dadada
e1c562191b
Add system config Split up modules into home and system sets Update Cleanup Move home config Add module attrs Fix empty LUKS device UUID Import local secrets
56 lines
1.2 KiB
Nix
56 lines
1.2 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
|
|
with lib;
|
|
let
|
|
cfg = config.dadada.admin;
|
|
in {
|
|
options.dadada.admin = {
|
|
enable = mkEnableOption "Enable admin access";
|
|
|
|
users = mkOption {
|
|
type = with types; attrsOf (listOf path);
|
|
default = [];
|
|
description = ''
|
|
List of admin users with root access to all the machine.
|
|
'';
|
|
example = literalExample "\"user1\" = [ /path/to/key1 /path/to/key2 ]";
|
|
};
|
|
|
|
rat = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Enable NAT and firewall traversal for SSH via tor hidden service
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
services.sshd.enable = true;
|
|
services.openssh.passwordAuthentication = false;
|
|
security.sudo.wheelNeedsPassword = false;
|
|
|
|
users.mutableUsers = false;
|
|
|
|
users.users = mapAttrs (user: keys: (
|
|
{
|
|
extraGroups = [ "wheel" ];
|
|
isNormalUser = true;
|
|
openssh.authorizedKeys.keyFiles = keys;
|
|
})) cfg.users;
|
|
|
|
networking.firewall.allowedTCPPorts = [ 22 ];
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
vim
|
|
];
|
|
|
|
services.tor.hiddenServices = {
|
|
"rat" = mkIf cfg.rat.enable {
|
|
name = "rat";
|
|
map = [ { port = 22; } ];
|
|
};
|
|
};
|
|
};
|
|
}
|
|
|