mirror of
https://github.com/Swarsel/.dotfiles.git
synced 2025-12-06 17:17:22 +01:00
67 lines
1.7 KiB
Nix
67 lines
1.7 KiB
Nix
{ self, lib, config, ... }:
|
|
{
|
|
options.swarselmodules.server.bastion = lib.mkEnableOption "enable bastion on server";
|
|
config = lib.mkIf config.swarselmodules.server.bastion {
|
|
|
|
users = {
|
|
groups = {
|
|
jump = { };
|
|
};
|
|
users = {
|
|
"jump" = {
|
|
isNormalUser = true;
|
|
useDefaultShell = true;
|
|
group = lib.mkForce "jump";
|
|
createHome = lib.mkForce true;
|
|
openssh.authorizedKeys.keyFiles = [
|
|
(self + /secrets/public/ssh/yubikey.pub)
|
|
(self + /secrets/public/ssh/magicant.pub)
|
|
(self + /secrets/public/ssh/builder.pub)
|
|
];
|
|
};
|
|
};
|
|
};
|
|
|
|
|
|
services.openssh = {
|
|
enable = true;
|
|
startWhenNeeded = lib.mkForce false;
|
|
authorizedKeysInHomedir = false;
|
|
extraConfig = ''
|
|
Match User jump
|
|
PermitTTY no
|
|
X11Forwarding no
|
|
PermitTunnel no
|
|
GatewayPorts no
|
|
AllowAgentForwarding no
|
|
'';
|
|
settings = {
|
|
PasswordAuthentication = false;
|
|
KbdInteractiveAuthentication = false;
|
|
PermitRootLogin = lib.mkDefault "no";
|
|
AllowUsers = [
|
|
"jump"
|
|
];
|
|
};
|
|
hostKeys = lib.mkIf (!config.swarselmodules.server.ssh) [
|
|
{
|
|
path = "/etc/ssh/ssh_host_ed25519_key";
|
|
type = "ed25519";
|
|
}
|
|
];
|
|
};
|
|
|
|
home-manager.users.jump.config = {
|
|
home.stateVersion = lib.mkDefault "23.05";
|
|
programs.ssh = {
|
|
enable = true;
|
|
enableDefaultConfig = false;
|
|
matchBlocks = {
|
|
"*" = {
|
|
forwardAgent = false;
|
|
};
|
|
} // config.repo.secrets.local.ssh.hosts;
|
|
};
|
|
};
|
|
};
|
|
}
|