71 lines
1.7 KiB
Nix
Executable file
71 lines
1.7 KiB
Nix
Executable file
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}: let
|
|
hostKeyPath = "/etc/ssh/everest_host_key";
|
|
notify =
|
|
pkgs.writers.writePython3 "send-discord-login-notification" {
|
|
libraries = [pkgs.python3Packages.requests];
|
|
} ''
|
|
import requests
|
|
import os
|
|
|
|
if os.environ["PAM_TYPE"] != "open_session":
|
|
raise SystemExit
|
|
secretPath = "${config.sops.secrets.discordWebhook.path}"
|
|
|
|
webhookUrl: str
|
|
|
|
with open(secretPath) as file:
|
|
webhookUrl = file.read().strip()
|
|
|
|
user = os.environ["PAM_USER"]
|
|
rhost = os.environ["PAM_RHOST"]
|
|
|
|
data = {
|
|
"username": "SSH Login",
|
|
"content": user + " logged in from " + rhost
|
|
}
|
|
|
|
result = requests.post(webhookUrl, json=data)
|
|
'';
|
|
in {
|
|
sops.secrets = {
|
|
discordWebhook = {};
|
|
"hostKey/public".path = "${hostKeyPath}.pub";
|
|
"hostKey/private".path = hostKeyPath;
|
|
};
|
|
|
|
users.users.toast.openssh.authorizedKeys.keys = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEas0RvecJpUA1rG87fHunxDb4O0Q7bQG7X8h3hZnrsE Everest access key"
|
|
];
|
|
|
|
services.openssh = {
|
|
enable = true;
|
|
settings = {
|
|
UseDns = true;
|
|
PermitRootLogin = "no";
|
|
PasswordAuthentication = false;
|
|
AllowUsers = ["toast"];
|
|
};
|
|
# The forgejo module is fucky so I can't set this with the nixos option
|
|
# https://github.com/NixOS/nixpkgs/issues/306205
|
|
extraConfig = ''
|
|
AcceptEnv COLORTERM
|
|
'';
|
|
hostKeys = [
|
|
{
|
|
path = hostKeyPath;
|
|
type = "ed25519";
|
|
comment = "Everest host key";
|
|
}
|
|
];
|
|
startWhenNeeded = true;
|
|
};
|
|
|
|
security.pam.services.sshd.text = lib.mkDefault (lib.mkAfter ''
|
|
session optional pam_exec.so debug stdout ${notify}
|
|
'');
|
|
}
|