mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00
Code Activity

feat: allow SFTP to samba for scanners/other network devices

Browse source
This commit is contained in:
oddlama 2024-01-12 15:55:41 +01:00
parent 4241f53f66
commit b23d22ff18
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
2 changed files with 44 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

42
hosts/sire/guests/samba.nix
View file

@ -11,6 +11,37 @@ in {
mode = "600"; mode = "600";
}; };
services.openssh = {
# You really have to hate them. Thanks Brother ADS-4300N.
settings = {
Macs = ["hmac-sha2-512"];
HostkeyAlgorithms = "+ssh-rsa";
PubkeyAcceptedAlgorithms = "+ssh-rsa";
};
# We need an RSA key for network attached printers and scanners
# that fucking can't be bothered to support sensible stuff
hostKeys = [
{
bits = 4096;
path = "/etc/ssh/ssh_host_rsa_key";
type = "rsa";
}
];
# Allow SFTP for scanner in /shares/groups/scanner
extraConfig = ''
Match User scanner
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
'';
};
environment.persistence."/persist".files = [
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
fileSystems."/storage".neededForBoot = true; fileSystems."/storage".neededForBoot = true;
environment.persistence."/storage" = { environment.persistence."/storage" = {
hideMounts = true; hideMounts = true;
@ -133,9 +164,18 @@ in {
autoSubUidGidRange = false; autoSubUidGidRange = false;
}; };
in in
lib.mkMerge [
(
{} {}
// lib.mapAttrs (name: cfg: mkUser name cfg.id cfg.groups) smbUsers // lib.mapAttrs (name: cfg: mkUser name cfg.id cfg.groups) smbUsers
// lib.mapAttrs (name: cfg: mkUser name cfg.id []) smbGroups; // lib.mapAttrs (name: cfg: mkUser name cfg.id []) smbGroups
)
{
scanner.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJcWkqM2gXM9MJoKggCMpXLBJvgPP0fuoIO3UNy4h4uFzyDqMKAADjaJHCqyIQPq/s5vATVmuu4GQyajkc7Y3fBg/2rvAACzFx/2ufK2M4dkdDcYOX6kyNZL7XiJRmLfUR2cqda3P3bQxapkdfIOWfPQQJUAnYlVvUaIShoBxYw5HXRTr2jR5UAklfIRWZOmx07WKC6dZG5MIm1Luun5KgvqQmzQ9ErL5tz/Oi5pPdK30kdkS5WdeWD6KwL78Ff4KfC0DVTO0zb/C7WyKk4ZLu+UKCLHXDTzE4lhBAu6mSUfJ5nQhmdLdKg6Gvh1St/vRcsDJOZqEFBVn35/oK974l root@ADS_4300N_BRN000EC691D285"
];
}
];
users.groups = lib.mapAttrs (_: cfg: {gid = cfg.id;}) (smbUsers // smbGroups); users.groups = lib.mapAttrs (_: cfg: {gid = cfg.id;}) (smbUsers // smbGroups);
} }

1
modules/config/ssh.nix
View file

@ -5,6 +5,7 @@
# because we rely on ssh key generation for agenix # because we rely on ssh key generation for agenix
startWhenNeeded = lib.mkForce false; startWhenNeeded = lib.mkForce false;
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"]; authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
sftpServerExecutable = "internal-sftp";
settings = { settings = {
PasswordAuthentication = false; PasswordAuthentication = false;
KbdInteractiveAuthentication = false; KbdInteractiveAuthentication = false;