From 7cd2ff2679b688e8fa0c98bc9ecf1d99602c0421 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Fri, 30 Jun 2017 23:49:05 +0200
Subject: ma 2fa: init and enable for gum

---
 makefu/1systems/gum.nix       |  3 +++
 makefu/2configs/sshd-totp.nix | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 makefu/2configs/sshd-totp.nix

(limited to 'makefu')

diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix
index 519313f5..6e57d140 100644
--- a/makefu/1systems/gum.nix
+++ b/makefu/1systems/gum.nix
@@ -26,6 +26,9 @@ in {
       ../2configs/tinc/retiolum.nix
       ../2configs/urlwatch.nix
 
+      # Security
+      ../2configs/sshd-totp.nix
+
       # Tools
       ../2configs/tools/core.nix
       ../2configs/tools/dev.nix
diff --git a/makefu/2configs/sshd-totp.nix b/makefu/2configs/sshd-totp.nix
new file mode 100644
index 00000000..f9984e24
--- /dev/null
+++ b/makefu/2configs/sshd-totp.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+# Enables second factor for ssh password login
+
+## Usage:
+#  gen-oath-safe <username> totp
+## scan the qrcode with google authenticator (or FreeOTP)
+## copy last line into secrets/<host>/users.oath (chmod 700)
+{
+  security.pam.oath = {
+    # enabling it will make it a requisite of `all` services
+    # enable = true;
+    digits = 6;
+    # TODO assert existing
+    usersFile = (toString <secrets>) + "/users.oath";
+  };
+  # I want TFA only active for sshd with password-auth
+  security.pam.services.sshd.oathAuth = true;
+}
-- 
cgit v1.2.3