From 1c4a5e175ae59eb14e986e8db26bc731959fa917 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 16 Jul 2017 21:34:47 +0200
Subject: l mors: reactivate /bku

---
 lass/1systems/mors/config.nix | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'lass/1systems/mors')

diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 45b3f740f..b93ead6db 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -110,11 +110,11 @@ with import <stockholm/lib>;
     "/boot" = {
       device = "/dev/sda2";
     };
-    #"/bku" = {
-    #  device = "/dev/mapper/pool-bku";
-    #  fsType = "btrfs";
-    #  options = ["defaults" "noatime" "ssd" "compress=lzo"];
-    #};
+    "/bku" = {
+      device = "/dev/mapper/pool-bku";
+      fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
+    };
     "/home" = {
       device = "/dev/mapper/pool-home";
       fsType = "btrfs";
-- 
cgit v1.3.1


From 5f743cbd32572a25e0df73b823cd866f1d80f01a Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Mon, 17 Jul 2017 15:11:54 +0200
Subject: lass: init otp-ssh

---
 lass/1systems/mors/config.nix |  1 +
 lass/2configs/otp-ssh.nix     | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)
 create mode 100644 lass/2configs/otp-ssh.nix

(limited to 'lass/1systems/mors')

diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index b93ead6db..29dacf8dc 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -24,6 +24,7 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/ircd.nix>
     <stockholm/lass/2configs/logf.nix>
     <stockholm/lass/2configs/syncthing.nix>
+    <stockholm/lass/2configs/otp-ssh.nix>
     {
       #risk of rain port
       krebs.iptables.tables.filter.INPUT.rules = [
diff --git a/lass/2configs/otp-ssh.nix b/lass/2configs/otp-ssh.nix
new file mode 100644
index 000000000..f9984e245
--- /dev/null
+++ b/lass/2configs/otp-ssh.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+# Enables second factor for ssh password login
+
+## Usage:
+#  gen-oath-safe <username> totp
+## scan the qrcode with google authenticator (or FreeOTP)
+## copy last line into secrets/<host>/users.oath (chmod 700)
+{
+  security.pam.oath = {
+    # enabling it will make it a requisite of `all` services
+    # enable = true;
+    digits = 6;
+    # TODO assert existing
+    usersFile = (toString <secrets>) + "/users.oath";
+  };
+  # I want TFA only active for sshd with password-auth
+  security.pam.services.sshd.oathAuth = true;
+}
-- 
cgit v1.3.1