liminix/modules/ssh/default.nix
Daniel Barlow 869a508c0a add authorizedKeys option to ssh service
this has no apparent use as it stands, but opens the door to
having the keys managed by an external secrets service
2024-08-23 20:35:07 +01:00


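## Secure Shell
## ============
##
## Provide SSH service using Dropbear.
##
## This module only declares the `system.service.ssh` option set and hands
## the chosen values to ./ssh.nix through `config.system.callService`; the
## Dropbear invocation itself lives in ./ssh.nix.
##
## Every access-control toggle built with `mkBoolOption` (allowRoot,
## allowPasswordLogin, allowPasswordLoginForRoot, local/remote port
## forwarding) defaults to `true`. A configuration that supplies
## `authorizedKeys` will usually also set `allowPasswordLogin` and
## `allowPasswordLoginForRoot` to `false` so that only key-based logins
## are accepted.
{ lib, pkgs, config, ... }:
let
  inherit (lib) mkOption types;
  inherit (pkgs) liminix;

  # Boolean option with an explicit default; used directly for the one
  # option that must default to `false`.
  mkBoolOption' = default: description: mkOption {
    type = types.bool;
    inherit default description;
  };

  # Boolean option defaulting to `true` (the common case in this module).
  mkBoolOption = mkBoolOption' true;
in
{
  options = {
    system.service.ssh = mkOption {
      type = liminix.lib.types.serviceDefn;
    };
  };

  # NOTE(review): presumably required by the shell scripts in ./ssh.nix;
  # confirm against that file before changing.
  config.programs.busybox.options.FEATURE_FANCY_ECHO = "y";

  config.system.service = {
    # All attributes below are parameters of ./ssh.nix.
    ssh = config.system.callService ./ssh.nix {
      address = mkOption {
        type = types.nullOr types.str;
        default = null;
        description = "Listen on specified address";
        example = "127.0.0.1";
      };

      port = mkOption {
        type = types.port;
        default = 22;
        description = "Listen on specified TCP port";
      };

      allowRoot = mkBoolOption "Allow root to login";
      allowPasswordLogin =
        mkBoolOption "Allow login using password (disable for public key auth only)";
      allowPasswordLoginForRoot =
        mkBoolOption "Allow root to login using password (disable for public key auth only)";
      allowLocalPortForward = mkBoolOption "Enable local port forwarding";
      allowRemotePortForward = mkBoolOption "Enable remote port forwarding";

      # Deliberately defaults to `false`: forwarded ports stay bound to
      # loopback unless the administrator opts in.
      allowRemoteConnectionToForwardedPorts =
        mkBoolOption' false
          "Allow remote hosts to connect to local forwarded ports (by default they are bound to loopback)";

      # Keyed by username; each value is the list of public keys for that
      # user. `null` (the default) leaves key lookup to /home/{username}/.ssh.
      authorizedKeys = mkOption {
        type = types.nullOr (types.attrsOf (types.listOf types.nonEmptyStr));
        example = {
          root = [ "ssh-rsa AAAAB3N...aZaZ" ];
          alice = [ "ssh-rsa AAAAB3N...qS4r" ];
          bob = [ ];
        };
        default = null;
        description = "Authorized SSH public keys for each username. If this option is provided it overrides any keys found in /home/{username}/.ssh";
      };

      # Joined with single spaces before being handed to ./ssh.nix.
      extraConfig = mkOption {
        type = types.separatedString " ";
        default = "";
        description = "Additional space-separated options passed through to ./ssh.nix";
      };
    };
  };
}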