summaryrefslogtreecommitdiff
path: root/sys/auth/openssh.nix
blob: 2030682db5de9103e5d98032f7afd6125b956314 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86

{ config, lib, pkgs, ... }:
with lib; let
  cfg = config.local.auth.openssh;
  withOath = config.local.auth.oath.enable;
in
{
  options.local.auth.openssh = {
    enable = mkEnableOption "openssh";
    tunnel.enable = mkEnableOption "ssh tunnel user";

    #TODO: Desfasar ecdsa, inseguro
    hostKeys = listToAttrs (map
      (name: {
        inherit name;

        value = mkOption {
          type = types.bool;
          default = false;
        };
      }) [ "ecdsa" "ed25519" "rsa" ]);
  };

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.tunnel.enable -> withOath;
        message = "SSH tunnel requires oath";
      }
    ];

    local.boot.impermanence.files =
      flatten (map (key: [ key.path "${key.path}.pub" ]) config.services.openssh.hostKeys);

    services.openssh = {
      enable = true;
      openFirewall = true;
      ports = [ 2234 ];
      startWhenNeeded = true;

      hostKeys = map
        (name: {
          path = "/etc/ssh/ssh_host_${name}_key";
          type = name;
        } // optionalAttrs (name == "rsa") {
          bits = 4096;
        })
        (attrNames (filterAttrs (name: enable: enable) cfg.hostKeys));

      settings = {
        X11Forwarding = true;
        PermitRootLogin = "prohibit-password";
        PasswordAuthentication = withOath; # Necesario para oath, no reemplaza a oath
      };

      extraConfig = optionalString cfg.tunnel.enable ''
        # User 'tunnel' has no password. Use PAM OATH
        # and connect with -N, forward with -R.
        Match User tunnel
           AllowTcpForwarding remote
           AllowStreamLocalForwarding no
           X11Forwarding no
           PermitTunnel no
           GatewayPorts no
           AllowAgentForwarding no
           PermitOpen none
           PermitListen 60220 60221 60222 60223 60224 60225 60226 60227 60228 60229

           Banner ${pkgs.writeText "tunnel-banner" ''
             This is a reverse tunnel
           ''}
      '';
    };

    users.users.tunnel = mkIf cfg.tunnel.enable {
      uid = 1100;
      group = "nogroup";
      isSystemUser = true;

      # Requiere oath
      password = "tunnel";

      home = "/var/empty";
      shell = "${pkgs.coreutils}/bin/true";
    };
  };
}
generated by cgit v1.2.3 (git 2.25.1) at 2026-06-10 19:40:13 +0000