diff --git a/nixos/install.sh b/nixos/install.sh
index bed852c..e807fcb 100755
--- a/nixos/install.sh
+++ b/nixos/install.sh
@@ -12,10 +12,15 @@ DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
 echo "Installing NixOS modules..."
 if [ -d /etc/nixos/modules ]; then
- echo "Directory /etc/nixos/modules exists - exiting."
- exit 2
+ echo "Directory /etc/nixos/modules exists - skipping."
+else
+ sudo ln -s $DIR/modules /etc/nixos/modules || echo "Could not link modules"
 fi
-sudo ln -s $DIR/modules /etc/nixos/modules
+if [ -d /etc/nixos/ssh ]; then
+ echo "Directory /etc/nixos/ssh exists - skipping."
+else
+ sudo ln -s $DIR/../ssh /etc/nixos/ssh || echo "Could not link ssh assets"
+fi
 echo "Done."
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index 07e086e..5a2cac1 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -8,6 +8,7 @@ in {
 ./audio.nix
 ./desktop.nix
 ./yubikey.nix
+ ./ssh.nix
 ];
 options.kevin = {
@@ -21,14 +22,15 @@ in {
 ({
 nixpkgs.config.allowUnfree = true;
 i18n.defaultLocale = "en_US.UTF-8";
-
+ kevin.ssh.server.enable = true;
+
 console = {
 font = "Lat2-Terminus16";
 keyMap = "de";
 };
- services.xserver.layout = "de";
-
+ services.xserver.layout = "de";
+
 environment.systemPackages = with pkgs; [
 vim
 wget
@@ -77,6 +79,7 @@ in {
 description = "Kevin Kandlbinder";
 extraGroups = [ "wheel" "docker" "dialout" ];
 };
+ kevin.ssh.authorized.kevin = true;
 })
 (mkIf (cfg.defaults == "laptop") {
 kevin.power.mode = "laptop";
diff --git a/nixos/modules/networking.nix b/nixos/modules/networking.nix
index 5e66db1..de0333e 100644
--- a/nixos/modules/networking.nix
+++ b/nixos/modules/networking.nix
@@ -6,6 +6,7 @@ in {
 options.kevin.networking = {
 enable = mkEnableOption "kevins networking";
 avahi.enable = mkEnableOption "avahi";
+ ssh.enable = mkEnableOption "ssh";
 firewall.wireguard = mkEnableOption "wireguard exceptions";
 firewall.syncthing = mkEnableOption "syncthing exceptions";
 };
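Review bot: Both new `sudo ln -s` lines leave `$DIR` unquoted and swap the old hard `exit 2` for an `echo`, so a failed link (for instance a dangling `/etc/nixos/ssh` symlink, which `[ -d ]` reports as absent and `ln -s` then refuses to overwrite) still reaches `echo "Done."` and exits 0. I would quote the path and fail loudly, `sudo ln -s "$DIR/modules" /etc/nixos/modules || { echo "Could not link modules" >&2; exit 1; }`, and do the same on the `ssh` line, ideally with the `$DIR/../ssh` target canonicalised first (e.g. `realpath`) so the link does not carry a literal `..`. Since `/etc/nixos/ssh` now points into the invoking user's checkout and `ssh.nix` reads `authorized_keys` through it at rebuild time, a comment on that line would record the trust boundary: `# authorized_keys is read through this link at rebuild; whoever can write the checkout chooses the keys`. Whether the script runs under `set -e` is not visible from the hunk.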
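Review bot: `kevin.ssh.server.enable = true;` lands in the unconditional defaults block of default.nix, so every host importing this module, including the `laptop` branch visible further down, now runs sshd and opens TCP 22 via `kevin.networking.ssh`, where before the change no host had a server by default. Enabling it per host, or only under the `cfg.defaults` branch that actually needs remote access, keeps roaming machines' exposure to what they use; if all hosts are intended, a one-line comment such as `# sshd on every host; login is key-only, keys come from kevin.ssh.authorized` makes that deliberate rather than incidental. The remaining edits in that hunk (`services.xserver.layout = "de";` and the blank lines) are trailing-whitespace rewrites that could be left out to keep the diff to the functional change. The `mkMerge` list these hunks belong to starts and ends outside the hunk.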
@@ -24,6 +25,17 @@ in {
 networking.firewall.allowedUDPPorts = [ 5353 ];
 })
+ (mkIf cfg.ssh.enable {
+ services.openssh = {
+ enable = true;
+ # require public key authentication for better security
+ passwordAuthentication = false;
+ kbdInteractiveAuthentication = false;
+ #permitRootLogin = "yes";
+ };
+
+ networking.firewall.allowedTCPPorts = [ 22 ];
+ })
 (mkIf cfg.firewall.wireguard {
 networking.firewall = {
 # if packets are still dropped, they will show up in dmesg
diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
new file mode 100644
index 0000000..718f811
--- /dev/null
+++ b/nixos/modules/ssh.nix
@@ -0,0 +1,21 @@
+{ lib, pkgs, config, ... }:
+with lib;
+let
+ cfg = config.kevin.ssh;
+in {
+ options.kevin.ssh = {
+ server.enable = mkEnableOption "kevins ssh";
+ authorized.kevin = mkEnableOption "set authorized for kevin";
+ };
+ config = mkMerge [
+ (mkIf cfg.server.enable {
+ kevin.networking.ssh.enable = true;
+ })
+ (mkIf cfg.authorized.kevin {
+ users.users."kevin".openssh.authorizedKeys.keyFiles = [
+ /etc/nixos/ssh/kevin/authorized_keys
+ ];
+ })
+ ];
+}
diff --git a/ssh/kevin/authorized_keys b/ssh/kevin/authorized_keys
new file mode 100644
index 0000000..5b90756
--- /dev/null
+++ b/ssh/kevin/authorized_keys
@@ -0,0 +1,2 @@
+ssh-rsa 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 kevin@kevin-tp-l580
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFB0N+8UFxknoCQvp5N2UPL7BiRlAPz8TguysufpcOqw kevin@kevin-PC
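Review bot: The commented-out `#permitRootLogin = "yes";` in the new `services.openssh` block is a ready-to-uncomment reversal of the policy the comment two lines above describes, and as written the block leaves root login at whatever the module default is instead of pinning it. Replace that line with an explicit `permitRootLogin = "no";` so the block states its whole policy; on NixOS releases that expose `services.openssh.settings`, these three belong under `settings.PasswordAuthentication`, `settings.KbdInteractiveAuthentication` and `settings.PermitRootLogin`, since the bare top-level names are deprecated there (the release in use is not visible here). `networking.firewall.allowedTCPPorts = [ 22 ];` hard-codes the port separately from `services.openssh.ports`; the openssh module's own `openFirewall` handling already follows the configured ports, so this rule is likely redundant today and silently wrong the day the port changes.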
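Review bot: In the new ssh.nix, `keyFiles = [ /etc/nixos/ssh/kevin/authorized_keys ];` is a Nix path literal, so evaluation copies that file into the store and aborts with a missing-path error whenever the `/etc/nixos/ssh` symlink from install.sh is absent, tying the module to the installer rather than to the repository it lives in. A module-relative path, `../../ssh/kevin/authorized_keys`, reads the same file straight from the checkout, needs no symlink, and keeps the module self-contained. `pkgs` in `{ lib, pkgs, config, ... }:` is unused and can be dropped. The option descriptions render as "Whether to enable kevins ssh." and "Whether to enable set authorized for kevin."; noun phrases such as `"the OpenSSH server on this host"` and `"installing kevin's authorized_keys for user kevin"` read correctly in the generated docs.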