From 48d2ef9f8bc681e73380f89872fa55a0a86e9161 Mon Sep 17 00:00:00 2001
From: Alejandro Soto
Date: Mon, 8 Aug 2022 04:05:05 -0600
Subject: sys/auth: move out of sys/default.nix
---
 sys/auth.nix | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 sys/auth.nix
(limited to 'sys/auth.nix')
diff --git a/sys/auth.nix b/sys/auth.nix
new file mode 100644
index 0000000..e6e156d
--- /dev/null
+++ b/sys/auth.nix
@@ -0,0 +1,45 @@
+{ lib, config, ... }:
+with lib; let
+ cfg = config.local;
+in {
+ config = {
+ security.pam = {
+ oath = {
+ usersFile = "/var/trust/auth/users.oath";
+ digits = 6;
+ window = 30;
+ };
+
+ services.sshd.oathAuth = true;
+ };
+
+ services.openssh = {
+ enable = true;
+ openFirewall = false;
+ ports = [ 2234 ];
+
+ forwardX11 = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+
+ hostKeys = [
+ {
+ bits = 4096;
+ path = "/etc/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ }
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ #TODO: Desfasar, inseguro
+ {
+ path = "/etc/ssh/ssh_host_ecdsa_key";
+ type = "ecdsa";
+ }
+ ];
+ };
+
+ networking.firewall.allowedTCPPorts = [ 2234 ];
+ };
+}
--
cgit v1.2.3
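Review bot: The ecdsa entry in `hostKeys` is carried into the new file together with the comment above it (`#TODO: Desfasar, inseguro`, i.e. "phase out, insecure") that says it should be removed; since rsa (4096-bit) and ed25519 host keys are already listed, the third block can simply be dropped rather than keeping a host key type the author has flagged as deprecated, which clients may otherwise pin in their known_hosts. Separately, `cfg = config.local` and `with lib;` are not referenced anywhere in this file and can be removed from the header. With `passwordAuthentication = false`, the OATH PAM step presumably runs over keyboard-interactive authentication, which here relies on the NixOS default for that openssh option (`kbdInteractiveAuthentication`, if I recall its name correctly) rather than an explicit setting; making it explicit would document the intent. Lastly, `forwardX11 = true` enables X11 forwarding on a service that is otherwise tightened (no root login, no passwords, non-default port); if it is not needed on this host, leaving it at the default would keep the surface smaller.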