ctucx.git: nixfiles

ctucx' nixfiles

path: /machines/briefkasten/scanner-sftp.nix 2.28 KB | plain
1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 
22 
23 
24 
25 
26 
27 
28 
29 
30 
31 
32 
33 
34 
35 
36 
37 
38 
39 
40 
41 
42 
43 
44 
45 
46 
{ pkgs, ... }:

{

  # /ads1700w has to be owned by root:root, it's subdirectories by ads1700w user
  environment.persistence."/nix/persist".directories = [ "/ads1700w" ];

  users.users.ads1700w = {
    isNormalUser = true;
    createHome   = false;
    shell        = "${pkgs.coreutils}/bin/false";
    homeMode     = "770";
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDb2eZ2ymt+Zsf0eTlmjW2jPdS013lbde1+EGkgu6bz9lVTR8aawshF2HcoaWp5a5dJr3SKyihDM8hbWSYB3qyTHihNGyCArqSvAtZRw301ailRVHGqiwUITTfcg1533TtmWvlJZgOIFM1VvSAfdueDRRRzbygmn749fS9nhUTDzLtjqX5LvhpqhzsD+eOqPrV6Ne8E1e42JxQb5AJPY1gj9mk6eAarvtEHQYEe+/hp9ERjtCdN5DfuOJnqfaKS0ytPj/NbQskbX/TMgeUVio11iC2NbXsnAtzMmtbLX4mxlDQrR6aZmU/rHQ4aeJqI/Tj2rrF46icri7s0tnnit1OjT5PSxXgifcOtn06qoxYZMT1x+Dyrt40vNkGmxmxCnirm8B+6MKXgd/Ys+7tnOm1ht8TmLm96x6KdOiF3Zq/tMxhPAzp8JriTKSo7k7U9XxStFghTbhhBNc7OX89ZbpalLEnvbQiz87gZxhcx8cLvzIjslOHmZOSWC5Pgr4wwuj3Akq63i4ya6/BzM6v4UoBuDAB6fz3NHKL4R5X20la7Pvt7OBysQkGClWfj6ipMR1bFE2mfYtlMioXNgTjC+NCpEl1+81MH7dv2565Hk8CLV8FMxv6GujbAZGjjcM47lpWM1cBQvpBMUA/lLkyiCPK0YxNWAB7Co+jYDl6CR0Ubew== cardno:6445161"
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDP/DrM0GxPUf6nSAb/p4vXQQF1uZ8y7Ah/A5kKpBCE/WEuGp9TYFW/Iy7/Y7vN2jKoaJkDYTrjjYIJA0kY1v5KUfdBJDK0aR5paGfqoHau2ee2GgOdInhrmlrUvOR8jCj0kwCHZKgEdmkH6Tj4yRYw3GGjuOZbA/r2VECSk/4+bY7JyrdYbURrnVNA9Lar9YOoA5PBxTKXEsk4OkXny0XVTlyan5K2335O/qJfViyjwwdoWUJwCJ/FtJD6sSO6uEYe6X8DT3iHPnNP5So3CWUxwKfgOWCS6g43ysSpLJO68jyjNJjhVqAvyjCfOlCceitDGTZHay5LLdHe+jz+U9aT root@BR5CF370B9359C"
    ];
  };

  services.openssh = {
    settings.Macs = [
      "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" "hmac-sha2-512" "hmac-sha2-256" "umac-128@openssh.com"
      # needed by scanner
      "hmac-sha1"
    ];

    settings.KexAlgorithms = [
      "sntrup761x25519-sha512@openssh.com" "curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256"
      # needed by scanner
      "diffie-hellman-group-exchange-sha1"
    ];

    extraConfig = ''
      PubkeyAcceptedKeyTypes=+ssh-rsa
      HostKeyAlgorithms=+ssh-rsa

      Match User ads1700w
        ChrootDirectory /ads1700w
        X11Forwarding no
        AllowAgentForwarding no
        AllowTcpForwarding no
        PermitTunnel no
        ForceCommand internal-sftp
    '';
  };

}