2014-04-14 14:26:48 +00:00
|
|
|
{ config, lib, pkgs, ... }:
|
2008-03-05 16:03:09 +00:00
|
|
|
|
2014-04-14 14:26:48 +00:00
|
|
|
with lib;
|
2009-10-12 16:36:19 +00:00
|
|
|
|
2011-09-14 18:20:50 +00:00
|
|
|
let
|
2009-10-12 16:36:19 +00:00
|
|
|
|
|
|
|
inherit (pkgs) lsh;
|
|
|
|
|
|
|
|
cfg = config.services.lshd;
|
|
|
|
|
|
|
|
in
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
###### interface
|
2008-03-05 16:03:09 +00:00
|
|
|
|
2009-03-06 12:26:10 +00:00
|
|
|
options = {
|
2011-09-14 18:20:50 +00:00
|
|
|
|
2009-10-12 16:36:19 +00:00
|
|
|
services.lshd = {
|
|
|
|
|
|
|
|
enable = mkOption {
|
2020-04-20 18:05:26 +00:00
|
|
|
type = types.bool;
|
2009-10-12 16:36:19 +00:00
|
|
|
default = false;
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2009-10-12 16:36:19 +00:00
|
|
|
Whether to enable the GNU lshd SSH2 daemon, which allows
|
|
|
|
secure remote login.
|
|
|
|
'';
|
|
|
|
};
|
2009-03-06 12:26:10 +00:00
|
|
|
|
2009-10-12 16:36:19 +00:00
|
|
|
portNumber = mkOption {
|
|
|
|
default = 22;
|
2021-01-31 10:24:41 +00:00
|
|
|
type = types.port;
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2009-10-12 16:36:19 +00:00
|
|
|
The port on which to listen for connections.
|
|
|
|
'';
|
|
|
|
};
|
2009-03-06 12:26:10 +00:00
|
|
|
|
2009-10-12 16:36:19 +00:00
|
|
|
interfaces = mkOption {
|
|
|
|
default = [];
|
2021-01-31 10:24:41 +00:00
|
|
|
type = types.listOf types.str;
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2009-10-12 16:36:19 +00:00
|
|
|
List of network interfaces where listening for connections.
|
2023-01-21 10:06:46 +00:00
|
|
|
When providing the empty list, `[]`, lshd listens on all
|
2009-10-12 16:36:19 +00:00
|
|
|
network interfaces.
|
|
|
|
'';
|
|
|
|
example = [ "localhost" "1.2.3.4:443" ];
|
2009-03-06 12:26:10 +00:00
|
|
|
};
|
|
|
|
|
2009-10-12 16:36:19 +00:00
|
|
|
hostKey = mkOption {
|
|
|
|
default = "/etc/lsh/host-key";
|
2021-01-31 10:24:41 +00:00
|
|
|
type = types.str;
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2009-10-12 16:36:19 +00:00
|
|
|
Path to the server's private key. Note that this key must
|
|
|
|
have been created, e.g., using "lsh-keygen --server |
|
|
|
|
lsh-writekey --server", so that you can run lshd.
