85 lines
2 KiB
Nix
85 lines
2 KiB
Nix
{ pkgs, config, lib, ... }:
|
|
|
|
with lib;
|
|
with types;
|
|
|
|
let
|
|
cfg = config.component.network.sshd;
|
|
defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ];
|
|
in
|
|
{
|
|
|
|
imports = [
|
|
./known-hosts-bootup.nix
|
|
./known-hosts-private.nix
|
|
./known-hosts-public.nix
|
|
];
|
|
|
|
options.component.network.sshd = {
|
|
enable = mkOption {
|
|
type = bool;
|
|
default = true;
|
|
description = "add ssh tools";
|
|
};
|
|
rootKeyFiles = mkOption {
|
|
type = with types; listOf path;
|
|
default = [ ];
|
|
description = "keys to root login";
|
|
};
|
|
tools.enable = mkOption {
|
|
type = bool;
|
|
default = true;
|
|
description = "add ssh tools";
|
|
};
|
|
onlyTincAccess = mkOption {
|
|
type = bool;
|
|
default = false;
|
|
description = ''
|
|
make sure ssh is only available trough the tinc
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = mkMerge [
|
|
|
|
(mkIf cfg.tools.enable {
|
|
environment.systemPackages = [ pkgs.sshfs ];
|
|
})
|
|
|
|
(mkIf cfg.enable {
|
|
|
|
services.openssh = {
|
|
enable = true;
|
|
forwardX11 = false;
|
|
passwordAuthentication = false;
|
|
};
|
|
|
|
users.users.root.openssh.authorizedKeys.keyFiles =
|
|
cfg.rootKeyFiles ++ defaultRootKeyFiles;
|
|
|
|
services.openssh.extraConfig = ''
|
|
Banner /etc/ssh/banner-line
|
|
'';
|
|
|
|
environment.etc."ssh/banner-line".text =
|
|
let
|
|
text = config.networking.hostName;
|
|
size = 80 - (lib.stringLength text);
|
|
space = lib.fixedWidthString size " " "";
|
|
in
|
|
''
|
|
────────────────────────────────────────────────────────────────────────────────
|
|
${space}${text}
|
|
'';
|
|
|
|
})
|
|
|
|
(mkIf (cfg.onlyTincAccess && cfg.enable) {
|
|
networking.firewall.extraCommands = ''
|
|
iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
|
|
'';
|
|
})
|
|
];
|
|
|
|
}
|