sshd: allow password authentication

2024-10-23 06:18:52 +08:00 · 2023-09-14 18:34:27 +08:00 · 2023-09-14 18:34:27 +08:00 · d51a8177d6
commit d51a8177d6
parent 0eb722dab1
4 changed files with 37 additions and 20 deletions
--- a/flake.nix
+++ b/flake.nix
@ -455,7 +455,7 @@
                    root.path = "/";
                  };
                };
-                sshd.enable = true;
+                sshd = { enable = true; passwordAuthentication = true; };
                xrayClient =
                {
                  enable = true;
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -16,6 +16,7 @@ inputs:
    ./groupshare.nix
    ./acme.nix
    ./samba.nix
+    ./sshd.nix
    # ./docker.nix
  ];
  options.nixos.services = let inherit (inputs.lib) mkOption types; in
@ -27,7 +28,6 @@ inputs:
    };
    kmscon.enable = mkOption { type = types.bool; default = false; };
    fontconfig.enable = mkOption { type = types.bool; default = false; };
-    sshd.enable = mkOption { type = types.bool; default = false; };
    firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
    frpClient =
    {
@ -131,24 +131,6 @@ inputs:
          };
        }
      )
-      (
-        mkIf services.sshd.enable
-        {
-          services.openssh =
-          {
-            enable = true;
-            settings =
-            {
-              X11Forwarding = true;
-              TrustedUserCAKeys = builtins.toString ./ca.pub;
-              ChallengeResponseAuthentication = false;
-              PasswordAuthentication = false;
-              KbdInteractiveAuthentication = false;
-              UsePAM = true;
-            };
-          };
-        }
-      )
      { networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; }
      (
        mkIf (services.frpClient.enable)
--- a/modules/services/ssh-ca.pub
+++ b/modules/services/ssh-ca.pub
--- a/modules/services/sshd.nix
+++ b/modules/services/sshd.nix
@ -0,0 +1,35 @@
+inputs:
+{
+  options.nixos.services.sshd = let inherit (inputs.lib) mkOption types; in
+  {
+    enable = mkOption { type = types.bool; default = false; };
+    passwordAuthentication = mkOption { type = types.bool; default = false; };
+  };
+  config =
+    let
+      inherit (inputs.lib) mkIf;
+      inherit (inputs.config.nixos.services) sshd;
+    in mkIf sshd.enable
+    {
+      services.openssh =
+      {
+        enable = true;
+        settings =
+        {
+          X11Forwarding = true;
+          TrustedUserCAKeys = "${./ssh-ca.pub}";
+          ChallengeResponseAuthentication = false;
+          PasswordAuthentication = sshd.passwordAuthentication;
+          KbdInteractiveAuthentication = false;
+          UsePAM = true;
+        };
+        extraConfig =
+        ''
+          Match User root
+            PasswordAuthentication no
+          Match User chn
+            PasswordAuthentication no
+        '';
+      };
+    };
+}