Diffstat (limited to '')
-rw-r--r--sys/auth/login.nix7
-rw-r--r--sys/auth/oath.nix10
-rw-r--r--sys/auth/openssh.nix146
3 files changed, 94 insertions, 69 deletions
diff --git a/sys/auth/login.nix b/sys/auth/login.nix
index 5bc8f2e..f252c1c 100644
--- a/sys/auth/login.nix
+++ b/sys/auth/login.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
with lib; {
# TODO
config = mkIf true {
diff --git a/sys/auth/oath.nix b/sys/auth/oath.nix
index 7030bab..6b00680 100644
--- a/sys/auth/oath.nix
+++ b/sys/auth/oath.nix
@@ -1,8 +1,12 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
with lib; let
cfg = config.local.auth.oath;
-in
-{
+in {
options.local.auth.oath = {
enable = lib.mkEnableOption "pam-oath";
};
diff --git a/sys/auth/openssh.nix b/sys/auth/openssh.nix
index 07e6977..44fb49a 100644
--- a/sys/auth/openssh.nix
+++ b/sys/auth/openssh.nix
@@ -1,15 +1,22 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
with lib; let
cfg = config.local.auth.openssh;
withOath = config.local.auth.oath.enable;
withPassword = config.local.auth.openssh.passwordAuthentication;
- port = if cfg.shiftPortNumber then 2234 else 22;
+ port =
+ if cfg.shiftPortNumber
+ then 2234
+ else 22;
restrict = cfg.restrictListen;
exemptList = optionals config.local.net.fail2ban.enable config.services.fail2ban.ignoreIP;
-in
-{
+in {
options.local.auth.openssh = {
enable = mkEnableOption "openssh";
tunnel.enable = mkEnableOption "ssh tunnel user";
@@ -23,28 +30,29 @@ in
type = types.bool;
default = false;
};
- }) [ "ecdsa" "ed25519" "rsa" ]);
+ }) ["ecdsa" "ed25519" "rsa"]);
restrictListen = mkOption {
default = null;
- type = with types; nullOr (submodule {
- options = {
- addresses = mkOption {
- type = listOf str;
+ type = with types;
+ nullOr (submodule {
+ options = {
+ addresses = mkOption {
+ type = listOf str;
+ };
+
+ interface = mkOption {
+ type = nullOr str;
+ default = null;
+ };
+
+ vsockCid = mkOption {
+ type = nullOr ints.u32;
+ default = null;
+ };
};
-
- interface = mkOption {
- type = nullOr str;
- default = null;
- };
-
- vsockCid = mkOption {
- type = nullOr ints.u32;
- default = null;
- };
- };
- });
+ });
};
passwordAuthentication = mkOption {
@@ -70,7 +78,7 @@ in
message = "SSH tunnel requires oath";
}
{
- assertion = restrict != null -> (restrict.vsockCid != null -> (restrict.interface == null && restrict.addresses == [ ]));
+ assertion = restrict != null -> (restrict.vsockCid != null -> (restrict.interface == null && restrict.addresses == []));
message = "SSH vsock restrict requires disabling inet";
}
{
@@ -88,11 +96,11 @@ in
];
local.boot.impermanence.files =
- flatten (map (key: [ key.path "${key.path}.pub" ]) config.services.openssh.hostKeys);
+ flatten (map (key: [key.path "${key.path}.pub"]) config.services.openssh.hostKeys);
networking.firewall = {
interfaces = optionalAttrs (restrict != null && restrict.interface != null) {
- ${restrict.interface}.allowedTCPPorts = [ port ];
+ ${restrict.interface}.allowedTCPPorts = [port];
};
allowedTCPPorts = optional (restrict == null || restrict.interface == null) port;
@@ -101,36 +109,41 @@ in
services.openssh = {
enable = true;
- ports = optional (restrict != null -> restrict.addresses != [ ]) port;
+ ports = optional (restrict != null -> restrict.addresses != []) port;
startWhenNeeded = mkDefault (!config.services.fail2ban.enable);
- extraConfig = optionalString (exemptList != [ ]) ''
- PerSourcePenaltyExemptList ${concatStringsSep "," exemptList}
- '' + optionalString cfg.tunnel.enable ''
- # User 'tunnel' has no password. Use PAM OATH
- # and connect with -N, forward with -R.
- Match User tunnel
- AllowTcpForwarding remote
- AllowStreamLocalForwarding no
- X11Forwarding no
- PermitTunnel no
- GatewayPorts no
- AllowAgentForwarding no
- PermitOpen none
- PermitListen 60220 60221 60222 60223 60224 60225 60226 60227 60228 60229
-
- Banner ${pkgs.writeText "tunnel-banner" ''
- This is a reverse tunnel
- ''}
- '';
-
- hostKeys = map
- (name: {
- path = "/etc/ssh/ssh_host_${name}_key";
- type = name;
- } // optionalAttrs (name == "rsa") {
- bits = 4096;
- })
+ extraConfig =
+ optionalString (exemptList != []) ''
+ PerSourcePenaltyExemptList ${concatStringsSep "," exemptList}
+ ''
+ + optionalString cfg.tunnel.enable ''
+ # User 'tunnel' has no password. Use PAM OATH
+ # and connect with -N, forward with -R.
+ Match User tunnel
+ AllowTcpForwarding remote
+ AllowStreamLocalForwarding no
+ X11Forwarding no
+ PermitTunnel no
+ GatewayPorts no
+ AllowAgentForwarding no
+ PermitOpen none
+ PermitListen 60220 60221 60222 60223 60224 60225 60226 60227 60228 60229
+
+ Banner ${pkgs.writeText "tunnel-banner" ''
+ This is a reverse tunnel
+ ''}
+ '';
+
+ hostKeys =
+ map
+ (name:
+ {
+ path = "/etc/ssh/ssh_host_${name}_key";
+ type = name;
+ }
+ // optionalAttrs (name == "rsa") {
+ bits = 4096;
+ })
(attrNames (filterAttrs (name: enable: enable) cfg.hostKeys));
settings = {
@@ -139,26 +152,29 @@ in
PasswordAuthentication = withOath || withPassword; # Necesario para oath, no reemplaza a oath
};
- listenAddresses = mkIf (restrict != null)
- (map (addr: { inherit addr; }) restrict.addresses);
+ listenAddresses =
+ mkIf (restrict != null)
+ (map (addr: {inherit addr;}) restrict.addresses);
};
systemd.sockets = mkIf (restrict != null && restrict.vsockCid != null) {
- sshd =
- let
- kernelMod = "modprobe@${if restrict.vsockCid == 2 then "vhost_" else ""}vsock.service";
- in
- {
- after = [ kernelMod ];
- wants = [ kernelMod ];
-
- socketConfig.ListenStream = mkForce [ "vsock:${toString restrict.vsockCid}:${toString port}" ];
- };
+ sshd = let
+ kernelMod = "modprobe@${
+ if restrict.vsockCid == 2
+ then "vhost_"
+ else ""
+ }vsock.service";
+ in {
+ after = [kernelMod];
+ wants = [kernelMod];
+
+ socketConfig.ListenStream = mkForce ["vsock:${toString restrict.vsockCid}:${toString port}"];
+ };
};
users.users = {
root = mkIf cfg.withDeployKeys {
- openssh.authorizedKeys.keyFiles = [ ./ssh-key.pub ];
+ openssh.authorizedKeys.keyFiles = [./ssh-key.pub];
};
tunnel = mkIf cfg.tunnel.enable {