feat(auth): add openssh options

2024-01-02 14:49:54 +08:00 · 2024-01-02 14:49:54 +08:00 · cfa224c632
parent 6517ca329d
commit cfa224c632
1 changed files with 49 additions and 0 deletions
--- a/faucet/auth/default.nix
+++ b/faucet/auth/default.nix
@ -0,0 +1,49 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.faucet.auth;
+  pub = lib.pipe ./pub [
+    builtins.readDir
+    (lib.filterAttrs (n: ty: ty == "regular"))
+    (lib.mapAttrsToList (n: _: builtins.readFile ./pub/${n}))
+  ];
+in {
+  options.faucet.auth = {
+    enable = mkEnableOption "identity authentication in various software" // { default = true; };
+    openssh = {
+      enable = mkEnableOption "openssh server";
+      password = mkEnableOption "password authentication";
+      publicKeys = mkOption {
+        type = with types; listOf str;
+        default = pub;
+        description = "list of trusted openssh keys";
+      };
+      addr = mkOption {
+        type = with types; nullOr str;
+        default = "0.0.0.0";
+        description = "Host, IPv4 or IPv6 address to listen to.";
+      };
+      port = mkOption {
+        type = with types; nullOr int;
+        default = 22;
+        description = "Port to listen to.";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.openssh = mkIf cfg.openssh.enable {
+      enable = true;
+      listenAddresses = [ { inherit (cfg.openssh) addr port; } ];
+      settings.KbdInteractiveAuthentication = cfg.openssh.password;
+      settings.PasswordAuthentication = cfg.openssh.password;
+    };
+
+    networking.firewall.allowedTCPPorts = [ ] ++
+    optional (cfg.openssh.enable && (cfg.openssh.port != null)) cfg.openssh.port;
+
+    environment.persistence."/nix/persist/fhs".directories = [ ] ++
+    optional cfg.openssh.enable "/etc/ssh";
+  };
+}