Diffstat (limited to '')
| -rw-r--r-- | sys/auth/openssh.nix | 146 |
1 files changed, 81 insertions, 65 deletions
diff --git a/sys/auth/openssh.nix b/sys/auth/openssh.nix index 07e6977..44fb49a 100644 --- a/sys/auth/openssh.nix +++ b/sys/auth/openssh.nix @@ -1,15 +1,22 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: with lib; let cfg = config.local.auth.openssh; withOath = config.local.auth.oath.enable; withPassword = config.local.auth.openssh.passwordAuthentication; - port = if cfg.shiftPortNumber then 2234 else 22; + port = + if cfg.shiftPortNumber + then 2234 + else 22; restrict = cfg.restrictListen; exemptList = optionals config.local.net.fail2ban.enable config.services.fail2ban.ignoreIP; -in -{ +in { options.local.auth.openssh = { enable = mkEnableOption "openssh"; tunnel.enable = mkEnableOption "ssh tunnel user"; @@ -23,28 +30,29 @@ in type = types.bool; default = false; }; - }) [ "ecdsa" "ed25519" "rsa" ]); + }) ["ecdsa" "ed25519" "rsa"]); restrictListen = mkOption { default = null; - type = with types; nullOr (submodule { - options = { - addresses = mkOption { - type = listOf str; + type = with types; + nullOr (submodule { + options = { + addresses = mkOption { + type = listOf str; + }; + + interface = mkOption { + type = nullOr str; + default = null; + }; + + vsockCid = mkOption { + type = nullOr ints.u32; + default = null; + }; }; - - interface = mkOption { - type = nullOr str; - default = null; - }; - - vsockCid = mkOption { - type = nullOr ints.u32; - default = null; - }; - }; - }); + }); }; passwordAuthentication = mkOption { @@ -70,7 +78,7 @@ in message = "SSH tunnel requires oath"; } { - assertion = restrict != null -> (restrict.vsockCid != null -> (restrict.interface == null && restrict.addresses == [ ])); + assertion = restrict != null -> (restrict.vsockCid != null -> (restrict.interface == null && restrict.addresses == [])); message = "SSH vsock restrict requires disabling inet"; } { 
@@ -88,11 +96,11 @@ in
 ];
 local.boot.impermanence.files =
- flatten (map (key: [ key.path "${key.path}.pub" ]) config.services.openssh.hostKeys);
+ flatten (map (key: [key.path "${key.path}.pub"]) config.services.openssh.hostKeys);
 networking.firewall = {
 interfaces = optionalAttrs (restrict != null && restrict.interface != null) {
- ${restrict.interface}.allowedTCPPorts = [ port ];
+ ${restrict.interface}.allowedTCPPorts = [port];
 };
 allowedTCPPorts = optional (restrict == null || restrict.interface == null) port;
@@ -101,36 +109,41 @@ in
 services.openssh = {
 enable = true;
- ports = optional (restrict != null -> restrict.addresses != [ ]) port;
+ ports = optional (restrict != null -> restrict.addresses != []) port;
 startWhenNeeded = mkDefault (!config.services.fail2ban.enable);
- extraConfig = optionalString (exemptList != [ ]) ''
- PerSourcePenaltyExemptList ${concatStringsSep "," exemptList}
- '' + optionalString cfg.tunnel.enable ''
- # User 'tunnel' has no password. Use PAM OATH
- # and connect with -N, forward with -R.
- Match User tunnel
- AllowTcpForwarding remote
- AllowStreamLocalForwarding no
- X11Forwarding no
- PermitTunnel no
- GatewayPorts no
- AllowAgentForwarding no
- PermitOpen none
- PermitListen 60220 60221 60222 60223 60224 60225 60226 60227 60228 60229
-
- Banner ${pkgs.writeText "tunnel-banner" ''
- This is a reverse tunnel
- ''}
- '';
-
- hostKeys = map
- (name: {
- path = "/etc/ssh/ssh_host_${name}_key";
- type = name;
- } // optionalAttrs (name == "rsa") {
- bits = 4096;
- })
+ extraConfig =
+ optionalString (exemptList != []) ''
+ PerSourcePenaltyExemptList ${concatStringsSep "," exemptList}
+ ''
+ + optionalString cfg.tunnel.enable ''
+ # User 'tunnel' has no password. Use PAM OATH
+ # and connect with -N, forward with -R.
+ Match User tunnel
+ AllowTcpForwarding remote
+ AllowStreamLocalForwarding no
+ X11Forwarding no
+ PermitTunnel no
+ GatewayPorts no
+ AllowAgentForwarding no
+ PermitOpen none
+ PermitListen 60220 60221 60222 60223 60224 60225 60226 60227 60228 60229
+
+ Banner ${pkgs.writeText "tunnel-banner" ''
+ This is a reverse tunnel
+ ''}
+ '';
+
+ hostKeys =
+ map
+ (name:
+ {
+ path = "/etc/ssh/ssh_host_${name}_key";
+ type = name;
+ }
+ // optionalAttrs (name == "rsa") {
+ bits = 4096;
+ })
 (attrNames (filterAttrs (name: enable: enable) cfg.hostKeys));
 settings = {
@@ -139,26 +152,29 @@ in
 PasswordAuthentication = withOath || withPassword; # Necesario para oath, no reemplaza a oath
 };
- listenAddresses = mkIf (restrict != null)
- (map (addr: { inherit addr; }) restrict.addresses);
+ listenAddresses =
+ mkIf (restrict != null)
+ (map (addr: {inherit addr;}) restrict.addresses);
 };
 systemd.sockets = mkIf (restrict != null && restrict.vsockCid != null) {
- sshd =
- let
- kernelMod = "modprobe@${if restrict.vsockCid == 2 then "vhost_" else ""}vsock.service";
- in
- {
- after = [ kernelMod ];
- wants = [ kernelMod ];
-
- socketConfig.ListenStream = mkForce [ "vsock:${toString restrict.vsockCid}:${toString port}" ];
- };
+ sshd = let
+ kernelMod = "modprobe@${
+ if restrict.vsockCid == 2
+ then "vhost_"
+ else ""
+ }vsock.service";
+ in {
+ after = [kernelMod];
+ wants = [kernelMod];
+
+ socketConfig.ListenStream = mkForce ["vsock:${toString restrict.vsockCid}:${toString port}"];
+ };
 };
 users.users = {
 root = mkIf cfg.withDeployKeys {
- openssh.authorizedKeys.keyFiles = [ ./ssh-key.pub ];
+ openssh.authorizedKeys.keyFiles = [./ssh-key.pub];
 };
 tunnel = mkIf cfg.tunnel.enable { |
