commit af94ba8852df45770289d68e52b316dd4019e773
parent 45b1f3413913089aa7c4cbe985a71ae0d8dd6dbc
Author: Leah (ctucx) <leah@ctu.cx>
Date: Wed, 29 Jun 2022 17:47:18 +0200
parent 45b1f3413913089aa7c4cbe985a71ae0d8dd6dbc
Author: Leah (ctucx) <leah@ctu.cx>
Date: Wed, 29 Jun 2022 17:47:18 +0200
machines/lollo: configure openssh so that the weird scanner can connect
2 files changed, 42 insertions(+), 0 deletions(-)
diff --git a/machines/lollo/configuration.nix b/machines/lollo/configuration.nix @@ -20,6 +20,7 @@ ./syncthing.nix ./restic-vnstat.nix ./gotosocial.nix + ./scanner-sftp.nix ]; age.secrets.restic-server-desastro.file = ../../secrets/restic-server/desastro.age;
diff --git a/machines/lollo/scanner-sftp.nix b/machines/lollo/scanner-sftp.nix
@@ -0,0 +1,41 @@
+{ pkgs, ... }:
+
+{
+ users.users.ads1700w = {
+ isNormalUser = true;
+ createHome = false;
+ shell = "${pkgs.coreutils}/bin/false";
+ homeMode = "770";
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 cardno:6445161"
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDP/DrM0GxPUf6nSAb/p4vXQQF1uZ8y7Ah/A5kKpBCE/WEuGp9TYFW/Iy7/Y7vN2jKoaJkDYTrjjYIJA0kY1v5KUfdBJDK0aR5paGfqoHau2ee2GgOdInhrmlrUvOR8jCj0kwCHZKgEdmkH6Tj4yRYw3GGjuOZbA/r2VECSk/4+bY7JyrdYbURrnVNA9Lar9YOoA5PBxTKXEsk4OkXny0XVTlyan5K2335O/qJfViyjwwdoWUJwCJ/FtJD6sSO6uEYe6X8DT3iHPnNP5So3CWUxwKfgOWCS6g43ysSpLJO68jyjNJjhVqAvyjCfOlCceitDGTZHay5LLdHe+jz+U9aT root@BR5CF370B9359C"
+ ];
+ };
+
+ services.openssh = {
+ macs = [
+ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" "hmac-sha2-512" "hmac-sha2-256" "umac-128@openssh.com"
+ # needed by scanner
+ "hmac-sha1"
+ ];
+
+ kexAlgorithms = [
+ "sntrup761x25519-sha512@openssh.com" "curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256"
+ # needed by scanner
+ "diffie-hellman-group-exchange-sha1"
+ ];
+
+ extraConfig = ''
+ PubkeyAcceptedKeyTypes=+ssh-rsa
+ HostKeyAlgorithms=+ssh-rsa
+
+ Match User ads1700w
+ ChrootDirectory /ads1700w
+ X11Forwarding no
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ PermitTunnel no
+ ForceCommand internal-sftp
+ '';
+ };
+}
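Review bot: `PubkeyAcceptedKeyTypes=+ssh-rsa` sits above the `Match User ads1700w` line in `extraConfig`, so SHA-1 RSA signatures are accepted for every account on this host rather than only for the scanner. sshd permits that keyword inside a Match block, so it can move below `Match User ads1700w` as `PubkeyAcceptedKeyTypes +ssh-rsa`. The `hmac-sha1`, `diffie-hellman-group-exchange-sha1` and `HostKeyAlgorithms=+ssh-rsa` additions are negotiated before the user is known and so necessarily stay server-wide; a comment such as `# weakens every connection to this sshd, not just ads1700w; drop once the scanner is replaced` would record that. `ChrootDirectory /ads1700w` also depends on that path existing, being owned by root and not being group- or world-writable, and nothing visible in this file creates it, so it is presumably set up elsewhere and worth confirming.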