{ config, lib, pkgs, ... }:

with lib;

let
  # Installed for every account on the host, so the list is kept short.
  # heimdal and openssh_gssapi go together with the Kerberos/GSSAPI setup
  # further down (krb5.kerberos = heimdalFull, programs.ssh.package).
  basePackages = [
    pkgs.bind
    pkgs.git
    pkgs.heimdal
    pkgs.openssh_gssapi
    pkgs.vim
    pkgs.wget
  ];
in
{
  environment = {
    # Publishes the whole configuration tree (two directories up from this
    # file) as /etc/current-nixos-config. The path is copied into the Nix
    # store, which every local user can read, so nothing secret may live
    # anywhere under that tree.
    etc.current-nixos-config.source = ../../.;

    systemPackages = basePackages;

    # Kept disabled: presumably superseded by programs.ssh.startAgent below
    # (this would have pointed SSH_AUTH_SOCK at gpg-agent instead).
    # shellInit = ''
    #   ${pkgs.gnupg}/bin/gpg-connect-agent /bye
    #   export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
    # '';
  };

  nixpkgs.config.allowUnfree = true;

  krb5 = {
    enable = true;

    # Heimdal rather than MIT; matches the heimdal client tools in basePackages.
    kerberos = pkgs.heimdalFull;

    # NOTE(review): these appdefaults keys look like they are meant for
    # Heimdal's own client programs — confirm which tools actually read them.
    appdefaults = {
      forwardable = true;
      proxiable = true;
      encrypt = true;
      forward = true;
    };

    libdefaults = {
      # Permits weak enctypes (single-DES class). Only legacy services or KDCs
      # need this; NOTE(review): confirm it is still required, because it also
      # lets a negotiation settle on a weak key instead of failing.
      allow_weak_crypto = true;

      # KDC and realm are discovered through DNS (SRV / TXT records). The
      # realm lookup in particular is unauthenticated unless DNS answers are
      # DNSSEC-validated on this host.
      dns_lookup_kdc = true;
      dns_lookup_realm = true;

      # Tickets are requested forwardable/proxiable by default. Combined with
      # GSSAPIDelegateCredentials in programs.ssh below, every ssh login hands
      # the TGT to the remote host.
      forwardable = true;
      proxiable = true;
    };
  };

  services = {
    openssh = {
      enable = true;
      startWhenNeeded = true;
      # useDns = true;
      permitRootLogin = "prohibit-password";

      # GSSAPIKeyExchange and GSSAPIStoreCredentialsOnRekey are keywords from
      # the GSSAPI patch set, not stock OpenSSH. NOTE(review): services.openssh.package
      # is not pinned here while programs.ssh.package is pinned to
      # openssh_gssapi — confirm sshd runs a build that accepts these
      # keywords, otherwise it will refuse its configuration.
      extraConfig = ''
        GSSAPIAuthentication yes
        GSSAPICleanupCredentials yes
        GSSAPIKeyExchange yes
        GSSAPIStoreCredentialsOnRekey yes
      '';
    };

    fail2ban = {
      enable = true;
      # Repeat offenders get progressively longer bans.
      bantime-increment.enable = true;
    };

    xserver = {
      layout = "us";
      xkbVariant = "dvp";
      xkbOptions = "ctrl:nocaps";
    };

    # pcscd.enable = true;
    # udev.packages = with pkgs; [ yubikey-personalization ];

    # NOTE(review): later NixOS releases have deprecated/removed this option;
    # verify it still exists on the release this host tracks.
    dbus.socketActivated = true;
  };

  networking.firewall = {
    # Allow mosh connections if the firewall is enabled
    allowedUDPPortRanges = [
      {
        from = 60000;
        to = 60100;
      }
    ];
  };

  console.useXkbConfig = true;

  i18n.defaultLocale = "en_US.UTF-8";

  programs = {
    mosh.enable = true;
    bash.enableCompletion = true;
    fish.enable = true;

    gnupg.agent = {
      enable = true;
      # enableSSHSupport = true;
      # pinentryFlavor = if cfg.enable-gui then "gnome3" else "curses";
    };

    ssh = {
      startAgent = true;
      package = pkgs.openssh_gssapi;

      # GSSAPIDelegateCredentials forwards the Kerberos TGT to every host we
      # connect to, so a compromised server can act with our identity until the
      # ticket expires. Scoping it to known hosts with a `Host` block limits the
      # exposure.
      extraConfig = ''
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
      '';
    };
  };

  security = {
    acme.acceptTerms = true;

    pam = {
      # pam_ssh_agent_auth: a forwarded agent holding an authorized key can
      # satisfy PAM. NOTE(review): this extends trust in the forwarded agent to
      # whatever PAM stacks enable sshAgentAuth — confirm that is intended.
      enableSSHAgentAuth = true;

      services = {
        sshd = {
          # Kerberos-authenticated users may have no local home yet.
          makeHomeDir = true;
          sshAgentAuth = true;
          # This isn't supposed to ask for a code unless ~/.google_authenticator exists...but it does
          # googleAuthenticator.enable = true;
        };
      };
    };
  };
}