From 7840003065e95dca1b109143918666e4421a782c Mon Sep 17 00:00:00 2001
From: Spencer Heywood
Date: Sun, 13 Oct 2024 18:37:35 -0600
Subject: [PATCH] support duo mfa on nixos servers

---
 home/base.nix                      | 13 +++++++++++++
 nixos/roles/remote-access/sshd.nix | 13 +++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/home/base.nix b/home/base.nix
index c1939fd..e77f8b6 100644
--- a/home/base.nix
+++ b/home/base.nix
@@ -118,6 +118,18 @@ let
       ssh heywoodlh@$host "sudo cp /root/tarsnap.key /home/heywoodlh/tarsnap.key; sudo chown -R heywoodlh /home/heywoodlh/tarsnap.key" && scp heywoodlh@$host:/home/heywoodlh/tarsnap.key $host && ssh heywoodlh@$host "rm /home/heywoodlh/tarsnap.key" && op-wrapper.sh item edit fp5jsqodjv3gzlwtlgojays7qe "$host[file]=$host" && rm $host
     done
   '';
+  duo-key-setup = pkgs.writeShellScriptBin "duo-key-setup.sh" ''
+    hosts=("nix-drive" "nix-nvidia" "nixos-gaming" "nixos-mac-mini")
+    op item get 6sgj3s3755opehqifusmxxoehy --fields=unix-secret-key > /tmp/duo.key
+    chmod 600 /tmp/duo.key
+    for host in "''${hosts[@]}"
+    do
+      scp /tmp/duo.key heywoodlh@$host:/tmp/duo.key
+      scp /tmp/duo-integration.key heywoodlh@$host:/tmp/duo-integration.key
+      ssh heywoodlh@$host "sudo mv /tmp/duo.key /root/duo.key; sudo chown -R root:root /root/duo.key; sudo chmod 600 /root/duo.key"
+    done
+    rm /tmp/duo.key
+  '';
 in {
   home.stateVersion = "24.05";
   home.enableNixpkgsReleaseCheck = false;
@@ -187,6 +199,7 @@ in {
     otp
     op-backup
     incognito
+    duo-key-setup
   ];
 
   # Enable password-store
diff --git a/nixos/roles/remote-access/sshd.nix b/nixos/roles/remote-access/sshd.nix
index ef72eb8..da82e64 100644
--- a/nixos/roles/remote-access/sshd.nix
+++ b/nixos/roles/remote-access/sshd.nix
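Review bot: The Duo secret key is redirected into the fixed path `/tmp/duo.key` before `chmod 600` runs, so it is briefly created with the default umask in a shared directory, and because the script has no `set -e` a failed `scp` or `ssh` exits the loop with the key still sitting in `/tmp` locally (and in `/tmp` on each host, where a file or symlink pre-planted by another local user would receive the copy). The second `scp` ships `/tmp/duo-integration.key`, which nothing in this hunk creates, and the remote command never moves or deletes it, so whatever is there lingers in `/tmp` on every host; the integration key is configured in Nix anyway, so that line can probably go. Writing the key to a `mktemp` file under `umask 077`, removing it with an EXIT trap, and streaming it over ssh into `install -m 600` avoids touching `/tmp` on the servers at all (this assumes passwordless sudo on the hosts, which the existing non-interactive `sudo mv` already requires). `duo-key-setup` is a self-contained `writeShellScriptBin` binding, so the whole unit is inside the hunk.
```nix
  duo-key-setup = pkgs.writeShellScriptBin "duo-key-setup.sh" ''
    set -euo pipefail
    umask 077
    hosts=("nix-drive" "nix-nvidia" "nixos-gaming" "nixos-mac-mini")
    key="$(mktemp)"
    trap 'rm -f "$key"' EXIT
    op item get 6sgj3s3755opehqifusmxxoehy --fields=unix-secret-key > "$key"
    for host in "''${hosts[@]}"
    do
      # stream the key over the ssh session; nothing is written to /tmp on the host
      ssh heywoodlh@$host "sudo install -m 600 -o root -g root /dev/stdin /root/duo.key" < "$key"
    done
  '';
```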
@@ -13,11 +13,24 @@ in {
   ];
   };
 
+  # Duo for MFA
+  security.duosec = {
+    pam.enable = true;
+    ssh.enable = true;
+    host = "api-cb5d3f60.duosecurity.com";
+    autopush = true;
+    secretKeyFile = "/root/duo.key";
+    integrationKey = "DI677924DNVV70FMD1DA";
+  };
+
   services.openssh = {
     enable = true;
     sftpServerExecutable = "internal-sftp";
     settings.PermitRootLogin = "prohibit-password";
     settings.PasswordAuthentication = false;
+    extraConfig = pkgs.lib.optionalString config.security.duosec.ssh.enable ''
+      ForceCommand /usr/bin/env login_duo
+    '';
   };
 
   environment.systemPackages = with pkgs; [
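Review bot: The added `ForceCommand /usr/bin/env login_duo` most likely collides with the `ForceCommand` that, if I read the NixOS `security.duosec` module correctly, it already appends to `services.openssh.extraConfig` when `ssh.enable = true`, pointing at the setuid `login_duo` wrapper so it can read the root-owned `login_duo.conf`; sshd keeps the first `ForceCommand` it parses, so depending on concatenation order this line is either dead or replaces the wrapper with a PATH-resolved, non-setuid `login_duo` that cannot read its config. I would drop the three `extraConfig` lines and verify on a built host with `sshd -T | grep -i forcecommand`. Separately, the module's `failmode` defaults to `safe` (fail-open when Duo is unreachable), which quietly turns this back into single-factor during an outage; if strict MFA is the intent, add `failmode = "secure";` to the `security.duosec` block and accept the lockout risk. The `integrationKey` and `host` values are not secrets per Duo's own guidance, but `/root/duo.key` must already be present when this configuration activates on a host, so the ordering against the `duo-key-setup` run matters; the enclosing module attrset continues past both ends of the hunk.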