|
|
|
|
'';
|
|
|
|
};
|
2009-03-06 12:26:10 +00:00
|
|
|
|
2009-10-12 16:36:19 +00:00
|
|
|
syslog = mkOption {
|
2020-04-27 07:04:07 +00:00
|
|
|
type = types.bool;
|
2009-10-12 16:36:19 +00:00
|
|
|
default = true;
|
2024-04-13 12:54:15 +00:00
|
|
|
description = "Whether to enable syslog output.";
|
2009-10-12 16:36:19 +00:00
|
|
|
};
|
2009-03-06 12:26:10 +00:00
|
|
|
|
2009-10-12 16:36:19 +00:00
|
|
|
passwordAuthentication = mkOption {
|
2020-04-27 07:04:07 +00:00
|
|
|
type = types.bool;
|
2009-10-12 16:36:19 +00:00
|
|
|
default = true;
|
2024-04-13 12:54:15 +00:00
|
|
|
description = "Whether to enable password authentication.";
|
2009-10-12 16:36:19 +00:00
|
|
|
};
|
2009-03-06 12:26:10 +00:00
|
|
|
|
2009-10-12 16:36:19 +00:00
|
|
|
publicKeyAuthentication = mkOption {
|
2020-04-27 07:04:07 +00:00
|
|
|
type = types.bool;
|
2009-10-12 16:36:19 +00:00
|
|
|
default = true;
|
2024-04-13 12:54:15 +00:00
|
|
|
description = "Whether to enable public key authentication.";
|
2009-10-12 16:36:19 +00:00
|
|
|
};
|
2009-03-06 12:26:10 +00:00
|
|
|
|
2009-10-12 16:36:19 +00:00
|
|
|
rootLogin = mkOption {
|
2020-04-27 07:04:07 +00:00
|
|
|
type = types.bool;
|
2009-10-12 16:36:19 +00:00
|
|
|
default = false;
|
2024-04-13 12:54:15 +00:00
|
|
|
description = "Whether to enable remote root login.";
|
2009-10-12 16:36:19 +00:00
|
|
|
};
|
2009-03-06 12:26:10 +00:00
|
|
|
|
2009-10-12 16:36:19 +00:00
|
|
|
loginShell = mkOption {
|
|
|
|
default = null;
|
2021-01-31 10:24:41 +00:00
|
|
|
type = types.nullOr types.str;
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2009-10-12 16:36:19 +00:00
|
|
|
If non-null, override the default login shell with the
|
|
|
|
specified value.
|
|
|
|
'';
|
2011-10-30 15:19:58 +00:00
|
|
|
example = "/nix/store/xyz-bash-10.0/bin/bash10";
|
2009-10-12 16:36:19 +00:00
|
|
|
};
|
2009-03-06 12:26:10 +00:00
|
|
|
|
2009-10-12 16:36:19 +00:00
|
|
|
srpKeyExchange = mkOption {
|
|
|
|
default = false;
|
2021-01-31 10:24:41 +00:00
|
|
|
type = types.bool;
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2009-10-12 16:36:19 +00:00
|
|
|
Whether to enable SRP key exchange and user authentication.
|
|
|
|
'';
|
|
|
|
};
|
2009-03-06 12:26:10 +00:00
|
|
|
|
2009-10-12 16:36:19 +00:00
|
|
|
tcpForwarding = mkOption {
|
2020-04-27 07:04:07 +00:00
|
|
|
type = types.bool;
|
2009-10-12 16:36:19 +00:00
|
|
|
default = true;
|
2024-04-13 12:54:15 +00:00
|
|
|
description = "Whether to enable TCP/IP forwarding.";
|
2009-10-12 16:36:19 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
x11Forwarding = mkOption {
|
2020-04-27 07:04:07 +00:00
|
|
|
type = types.bool;
|
2009-10-12 16:36:19 +00:00
|
|
|
default = true;
|
2024-04-13 12:54:15 +00:00
|
|
|
description = "Whether to enable X11 forwarding.";
|
2009-10-12 16:36:19 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
subsystems = mkOption {
|
2021-01-31 10:24:41 +00:00
|
|
|
type = types.listOf types.path;
|
2024-04-13 12:54:15 +00:00
|
|
|
description = ''
|
2009-10-12 16:36:19 +00:00
|
|
|
List of subsystem-path pairs, where the head of the pair
|
|
|
|
denotes the subsystem name, and the tail denotes the path to
|
|
|
|
an executable implementing it.
