Diffstat (limited to 'sys')
-rw-r--r--sys/auth.nix35
1 files changed, 33 insertions, 2 deletions
diff --git a/sys/auth.nix b/sys/auth.nix
index e85543e..e9723a7 100644
--- a/sys/auth.nix
+++ b/sys/auth.nix
@@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ config, lib, pkgs, ... }:
with lib; let
cfg = config.local;
in
@@ -18,10 +18,11 @@ in
enable = true;
openFirewall = false;
ports = [ 2234 ];
+ startWhenNeeded = true;
forwardX11 = true;
permitRootLogin = "no";
- passwordAuthentication = false;
+ passwordAuthentication = true; # Necesario para oath, no reemplaza a oath
hostKeys = [
{
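Review bot: Setting `passwordAuthentication = true` at the top level re-enables password logins for every account on port 2234 (which this file also opens in the firewall), not just for the `tunnel` user the comment says needs it, and nothing in this diff enables PAM OATH for sshd (no `security.pam.oath` / sshd PAM service setting), so unless that lives elsewhere this is plain password auth on an exposed port. Keep the global `passwordAuthentication = false;` and scope the exception inside the `Match User tunnel` block in `extraConfig`, e.g. `PasswordAuthentication yes` there (if pam_oath is wired through keyboard-interactive instead, `KbdInteractiveAuthentication yes` scoped the same way is the usual form — confirm which one the PAM stack expects). The Spanish comment on that line would also be clearer in English for other maintainers, e.g. `# Password auth is only a carrier for PAM OATH; the OTP is still enforced by PAM`. The enclosing `services.openssh` attribute set starts before this hunk.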
@@ -39,8 +40,38 @@ in
type = "ecdsa";
}
];
+
+ extraConfig = ''
+ # User 'tunnel' has no password. Use PAM OATH
+ # and connect with -N, forward with -R.
+ Match User tunnel
+ AllowTcpForwarding remote
+ AllowStreamLocalForwarding no
+ X11Forwarding no
+ PermitTunnel no
+ GatewayPorts no
+ AllowAgentForwarding no
+ PermitOpen none
+ PermitListen 60220 60221 60222 60223 60224 60225 60226 60227 60228 60229
+
+ Banner ${pkgs.writeText "tunnel-banner" ''
+ This is a reverse tunnel
+ ''}
+ '';
};
networking.firewall.allowedTCPPorts = [ 2234 ];
+
+ users.users.tunnel = {
+ uid = 1100;
+ group = "nogroup";
+ isSystemUser = true;
+
+ # Requiere oath
+ password = "tunnel";
+
+ home = "/var/empty";
+ shell = "${pkgs.coreutils}/bin/true";
+ };
};
}
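Review bot: `password = "tunnel";` puts a cleartext, trivially guessable password into the world-readable Nix store, and it contradicts the banner comment a few lines up ("User 'tunnel' has no password"); the `# Requiere oath` remark does not hold by itself, because no `security.pam.oath` or sshd PAM OATH option appears in this diff, so if OATH is not enabled elsewhere this account is reachable with a one-word password. If a password is needed only so PAM can reach the OATH module, use `hashedPassword`/`hashedPasswordFile` with a strong secret, or drop passwords for this user entirely and place the tunnel client's key in `openssh.authorizedKeys.keys`. The `Match` block itself is well scoped (`PermitOpen none`, `PermitListen` pinned to a fixed port range, no agent/X11/tunnel forwarding); adding `PermitTTY no` there would close the remaining interactive path cheaply. `isSystemUser = true` combined with `uid = 1100` looks inconsistent with the usual low-UID convention for system users — confirm that is intended.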