{
  pkgs,
  lib,
  config,
  ...
}:
let
  cfg = config.global.auth;

  # Trusted ssh public keys bundled with the configuration: every regular file
  # under ./pub is read at evaluation time and split into lines, one key entry
  # per line, with blank lines dropped. The resulting list ends up in reverse
  # file/line order (the fold it replaces appended on the right); authorized
  # key order carries no meaning, so that order is kept as-is.
  keyDir = ./pub;
  keyFiles = lib.attrNames (lib.filterAttrs (_: kind: kind == "regular") (builtins.readDir keyDir));
  keyLines = lib.concatMap (name: lib.splitString "\n" (builtins.readFile (keyDir + "/${name}"))) keyFiles;
  pub = lib.reverseList (lib.filter (line: line != "") keyLines);
in
{
  options.global.auth = {
    # The whole module is on by default; setting this to false drops every
    # service, firewall and persistence setting in `config` below.
    enable = lib.mkEnableOption "identity authentication in various software" // {
      default = true;
    };

    openssh = {
      enable = lib.mkEnableOption "openssh server";

      # Off by default (mkEnableOption): both password and keyboard-interactive
      # logins stay disabled unless this is set, leaving key-based auth only.
      password = lib.mkEnableOption "password authentication";

      # Declared here but not consumed by this module's own config block;
      # presumably another module feeds it into users' authorizedKeys — confirm
      # against the callers before relying on it.
      publicKeys = lib.mkOption {
        type = lib.types.listOf lib.types.singleLineStr;
        default = pub;
        description = "list of trusted openssh keys";
      };

      # The default binds every IPv4 interface; narrow it for hosts that should
      # only accept ssh on a single address.
      addr = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = "0.0.0.0";
        description = "Host, IPv4 or IPv6 address to listen to.";
      };

      port = lib.mkOption {
        type = lib.types.nullOr lib.types.int;
        default = 22;
        description = "Port to listen to.";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    services.openssh = lib.mkIf cfg.openssh.enable {
      enable = true;
      listenAddresses = [ { inherit (cfg.openssh) addr port; } ];
      # Both interactive credential paths follow the single `password` switch.
      settings = {
        PasswordAuthentication = cfg.openssh.password;
        KbdInteractiveAuthentication = cfg.openssh.password;
      };
    };

    # 1300 (utility port) is opened whenever the module is enabled; the sshd
    # port joins it only when the server is on and a port is configured.
    networking.firewall.allowedTCPPorts =
      [ 1300 ]
      ++ lib.optional (cfg.openssh.enable && cfg.openssh.port != null) cfg.openssh.port;

    # Keep /etc/ssh across reboots on the impermanent root — presumably so the
    # sshd host keys stay stable between boots; confirm.
    environment.persistence."/nix/persist/fhs".directories =
      lib.optional cfg.openssh.enable "/etc/ssh";
  };
}