
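# NixOS module: turn this server into an SSH bastion ("jump") host.
#
# Enabling `swarselmodules.server.bastion` creates a locked-down `jump` account
# that is meant to be used only as a ProxyJump hop. It gets no TTY, no X11 /
# tunnel / agent forwarding, and no command execution on the bastion itself;
# TCP forwarding is left at the sshd default because ProxyJump relies on it.
#
# Arguments beyond the standard module set (`lib`, `config`, `pkgs`):
#   self            - flake source; used to locate the public key files.
#   withHomeManager - whether to also emit the jump user's home-manager config.
#   confLib         - project helper library (provides `mkIds`).
{ self, lib, config, pkgs, withHomeManager, confLib, ... }:
{
  options.swarselmodules.server.bastion = lib.mkEnableOption "enable bastion on server";

  config = lib.mkIf config.swarselmodules.server.bastion ({
    users = {
      # Stable uid/gid for the jump user. `confLib.mkIds` is project-local, so
      # its exact return shape is not visible from this file.
      persistentIds.jump = confLib.mkIds 1001;
      groups.jump = { };
      users.jump = {
        autoSubUidGidRange = false;
        isNormalUser = true;
        useDefaultShell = true;
        group = lib.mkForce "jump";
        createHome = lib.mkForce true;
        # Public keys shipped in the repo. Together with
        # `authorizedKeysInHomedir = false` below, these are the only keys sshd
        # consults for this account; nothing in ~jump/.ssh is honoured.
        openssh.authorizedKeys.keyFiles = [
          (self + /secrets/public/ssh/yubikey.pub)
          (self + /secrets/public/ssh/magicant.pub)
          (self + /secrets/public/ssh/builder.pub)
        ];
      };
    };

    services.openssh = {
      enable = true;
      startWhenNeeded = lib.mkForce false;
      authorizedKeysInHomedir = false;
      # Per-account restrictions. `extraConfig` is appended to the end of
      # sshd_config, so the Match block stays in effect until end of file.
      #
      # `PermitTTY no` only refuses a pseudo-terminal; a non-interactive
      # `ssh jump@host <cmd>` would still run <cmd> with the jump user's shell.
      # `ForceCommand` replaces any requested command with one that simply
      # exits non-zero, so the account cannot be used to execute anything on
      # the bastion. ProxyJump (`ssh -J` / `ssh -W`) opens direct-tcpip
      # channels without a session and is not affected by ForceCommand.
      extraConfig = ''
        Match User jump
          PermitTTY no
          X11Forwarding no
          PermitTunnel no
          GatewayPorts no
          AllowAgentForwarding no
          ForceCommand ${pkgs.coreutils}/bin/false
      '';
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        # mkDefault so another module (or host config) may still override it.
        PermitRootLogin = lib.mkDefault "no";
        # NOTE: AllowUsers is host-wide. This entry is merged with whatever
        # other modules contribute, so an admin login must be listed by one
        # of them or it will be refused once this module is enabled.
        AllowUsers = [ "jump" ];
      };
      # Declare a host key here only when the general ssh module is inactive,
      # so the same key is not declared twice.
      hostKeys = lib.mkIf (!config.swarselmodules.server.ssh) [
        {
          path = "/etc/ssh/ssh_host_ed25519_key";
          type = "ed25519";
        }
      ];
    };
  } // lib.optionalAttrs withHomeManager {
    # Client-side ssh config for the jump user itself: agent forwarding off
    # for every host, plus per-host blocks taken from the repo's local
    # secrets. The `//` lets a host entry named "*" there override this one.
    home-manager.users.jump.config = {
      home.stateVersion = lib.mkDefault "23.05";
      programs.ssh = {
        enable = true;
        enableDefaultConfig = false;
        matchBlocks = {
          "*" = {
            forwardAgent = false;
          };
        } // config.repo.secrets.local.ssh.hosts;
      };
    };
  });
}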