Diffstat (limited to 'sys')
| -rw-r--r-- | sys/auth.nix | 45 | ||||
| -rw-r--r-- | sys/default.nix | 40 |
2 files changed, 46 insertions, 39 deletions
diff --git a/sys/auth.nix b/sys/auth.nix
new file mode 100644
index 0000000..e6e156d
--- /dev/null
+++ b/sys/auth.nix
@@ -0,0 +1,45 @@
+{ lib, config, ... }:
+with lib; let
+ cfg = config.local;
+in {
+ config = {
+ security.pam = {
+ oath = {
+ usersFile = "/var/trust/auth/users.oath";
+ digits = 6;
+ window = 30;
+ };
+
+ services.sshd.oathAuth = true;
+ };
+
+ services.openssh = {
+ enable = true;
+ openFirewall = false;
+ ports = [ 2234 ];
+
+ forwardX11 = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+
+ hostKeys = [
+ {
+ bits = 4096;
+ path = "/etc/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ }
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ #TODO: Desfasar, inseguro
+ {
+ path = "/etc/ssh/ssh_host_ecdsa_key";
+ type = "ecdsa";
+ }
+ ];
+ };
+
+ networking.firewall.allowedTCPPorts = [ 2234 ];
+ };
+}
diff --git a/sys/default.nix b/sys/default.nix
index 6ea2438..ae1b38f 100644
--- a/sys/default.nix
+++ b/sys/default.nix
@@ -5,6 +5,7 @@ with lib; let
 in {
 imports = [
 "${modulesPath}/installer/scan/not-detected.nix"
+ ./auth.nix
 ./fs
 ./options.nix
 ./users.nix
@@ -119,44 +120,5 @@ in {
 };
 environment.systemPackages = [ pkgs.dhcpcd pkgs.git ];
-
- security.pam = {
- oath = {
- usersFile = "/var/trust/auth/users.oath";
- digits = 6;
- window = 30;
- };
-
- services.sshd.oathAuth = true;
- };
-
- services.openssh = {
- enable = true;
- openFirewall = false;
- ports = [ 2234 ];
-
- forwardX11 = true;
- permitRootLogin = "no";
- passwordAuthentication = false;
-
- hostKeys = [
- {
- bits = 4096;
- path = "/etc/ssh/ssh_host_rsa_key";
- type = "rsa";
- }
- {
- path = "/etc/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- #TODO: Desfasar, inseguro
- {
- path = "/etc/ssh/ssh_host_ecdsa_key";
- type = "ecdsa";
- }
- ];
- };
-
- networking.firewall.allowedTCPPorts = [ 2234 ];
 };
 } |
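Review bot: The `ecdsa` host key that the author already marks `#TODO: Desfasar, inseguro` ("phase out, insecure") is still generated and offered in `hostKeys` of the new sys/auth.nix, so the move carries the concern along unchanged; with `rsa` and `ed25519` listed above it, dropping the third entry (`{ path = "/etc/ssh/ssh_host_ecdsa_key"; type = "ecdsa"; }`) would resolve the TODO, noting that a key file already generated on existing hosts stays on disk until removed by hand. `forwardX11 = true` is an unusual setting for an sshd that otherwise disables password and root login; if no interactive X sessions are expected over port 2234, either set it to `false` or add a comment stating why it is on. `cfg = config.local` (and `with lib;`) are bound but not referenced anywhere in the new file, so they can be removed or should gain a comment saying what they are reserved for. I cannot see how `/var/trust/auth/users.oath` is provisioned; it holds the OATH shared secrets, so a comment at `usersFile` recording the expected ownership and mode (root-owned, not group/world readable) would help whoever deploys this.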
