
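# NixOS module: when no "wheel" user has SSH authorized keys, push
# `x-banananetwork.sshPublicKeys` into root's authorized keys and loosen
# `PermitRootLogin` to "prohibit-password"; otherwise default it to "no".
{ config, lib, ... }:
let
  myOpts = config.x-banananetwork;
  cfg = config.x-banananetwork.improvedDefaults;
in
{
  options = {
    x-banananetwork.improvedDefaults = {
      autoSshAuthorizeRoot =
        lib.mkEnableOption ''
          automatically add option{x-banananetwork.sshPublicKeys} to roots authorized keys
          and enable option{services.openssh.settings.PermitRootLogin}
          if no other user has "wheel" power & SSH authorized keys defined.
          Also, option{services.openssh.settings.PermitRootLogin} will be disabled
          if this module does not require it.
        ''
        // {
          default = true;
        };
    };
  };

  # Nothing below is defined unless the whole feature is on AND sshd is
  # enabled; with sshd off there is nothing to authorize against.
  # NOTE(review): `cfg.enable` is not declared in this file -- presumably a
  # sibling module declares `x-banananetwork.improvedDefaults.enable`; verify.
  config =
    lib.mkIf
      (lib.lists.all (x: x) [
        cfg.enable
        cfg.autoSshAuthorizeRoot
        config.services.openssh.enable
      ])
      (
        let
          inherit (lib.attrsets) attrValues filterAttrs;
          inherit (lib.lists) any;

          # variables
          users = config.users.users;
          # every normal (non-system) user except root; `&&` short-circuits, so
          # `isNormalUser` is only read for non-root entries, as before
          nonRootUsers = filterAttrs (n: v: n != "root" && v.isNormalUser) users;
          # the subset of those that can escalate through the "wheel" group
          wheelUsers = filterAttrs (_: v: builtins.elem "wheel" v.extraGroups) nonRootUsers;
          # true when at least one key or key file is configured for the account
          areKeysSet = authKeysOpts: (authKeysOpts.keys ++ authKeysOpts.keyFiles) != [ ];
          isUserAuthed = userOpts: areKeysSet userOpts.openssh.authorizedKeys;

          # used facts
          # only wheel users count: a key-holding user without wheel does not
          # suppress root authorization (see the option description)
          isNonRootAuthed = any isUserAuthed (attrValues wheelUsers);
          # reads the merged config, so this also sees the keys this module adds below
          isRootAuthed = isUserAuthed users."root";
          doRootAuth = !isNonRootAuthed;
          # `nonRootUsers` is an attribute set, so it must be compared with `{ }`.
          # Comparing with `[ ]` is always true in Nix and made the warning below
          # fire on root-only systems as well.
          otherUserExists = nonRootUsers != { };
          # explicit installer check required because installer set ups user "nixos" for installation
          isInstaller = config.system.nixos.variant_id == "installer";
        in
        {
          # TODO mkOverride until https://github.com/NixOS/nixpkgs/pull/339786
          # Priority 99 wins over ordinary definitions (priority 100), so a plain
          # `PermitRootLogin = "no"` set elsewhere loses while root has keys; only
          # `lib.mkForce` (50) takes precedence over this. When root has no keys
          # the value is merely a default and can be overridden freely.
          services.openssh.settings.PermitRootLogin =
            if isRootAuthed then lib.mkOverride 99 "prohibit-password" else lib.mkDefault "no";
          # mkDefault on a list option: if root keys are defined anywhere else at
          # normal priority, this definition is dropped (not appended), so an
          # explicit key list for root always replaces the automatic one.
          users.users.root.openssh.authorizedKeys.keys = lib.mkIf doRootAuth (
            lib.mkDefault myOpts.sshPublicKeys
          );
          # warn only if other users exist -> multi-user machine
          # compared to "root"-only systems (e.g. installer, embedded systems)
          warnings = lib.mkIf (doRootAuth && otherUserExists && !isInstaller) [
            ''
              roots authorized keys were automatically configured
              because no other user with wheel permission has authorized keys configured
            ''
          ];
        }
      );
}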