blob: 161fe6faa6e3f0ddd339b4604a80f75afc2d0edb (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
{ config, lib, pkgs, ... }:
with lib; let
cfg = config.local.auth.openssh;
withOath = config.local.auth.oath.enable;
port = if cfg.shiftPortNumber then 2234 else 22;
in
{
options.local.auth.openssh = {
enable = mkEnableOption "openssh";
tunnel.enable = mkEnableOption "ssh tunnel user";
#TODO: Desfasar ecdsa, inseguro
hostKeys = listToAttrs (map
(name: {
inherit name;
value = mkOption {
type = types.bool;
default = false;
};
}) [ "ecdsa" "ed25519" "rsa" ]);
restrictListen = mkOption {
default = null;
type = with types; nullOr (submodule {
options = {
address = mkOption {
type = str;
};
interface = mkOption {
type = str;
};
};
});
};
shiftPortNumber = mkOption {
type = types.bool;
default = true;
};
withDeployKeys = mkOption {
type = types.bool;
default = false;
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.tunnel.enable -> withOath;
message = "SSH tunnel requires oath";
}
];
local.boot.impermanence.files =
flatten (map (key: [ key.path "${key.path}.pub" ]) config.services.openssh.hostKeys);
networking.firewall.interfaces = optionalAttrs (cfg.restrictListen != null) {
${cfg.restrictListen.interface}.allowedTCPPorts = [ port ];
};
services.openssh = {
enable = true;
ports = [ port ];
openFirewall = cfg.restrictListen == null;
startWhenNeeded = !config.services.fail2ban.enable;
extraConfig = optionalString cfg.tunnel.enable ''
# User 'tunnel' has no password. Use PAM OATH
# and connect with -N, forward with -R.
Match User tunnel
AllowTcpForwarding remote
AllowStreamLocalForwarding no
X11Forwarding no
PermitTunnel no
GatewayPorts no
AllowAgentForwarding no
PermitOpen none
PermitListen 60220 60221 60222 60223 60224 60225 60226 60227 60228 60229
Banner ${pkgs.writeText "tunnel-banner" ''
This is a reverse tunnel
''}
'';
hostKeys = map
(name: {
path = "/etc/ssh/ssh_host_${name}_key";
type = name;
} // optionalAttrs (name == "rsa") {
bits = 4096;
})
(attrNames (filterAttrs (name: enable: enable) cfg.hostKeys));
settings = {
X11Forwarding = true;
PermitRootLogin = "prohibit-password";
PasswordAuthentication = withOath; # Necesario para oath, no reemplaza a oath
};
listenAddresses = mkIf (cfg.restrictListen != null) (singleton {
addr = cfg.restrictListen.address;
});
};
users.users = {
root = mkIf cfg.withDeployKeys {
openssh.authorizedKeys.keyFiles = [ ./ssh-key.pub ];
};
tunnel = mkIf cfg.tunnel.enable {
uid = 1100;
group = "nogroup";
isSystemUser = true;
# Requiere oath
password = "tunnel";
home = "/var/empty";
shell = "${pkgs.coreutils}/bin/true";
};
};
};
}
|
