port to flakes

2021-06-13 13:43:21 +02:00 · 2021-06-13 13:43:21 +02:00 · 2d9150098e
commit 2d9150098e
parent deaa4fb75c
76 changed files with 721 additions and 315 deletions
--- a/nixos/modules/admin.nix
+++ b/nixos/modules/admin.nix
@ -0,0 +1,61 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  cfg = config.dadada.admin;
+in
+{
+  options = {
+    dadada.admin = {
+      enable = mkEnableOption "Enable admin access";
+
+      users = mkOption {
+        type = with types; attrsOf (listOf path);
+        default = [ ];
+        description = ''
+          List of admin users with root access to all the machine.
+        '';
+        example = literalExample "\"user1\" = [ /path/to/key1 /path/to/key2 ]";
+      };
+
+      rat = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable NAT and firewall traversal for SSH via tor hidden service
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.sshd.enable = true;
+    services.openssh.passwordAuthentication = false;
+    security.sudo.wheelNeedsPassword = false;
+
+    users.users = mapAttrs
+      (user: keys: (
+        {
+          extraGroups = [ "wheel" ];
+          isNormalUser = true;
+          openssh.authorizedKeys.keyFiles = keys;
+        }))
+      cfg.users;
+
+    users.mutableUsers = mkDefault false;
+
+    networking.firewall.allowedTCPPorts = [ 22 ];
+
+    environment.systemPackages = with pkgs; [
+      vim
+      tmux
+    ];
+
+    services.tor.relay.onionServices = {
+      "rat" = mkIf cfg.rat.enable {
+        name = "rat";
+        map = [{ port = 22; }];
+      };
+    };
+  };
+}