|
|
|
|
'';
|
|
|
|
};
|
2011-09-14 18:20:50 +00:00
|
|
|
|
2009-10-12 16:36:19 +00:00
|
|
|
};
|
2009-03-06 12:26:10 +00:00
|
|
|
|
2009-10-12 16:36:19 +00:00
|
|
|
};
|
2009-03-06 12:26:10 +00:00
|
|
|
|
|
|
|
|
2009-10-12 16:36:19 +00:00
|
|
|
###### implementation
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
|
2014-08-09 15:18:54 +00:00
|
|
|
services.lshd.subsystems = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ];
|
|
|
|
|
2016-01-06 06:50:18 +00:00
|
|
|
systemd.services.lshd = {
|
|
|
|
description = "GNU lshd SSH2 daemon";
|
|
|
|
|
2016-09-12 14:39:11 +00:00
|
|
|
after = [ "network.target" ];
|
2016-01-06 06:50:18 +00:00
|
|
|
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
|
|
|
|
environment = {
|
|
|
|
LD_LIBRARY_PATH = config.system.nssModules.path;
|
2009-10-12 16:36:19 +00:00
|
|
|
};
|
2011-09-14 18:20:50 +00:00
|
|
|
|
2016-01-06 06:50:18 +00:00
|
|
|
preStart = ''
|
|
|
|
test -d /etc/lsh || mkdir -m 0755 -p /etc/lsh
|
|
|
|
test -d /var/spool/lsh || mkdir -m 0755 -p /var/spool/lsh
|
|
|
|
|
|
|
|
if ! test -f /var/spool/lsh/yarrow-seed-file
|
|
|
|
then
|
|
|
|
# XXX: It would be nice to provide feedback to the
|
|
|
|
# user when this fails, so that they can retry it
|
|
|
|
# manually.
|
|
|
|
${lsh}/bin/lsh-make-seed --sloppy \
|
|
|
|
-o /var/spool/lsh/yarrow-seed-file
|
|
|
|
fi
|
|
|
|
|
|
|
|
if ! test -f "${cfg.hostKey}"
|
|
|
|
then
|
|
|
|
${lsh}/bin/lsh-keygen --server | \
|
|
|
|
${lsh}/bin/lsh-writekey --server -o "${cfg.hostKey}"
|
|
|
|
fi
|
|
|
|
'';
|
|
|
|
|
|
|
|
script = with cfg; ''
|
|
|
|
${lsh}/sbin/lshd --daemonic \
|
|
|
|
--password-helper="${lsh}/sbin/lsh-pam-checkpw" \
|
|
|
|
-p ${toString portNumber} \
|
2023-06-24 18:19:19 +00:00
|
|
|
${optionalString (interfaces != []) (concatStrings (map (i: "--interface=\"${i}\"") interfaces))} \
|
2016-01-06 06:50:18 +00:00
|
|
|
-h "${hostKey}" \
|
2023-03-19 20:44:31 +00:00
|
|
|
${optionalString (!syslog) "--no-syslog" } \
|
2016-01-06 06:50:18 +00:00
|
|
|
${if passwordAuthentication then "--password" else "--no-password" } \
|
|
|
|
${if publicKeyAuthentication then "--publickey" else "--no-publickey" } \
|
|
|
|
${if rootLogin then "--root-login" else "--no-root-login" } \
|
2023-03-19 20:44:31 +00:00
|
|
|
${optionalString (loginShell != null) "--login-shell=\"${loginShell}\"" } \
|
2016-01-06 06:50:18 +00:00
|
|
|
${if srpKeyExchange then "--srp-keyexchange" else "--no-srp-keyexchange" } \
|
|
|
|
${if !tcpForwarding then "--no-tcpip-forward" else "--tcpip-forward"} \
|
|
|
|
${if x11Forwarding then "--x11-forward" else "--no-x11-forward" } \
|
|
|
|
--subsystems=${concatStringsSep ","
|
|
|
|
(map (pair: (head pair) + "=" +
|
|
|
|
(head (tail pair)))
|
|
|
|
subsystems)}
|
|
|
|
'';
|
|
|
|
};
|
2013-10-15 12:47:51 +00:00
|
|
|
|
2016-01-06 06:50:18 +00:00
|
|
|
security.pam.services.lshd = {};
|
2009-03-06 12:26:10 +00:00
|
|
|
};
|
2008-03-05 16:03:09 +00:00
|
|
|
}
|