
commit 0737e3afb1ca023b553a3a042373bac41b3d3ec2
parent 0c091df17bf82d26ce68070eb51d1a9bf669a756
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Sun, 21 Aug 2022 11:28:06 +0200

systems/modules: move ssh from profile to services

And make some option to be set only in kerkouane

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
Msystems/hosts/kerkouane.nix | 14+++++++++++++-
Msystems/modules/profiles/ssh.nix | 27++++++---------------------
Msystems/modules/services/default.nix | 1+
Asystems/modules/services/ssh.nix | 47+++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 67 insertions(+), 22 deletions(-)

diff --git a/systems/hosts/kerkouane.nix b/systems/hosts/kerkouane.nix
@@ -131,10 +131,22 @@ in
 profiles = {
 git.enable = true;
- ssh.enable = true;
+ # ssh.enable = true;
 wireguard.server.enable = true;
 };
+ modules.services.ssh = {
+ enable = true;
+ extraConfig = ''
+ Match User nginx
+ ChrootDirectory /var/www
+ ForceCommand interfal-sftp
+ AllowTcpForwarding no
+ PermitTunnel no
+ X11Forwarding no
+ '';
+ };
+
 networking.firewall.allowPing = true;
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 security = {
diff --git a/systems/modules/profiles/ssh.nix b/systems/modules/profiles/ssh.nix
@@ -22,25 +22,10 @@ in
 };
 };
 config = mkIf cfg.enable {
- services = {
- openssh = {
- enable = true;
- startWhenNeeded = false;
- forwardX11 = cfg.forwardX11;
- # listenAddresses = map
- # Move this for kerkouane only
- extraConfig = ''
- StreamLocalBindUnlink yes
- Match User nginx
- ChrootDirectory /var/www
- ForceCommand interfal-sftp
- AllowTcpForwarding no
- PermitTunnel no
- X11Forwarding no
- '';
- };
- sshguard.enable = true;
+ warnings = [ "The option 'profiles.ssh' is deprecated, use 'modules.services.ssh' instead" ];
+ modules.services.ssh = {
+ enable = cfg.enable;
+ listenAddresses = cfg.listenAddresses;
+ forwardX11 = cfg.forwardX11;
 };
- programs.mosh.enable = true;
- };
-}
+ }
diff --git a/systems/modules/services/default.nix b/systems/modules/services/default.nix
@@ -3,6 +3,7 @@
 ./barrier.nix
 ./govanityurl.nix
 ./nix-binary-cache.nix
+ ./ssh.nix
 ./syncthing.nix
 ./wireguard.client.nix
 ];
diff --git a/systems/modules/services/ssh.nix b/systems/modules/services/ssh.nix
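Review bot: `ForceCommand interfal-sftp` in the new `modules.services.ssh.extraConfig` block on kerkouane is a typo for sshd's built-in `internal-sftp`; as written sshd will try to run a program called `interfal-sftp` for the nginx Match block, so the chrooted SFTP access this block is meant to provide should not work at all (the session ends instead of a shell opening, but the feature is broken). The same text was in the removed profile, so the commit carries the typo over rather than introducing it; change the line to `ForceCommand internal-sftp`. Since sshd only honours `ChrootDirectory` when the directory is root-owned and not group- or world-writable, it is worth confirming that `/var/www` meets that on this host. The commented-out `# ssh.enable = true;` could simply be dropped rather than left as dead config.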
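Review bot: As rendered, the new end of profiles/ssh.nix is a bare `+  }` after the context `};`, so the `config = mkIf cfg.enable { … }` binding has no terminating `;` and the module's outer `{` (opened above the hunk, in the part of the file not shown) is never closed; unless the page dropped lines, this file will no longer parse. The removed lines were `};` and `}`, so the added tail should be `  };` followed by `}`. The compatibility shim also forwards `cfg.listenAddresses` to `modules.services.ssh.listenAddresses`, which the new module declares but does not apply to `services.openssh`, so setting it through the profile still has no effect. The module's `options` block is outside the hunk.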
@@ -0,0 +1,47 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.modules.services.ssh;
+in
+{
+ options = {
+ modules.services.ssh = {
+ enable = mkEnableOption "Enable ssh profile";
+ listenAddresses = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ };
+ forwardX11 = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to allow X11 connections to be forwarded.
+ '';
+ };
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description = "Verbatim contents of <filename>sshd_config</filename>.";
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ warnings = [ "The option 'profiles.ssh' is deprecated, use 'modules.services.ssh' instead" ];
+ services = {
+ openssh = {
+ enable = true;
+ startWhenNeeded = false;
+ forwardX11 = cfg.forwardX11;
+ # listenAddresses = map
+ # Move this for kerkouane only
+ extraConfig = ''
+ StreamLocalBindUnlink yes
+ ${cg.extraConfig}
+ '';
+ };
+ sshguard.enable = true;
+ };
+ programs.mosh.enable = true;
+ };
+}
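Review bot: `${cg.extraConfig}` inside `services.openssh.extraConfig` references an undefined variable — the let-binding above is `cfg` — so evaluating any configuration that sets `modules.services.ssh.enable = true` (kerkouane in this same commit) fails with an undefined-variable error; change it to `${cfg.extraConfig}`. The `warnings` entry was copied from the profile and now fires for every direct user of `modules.services.ssh`, which is exactly the replacement the message recommends, so it should be removed from this module. `listenAddresses` is declared but never used (only the `# listenAddresses = map` comment remains), so the option currently has no effect; either map it onto `services.openssh.listenAddresses`, which takes `{ addr; port; }` attribute sets, or say so in a `description` so users are not misled. `mkEnableOption "Enable ssh profile"` renders as "Whether to enable Enable ssh profile."; `mkEnableOption "the sshd service module"` reads correctly.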