfig.ListenStream = mkForce [ "vsock:${toString restrict.vsockCid}:${toString port}" ];
+ };
 };
 users.users = { |
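Review bot: The new assertion's message, `SSH vsock restrict requires nixvirt`, does not name the option the user has to set. The condition checks `config.local.virt.enable`, so the message could read `"SSH vsock restrict requires local.virt.enable (nixvirt)"`. The nested implication is correct, but `restrict != null && restrict.vsockCid != null -> config.local.virt.enable` is equivalent and mirrors the guard used on `systemd.sockets` in the second hunk, which makes the two conditions easier to keep in sync. The assertions list itself starts and ends outside the hunk.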
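Review bot: `after = [ "nixvirt.service" ];` on the `sshd` socket only orders the two units; it does not pull `nixvirt.service` in, and it has no effect when that unit is not started in the same transaction. If the vsock listener really depends on nixvirt having run (presumably what `local.virt.enable` provides), add a dependency as well, e.g. `wants = [ "nixvirt.service" ];`, or `requires` if the socket should fail when it does. Because `mkForce` makes the vsock address the only `ListenStream`, a bind that fails at boot leaves the machine without SSH, so a one-line comment such as `# vsock transport is only available once nixvirt has started` above `after` would record why the ordering exists. The enclosing configuration block continues outside the hunk.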
