From d51a8177d6f83f06014ffe8d0dfabeb143c4c7e6 Mon Sep 17 00:00:00 2001
From: chn
Date: Thu, 14 Sep 2023 18:34:27 +0800
Subject: [PATCH] sshd: allow password authentication

---
 flake.nix | 2 +-
 modules/services/default.nix | 20 +-------------
 modules/services/{ca.pub => ssh-ca.pub} | 0
 modules/services/sshd.nix | 35 +++++++++++++++++++++++++
 4 files changed, 37 insertions(+), 20 deletions(-)
 rename modules/services/{ca.pub => ssh-ca.pub} (100%)
 create mode 100644 modules/services/sshd.nix

diff --git a/flake.nix b/flake.nix
index d5bb49dd..9539c35e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -455,7 +455,7 @@
 root.path = "/";
 };
 };
- sshd.enable = true;
+ sshd = { enable = true; passwordAuthentication = true; };
 xrayClient =
 {
 enable = true;
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 917ffe62..3c16e3ba 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -16,6 +16,7 @@ inputs:
 ./groupshare.nix
 ./acme.nix
 ./samba.nix
+ ./sshd.nix
 # ./docker.nix
 ];
 options.nixos.services = let inherit (inputs.lib) mkOption types; in
@@ -27,7 +28,6 @@ inputs:
 };
 kmscon.enable = mkOption { type = types.bool; default = false; };
 fontconfig.enable = mkOption { type = types.bool; default = false; };
- sshd.enable = mkOption { type = types.bool; default = false; };
 firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
 frpClient =
 {
@@ -131,24 +131,6 @@ inputs:
 };
 }
 )
- (
- mkIf services.sshd.enable
- {
- services.openssh =
- {
- enable = true;
- settings =
- {
- X11Forwarding = true;
- TrustedUserCAKeys = builtins.toString ./ca.pub;
- ChallengeResponseAuthentication = false;
- PasswordAuthentication = false;
- KbdInteractiveAuthentication = false;
- UsePAM = true;
- };
- };
- }
- )
 { networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; }
 (
 mkIf (services.frpClient.enable)
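Review bot: `sshd = { enable = true; passwordAuthentication = true; };` turns on password logins for this host, but nothing in the hunk records why CA/key authentication is not enough here, and the accounts that stay key-only are decided in a different file. A one-line comment at the assignment would help the next reader, e.g. `# password logins needed for <reason>; root and chn stay key-only via modules/services/sshd.nix`. If the need is limited to one account or one source network, it is worth scoping the exception inside sshd.nix rather than flipping the host-wide default.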
diff --git a/modules/services/ca.pub b/modules/services/ssh-ca.pub
similarity index 100%
rename from modules/services/ca.pub
rename to modules/services/ssh-ca.pub
diff --git a/modules/services/sshd.nix b/modules/services/sshd.nix
new file mode 100644
index 00000000..08dc8278
--- /dev/null
+++ b/modules/services/sshd.nix
@@ -0,0 +1,35 @@
+inputs:
+{
+ options.nixos.services.sshd = let inherit (inputs.lib) mkOption types; in
+ {
+ enable = mkOption { type = types.bool; default = false; };
+ passwordAuthentication = mkOption { type = types.bool; default = false; };
+ };
+ config =
+ let
+ inherit (inputs.lib) mkIf;
+ inherit (inputs.config.nixos.services) sshd;
+ in mkIf sshd.enable
+ {
+ services.openssh =
+ {
+ enable = true;
+ settings =
+ {
+ X11Forwarding = true;
+ TrustedUserCAKeys = "${./ssh-ca.pub}";
+ ChallengeResponseAuthentication = false;
+ PasswordAuthentication = sshd.passwordAuthentication;
+ KbdInteractiveAuthentication = false;
+ UsePAM = true;
+ };
+ extraConfig =
+ ''
+ Match User root
+ PasswordAuthentication no
+ Match User chn
+ PasswordAuthentication no
+ '';
+ };
+ };
+}
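Review bot: The per-user denies in `extraConfig` hardcode the account name `chn`, so the module cannot be reused on a host where a different set of accounts must stay key-only, and the exemption list is invisible to whoever sets `passwordAuthentication` in flake.nix. Lifting the list into an option (below) keeps the current behaviour through its default while making the exemption explicit and overridable at the call site. Emitting the stanzas via `extraConfig` is the right place, since `Match` blocks must follow the global settings and, as far as I recall, NixOS appends extraConfig after the generated `settings`; a short comment saying so would stop someone moving them into `settings` later. `PermitRootLogin` is not set here; if it stays at the NixOS module default that also blocks root password logins, but pinning it explicitly beside the `Match User root` block would make the intent self-evident.
```nix
    passwordAuthenticationExcludedUsers = mkOption
      { type = types.listOf types.nonEmptyStr; default = [ "root" "chn" ]; };
  # … unchanged: config let-bindings, mkIf, services.openssh.settings …
        # Match stanzas must come after the global settings; extraConfig is appended last.
        extraConfig = inputs.lib.concatMapStringsSep "\n"
          (user: "Match User ${user}\n  PasswordAuthentication no")
          sshd.passwordAuthenticationExcludedUsers;
```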