mirror of
https://github.com/gensokyo-zone/infrastructure.git
synced 2026-02-09 20:39:18 -08:00
50 lines
1.2 KiB
Nix
50 lines
1.2 KiB
Nix
{
|
|
pkgs,
|
|
config,
|
|
lib,
|
|
...
|
|
}: let
|
|
inherit (lib.modules) mkAfter mkForce;
|
|
sshPort = 41022;
|
|
username = "tf-proxmox";
|
|
sshJump = pkgs.writeShellScript "ssh-jump-${username}" ''
|
|
exec ssh -T \
|
|
-oUpdateHostKeys=yes \
|
|
-i ${config.sops.secrets.tf-proxmox-identity.path} \
|
|
tf@reisen.local.${config.networking.domain} \
|
|
-- "$SSH_ORIGINAL_COMMAND"
|
|
'';
|
|
in {
|
|
users.users.${username} = {
|
|
uid = 4000;
|
|
hashedPasswordFile = config.sops.secrets.tf-proxmox-passwd.path;
|
|
isNormalUser = true;
|
|
autoSubUidGidRange = false;
|
|
group = username;
|
|
openssh.matchBlock.settings = {
|
|
# PasswordAuthentication works too
|
|
KbdInteractiveAuthentication = true;
|
|
ForceCommand = sshJump;
|
|
};
|
|
};
|
|
users.groups.${username} = {
|
|
gid = config.users.users.${username}.uid;
|
|
};
|
|
|
|
services.openssh = {
|
|
ports = mkAfter [sshPort];
|
|
};
|
|
# required for kbd or password authentication
|
|
security.pam.services.sshd.unixAuth = mkForce true;
|
|
|
|
networking.firewall.allowedTCPPorts = [sshPort];
|
|
|
|
sops.secrets = {
|
|
tf-proxmox-passwd = {
|
|
neededForUsers = true;
|
|
};
|
|
tf-proxmox-identity = {
|
|
owner = username;
|
|
};
|
|
};
|
|
}
|