

commit 3f657a0d8e07a51381c3076fd337e8c795df3a01
parent 7eea0bce1911757e5863d8bb0323d520c7f835db
Author: Katja (ctucx) <git@ctu.cx>
Date: Tue, 20 May 2025 12:30:08 +0200

config/nixos/modules/services: add `openssh` module (and enable in katja-preset)
4 files changed, 134 insertions(+), 5 deletions(-)
M
config/nixos/modules/presets/katja/enable.nix
|
19
+++++++++++++++----
A
config/nixos/modules/services/openssh.nix
|
117
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
M
config/nixos/modules/sops.nix
|
2
+-
M
config/nixos/modules/users/katja.nix
|
1
+
diff --git a/config/nixos/modules/presets/katja/enable.nix b/config/nixos/modules/presets/katja/enable.nix
@@ -19,17 +19,28 @@ in
   };
 
   config = lib.mkIf cfg {
-    users.users.root.openssh.authorizedKeys.keys = [
-      (builtins.readFile "${pkgs.ctucx-website}/ssh_pubkey.asc")
-    ];
+    users.users.root = {
+      extraGroups = [ "ssh" ];
+      openssh.authorizedKeys.keys = [
+        (builtins.readFile "${pkgs.ctucx-website}/ssh_pubkey.asc")
+      ];
+    };
 
     modules = {
       presets.katja = {
         syncthing.enable = lib.mkDefault true;
       };
 
-      services.keyd.enable = lib.mkDefault true;
       hardware.smartcard.enable = lib.mkDefault config.modules.presets.graphical.enable;
+
+      services = {
+        keyd.enable = lib.mkDefault config.modules.presets.graphical.enable;
+        openssh = {
+          enable = lib.mkDefault true;
+          enableRSASupport = lib.mkDefault true;
+        };
+#        prometheus-exporters.enable = lib.mkDefault true;
+      };
     };
   };
 
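Review bot: The line `keyd.enable = lib.mkDefault config.modules.presets.graphical.enable;` changes keyd from always-on to graphical-only, which is unrelated to the openssh module this commit introduces and is not mentioned in the commit message; a separate commit or a sentence in the description would keep it reviewable. The commented-out `prometheus-exporters.enable` line sits at column 0 inside the `services` set; either indent it like its neighbours or drop it, since dead config in a preset tends to drift. Adding root to `extraGroups = [ "ssh" ];` is what lets root pass the new module's `AllowGroups` filter, so a comment such as `# member of "ssh" so AllowGroups in services/openssh.nix admits root key logins` would record that this is intentional rather than incidental.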
diff --git a/config/nixos/modules/services/openssh.nix b/config/nixos/modules/services/openssh.nix
@@ -0,0 +1,117 @@
+{
+  povSelf,
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (lib) types;
+  cfg = lib.getAttrFromPath povSelf config;
+
+in
+{
+
+  options = {
+    enable = {
+      type = types.bool;
+      default = false;
+    };
+    enableRSASupport = {
+      type = types.bool;
+      default = false;
+    };
+    port = {
+      type = types.port;
+      default = 22;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.groups = {
+      ssh = {
+        gid = 200;
+      };
+      sftp = {
+        gid = 201;
+      };
+    };
+
+    services.openssh = {
+      enable = true;
+
+      # Use socket activation via systemd
+      startWhenNeeded = true;
+
+      # Hostkeys
+      hostKeys = [
+        {
+          type = "ed25519";
+          path = "/etc/ssh/ed25519_hostkey";
+        }
+      ];
+
+      ports = [ cfg.port ];
+
+      # TODO: Find out why the heck this kills my gpg-agent
+      # extraConfig = "HostCertificate /run/secrets/hostcert";
+
+      settings = {
+
+        # Disable password authentication to enforce pubkey authentication
+        PasswordAuthentication = false;
+
+        # Disable keyboardinteractive authentication
+        KbdInteractiveAuthentication = false;
+
+        # Only allow users of the ssh and sftp groups to connect
+        AllowGroups = [
+          "sftp"
+          "ssh"
+        ];
+
+        CASignatureAlgorithms = lib.concatStringsSep "," [
+          "ssh-ed25519"
+          "sk-ssh-ed25519@openssh.com"
+        ];
+
+        HostBasedAcceptedAlgorithms = lib.concatStringsSep "," [
+          "ssh-ed25519-cert-v01@openssh.com"
+          "sk-ssh-ed25519-cert-v01@openssh.com"
+          "ssh-ed25519,sk-ssh-ed25519@openssh.com"
+        ];
+
+        HostKeyAlgorithms = lib.concatStringsSep "," [
+          "ssh-ed25519-cert-v01@openssh.com"
+          "sk-ssh-ed25519-cert-v01@openssh.com"
+          "ssh-ed25519,sk-ssh-ed25519@openssh.com"
+        ];
+
+        PubKeyAcceptedAlgorithms = lib.concatStringsSep "," ([
+          "ssh-ed25519-cert-v01@openssh.com"
+          "sk-ssh-ed25519-cert-v01@openssh.com"
+          "ssh-ed25519,sk-ssh-ed25519@openssh.com"
+        ] ++ (lib.optionals cfg.enableRSASupport [
+          "rsa-sha2-512"
+        ]));
+
+        # Specifies the available KEX (Key Exchange) algorithms
+        KexAlgorithms = [
+          "curve25519-sha256"
+          "curve25519-sha256@libssh.org"
+        ];
+
+        # Specifies the available MAC (message authentication code) algorithms
+        Macs = [
+          "hmac-sha2-512-etm@openssh.com"
+          "hmac-sha2-256-etm@openssh.com"
+        ];
+
+        Ciphers = [
+          "aes256-gcm@openssh.com"
+          "aes256-ctr"
+        ];
+      };
+    };
+  };
+
+}
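Review bot: `PermitRootLogin` is not set in `settings`, so root access is left to the NixOS default (`prohibit-password`) while the katja preset deliberately places root in the `ssh` group that `AllowGroups` admits; writing `PermitRootLogin = "prohibit-password";` next to `PasswordAuthentication = false;` makes the policy explicit in the module and independent of an upstream default change. The `HostBasedAcceptedAlgorithms`, `HostKeyAlgorithms` and `PubKeyAcceptedAlgorithms` lists each carry a fused element `"ssh-ed25519,sk-ssh-ed25519@openssh.com"` that is then joined with commas again; splitting it into `"ssh-ed25519"` and `"sk-ssh-ed25519@openssh.com"` makes these lists consistent with the plain-list style of `KexAlgorithms`, `Macs` and `Ciphers` below (the manual spells the keyword `PubkeyAcceptedAlgorithms`; sshd matches keywords case-insensitively, so the capitalised form still applies). `HostBasedAcceptedAlgorithms` only matters when HostbasedAuthentication is enabled, which this module does not do, so a short comment that it is set defensively, or dropping it, would stop a reader assuming host-based auth is in use. The fixed `gid = 200` and `gid = 201` values appear chosen for stability across hosts; a comment noting they must not collide with gids allocated elsewhere in the config would help.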
diff --git a/config/nixos/modules/sops.nix b/config/nixos/modules/sops.nix
@@ -22,7 +22,7 @@ in
   config = lib.mkIf cfg.enable {
     sops = {
       defaultSopsFile = inputs.self.sopsSecrets.${config.networking.hostName};
-      age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      age.sshKeyPaths = [ "/etc/ssh/ed25519_hostkey" ];
     };
   };
 
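Review bot: Pointing `age.sshKeyPaths` at `"/etc/ssh/ed25519_hostkey"` assumes that file exists on hosts already deployed with the standard `/etc/ssh/ssh_host_ed25519_key`; the NixOS openssh service generates any missing key listed in `hostKeys` when it starts, so an existing host would get a fresh key at the new path and sops could no longer decrypt secrets encrypted to the old key's age recipient (clients would also see a changed host key). Either move the existing key to the new path before switching, or re-key the sops files for the new recipient; a comment above this line recording that migration step would save the next person a lockout. This path is chosen in the new `services/openssh.nix` (its `hostKeys` entry), so the two must be kept in step.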
diff --git a/config/nixos/modules/users/katja.nix b/config/nixos/modules/users/katja.nix
@@ -31,6 +31,7 @@ in
       hashedPasswordFile = config.sops.secrets.katjaPassword.path;
       isNormalUser = true;
       extraGroups = [
+        "ssh"
         "wheel"
       ];
       openssh.authorizedKeys.keys = [