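{
  povSelf,
  config,
  lib,
  ...
}:
# OpenSSH server module: ed25519-only host and user key policy, pubkey-only
# authentication, access gated by group membership.
let
  inherit (lib) types;
  cfg = lib.getAttrFromPath povSelf config;

  # Single host key. Its directory is persisted via impermanence (see
  # modules.filesystem.impermanence.system.dirs below), and sops reads the same
  # key as its age identity.
  hostKeyPath = "/var/lib/sshd/ed25519_hostkey";

  # The only key types accepted for host keys and user public keys: ed25519 and
  # FIDO/security-key ed25519, each in certificate and bare form. Shared by the
  # three *Algorithms settings below so they cannot drift apart.
  ed25519Algorithms = [
    "ssh-ed25519-cert-v01@openssh.com"
    "sk-ssh-ed25519-cert-v01@openssh.com"
    "ssh-ed25519"
    "sk-ssh-ed25519@openssh.com"
  ];

in
{

  options = {
    enable = {
      type = types.bool;
      default = false;
    };
    # Additionally accept rsa-sha2-512 user keys, for clients that cannot use
    # ed25519. Off by default; host keys stay ed25519 regardless.
    enableRSASupport = {
      type = types.bool;
      default = false;
    };
    port = {
      type = types.port;
      default = 22;
    };
  };

  config = lib.mkIf cfg.enable {
    # Membership in one of these two groups is what grants SSH access
    # (see AllowGroups below).
    users.groups = {
      ssh = {
        gid = 200;
      };
      sftp = {
        gid = 201;
      };
    };

    # sops decrypts its secrets with the SSH host key. This is required because
    # the secrets need to be decrypted before the users get created, but the
    # impermanence bind-mounts get created _after_ the user creation... so when
    # impermanence is on, the key is read straight from its persistent location.
    sops.age.sshKeyPaths = [
      (
        if config.modules.filesystem.impermanence.system.enable then
          "/nix/persist/system${hostKeyPath}"
        else
          hostKeyPath
      )
    ];

    # Keep the host key across reboots: a regenerated key would change the host
    # identity seen by clients and leave sops without its decryption identity.
    modules.filesystem.impermanence.system.dirs = [ "/var/lib/sshd" ];

    services.openssh = {
      enable = true;

      # Use socket activation via systemd
      startWhenNeeded = true;

      # Hostkeys: one ed25519 key only; no RSA host key is generated.
      hostKeys = [
        {
          type = "ed25519";
          path = hostKeyPath;
        }
      ];

      ports = [ cfg.port ];

      # TODO: Find out why the heck this kills my gpg-agent
      # extraConfig = "HostCertificate /run/secrets/hostcert";

      settings = {

        # Disable password authentication to enforce pubkey authentication
        PasswordAuthentication = false;

        # Disable keyboardinteractive authentication (this is the method PAM
        # prompts go through), so public-key authentication is what remains.
        KbdInteractiveAuthentication = false;

        # PermitRootLogin is intentionally not set here, so the NixOS module
        # default applies. NOTE(review): confirm that default is
        # "prohibit-password" or stricter on the deployed nixpkgs revision.

        X11Forwarding = false;

        # Only allow users of the ssh and sftp groups to connect; every other
        # account is refused even when it presents a valid key.
        AllowGroups = [
          "sftp"
          "ssh"
        ];

        # Ed25519-only signature policy for everything below. sshd_config
        # keywords are case-insensitive, so the HostBased*/PubKey* spellings
        # are accepted; the canonical spellings are HostbasedAcceptedAlgorithms
        # and PubkeyAcceptedAlgorithms.
        CASignatureAlgorithms = lib.concatStringsSep "," [
          "ssh-ed25519"
          "sk-ssh-ed25519@openssh.com"
        ];

        HostBasedAcceptedAlgorithms = lib.concatStringsSep "," ed25519Algorithms;

        HostKeyAlgorithms = lib.concatStringsSep "," ed25519Algorithms;

        # User keys: ed25519 plus, only when opted in, rsa-sha2-512. The legacy
        # ssh-rsa (SHA-1 signature) scheme is never listed and so never accepted.
        PubKeyAcceptedAlgorithms = lib.concatStringsSep "," (
          ed25519Algorithms ++ lib.optionals cfg.enableRSASupport [ "rsa-sha2-512" ]
        );

        # The three settings below are given as lists rather than joined
        # strings; presumably the NixOS module types them as lists and joins
        # them itself (the string-typed settings above are joined here).

        # Specifies the available KEX (Key Exchange) algorithms
        KexAlgorithms = [
          "curve25519-sha256"
          "curve25519-sha256@libssh.org"
        ];

        # Specifies the available MAC (message authentication code) algorithms;
        # encrypt-then-MAC variants only.
        Macs = [
          "hmac-sha2-512-etm@openssh.com"
          "hmac-sha2-256-etm@openssh.com"
        ];

        # AES-256 only: AEAD (GCM) preferred, CTR as the fallback (paired with
        # the ETM MACs above).
        Ciphers = [
          "aes256-gcm@openssh.com"
          "aes256-ctr"
        ];
      };
    };
  };

}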