commit 0737e3afb1ca023b553a3a042373bac41b3d3ec2
parent 0c091df17bf82d26ce68070eb51d1a9bf669a756
Author: Vincent Demeester <vincent@sbr.pm>
Date: Sun, 21 Aug 2022 11:28:06 +0200
systems/modules: move ssh from profile to services
And make some options be set only in kerkouane
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Diffstat:
4 files changed, 67 insertions(+), 22 deletions(-)
diff --git a/systems/hosts/kerkouane.nix b/systems/hosts/kerkouane.nix
@@ -131,10 +131,22 @@ in
profiles = {
git.enable = true;
- ssh.enable = true;
+ # ssh.enable = true;
wireguard.server.enable = true;
};
+ modules.services.ssh = {
+ enable = true;
+ extraConfig = ''
+ Match User nginx
+ ChrootDirectory /var/www
+ ForceCommand interfal-sftp
+ AllowTcpForwarding no
+ PermitTunnel no
+ X11Forwarding no
+ '';
+ };
+
networking.firewall.allowPing = true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
security = {
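Review bot: `ForceCommand interfal-sftp` in the new extraConfig is a misspelling of `internal-sftp`; sshd does not validate the command when it parses sshd_config, so chrooted sessions for the nginx user would fail at login running a non-existent command instead of the in-process SFTP server. The typo was already in the profile text being moved, but since this hunk re-adds it on the new side the move is the moment to fix it: `ForceCommand internal-sftp`. Also worth confirming (not visible here) that `/var/www` is root-owned and not group- or world-writable, since sshd refuses ChrootDirectory targets that are not, which would also lock this user out.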
diff --git a/systems/modules/profiles/ssh.nix b/systems/modules/profiles/ssh.nix
@@ -22,25 +22,10 @@ in
};
};
config = mkIf cfg.enable {
- services = {
- openssh = {
- enable = true;
- startWhenNeeded = false;
- forwardX11 = cfg.forwardX11;
- # listenAddresses = map
- # Move this for kerkouane only
- extraConfig = ''
- StreamLocalBindUnlink yes
- Match User nginx
- ChrootDirectory /var/www
- ForceCommand interfal-sftp
- AllowTcpForwarding no
- PermitTunnel no
- X11Forwarding no
- '';
- };
- sshguard.enable = true;
+ warnings = [ "The option 'profiles.ssh' is deprecated, use 'modules.services.ssh' instead" ];
+ modules.services.ssh = {
+ enable = cfg.enable;
+ listenAddresses = cfg.listenAddresses;
+ forwardX11 = cfg.forwardX11;
};
- programs.mosh.enable = true;
- };
-}
+ }
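Review bot: The trailing `+ }` replaces the old `};` and `}` with a single brace, so after this hunk the file appears to end with `config = mkIf cfg.enable { ... }` — the mkIf set is closed but the attribute is not terminated and the outer `{` is never closed, which Nix will reject when anything imports this profile. Unless the file continues past the hunk (no trailing context is shown, which suggests it does not), the last line should be `};` followed by `}`. The deprecation `warnings` entry itself is correctly placed in this profile; note that the same line is also copied into the new modules/services/ssh.nix in this commit.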
diff --git a/systems/modules/services/default.nix b/systems/modules/services/default.nix
@@ -3,6 +3,7 @@
./barrier.nix
./govanityurl.nix
./nix-binary-cache.nix
+ ./ssh.nix
./syncthing.nix
./wireguard.client.nix
];
diff --git a/systems/modules/services/ssh.nix b/systems/modules/services/ssh.nix
@@ -0,0 +1,47 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.modules.services.ssh;
+in
+{
+ options = {
+ modules.services.ssh = {
+ enable = mkEnableOption "Enable ssh profile";
+ listenAddresses = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ };
+ forwardX11 = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to allow X11 connections to be forwarded.
+ '';
+ };
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description = "Verbatim contents of <filename>sshd_config</filename>.";
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ warnings = [ "The option 'profiles.ssh' is deprecated, use 'modules.services.ssh' instead" ];
+ services = {
+ openssh = {
+ enable = true;
+ startWhenNeeded = false;
+ forwardX11 = cfg.forwardX11;
+ # listenAddresses = map
+ # Move this for kerkouane only
+ extraConfig = ''
+ StreamLocalBindUnlink yes
+ ${cg.extraConfig}
+ '';
+ };
+ sshguard.enable = true;
+ };
+ programs.mosh.enable = true;
+ };
+}
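Review bot: `${cg.extraConfig}` on the extraConfig line references an undefined `cg`, so evaluation of any host with `modules.services.ssh.enable = true` (kerkouane in this commit) fails with an undefined-variable error; it should be `${cfg.extraConfig}`. The `warnings` line copied from the profile belongs only in profiles/ssh.nix — here every user of the new module, including kerkouane, would be told "The option 'profiles.ssh' is deprecated", so drop it from this file. `listenAddresses` is declared but never consumed (the `# listenAddresses = map` and `# Move this for kerkouane only` comments are stale now that the move is done), so a host setting it to restrict where sshd binds silently gets sshd on all interfaces; either wire it inside `services.openssh` as `listenAddresses = map (addr: { inherit addr; }) cfg.listenAddresses;` (matching the NixOS option's `{ addr, port }` submodule) or remove the option, and delete the two comments. `mkEnableOption "Enable ssh profile"` renders as "Whether to enable Enable ssh profile." and this is now a service, not a profile; `mkEnableOption "the ssh service"` reads correctly.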