nixos-config/components/network/sshd/default.nix

{
  pkgs,
  config,
  lib,
  assets,
  ...
}:
with lib;
with types;
let
  cfg = config.components.network.sshd;

  # maybe ascii-image-converter is also nice here
  sshBanner = pkgs.runCommand "ssh-banner" { nativeBuildInputs = [ pkgs.boxes ]; } ''
    echo "${config.networking.hostName}" | boxes -d ansi -s 80x1 -a r > $out
  '';

in
{

  imports = [
    ./known-hosts-public.nix
    ./known-hosts-manual.nix
    ./known-hosts-zerotier.nix
  ];

  options.components.network.sshd = {
    enable = mkOption {
      type = bool;
      default = true;
    };
    onlyTincAccess = mkOption {
      type = bool;
      default = false;
      description = ''
        make sure ssh is only available trough the tinc
      '';
    };
  };

  config = mkMerge [

    (mkIf cfg.enable {

      environment.systemPackages = [
        pkgs.sshfs
        pkgs.mosh
      ];

      services.openssh = {
        enable = true;
        settings.X11Forwarding = false;
        settings.PasswordAuthentication = false;

        # We might want to remove this once, openssh is fixed everywhere:
        # Workaround for CVE-2024-6387 and CVE-2024-6409
        # https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128
        # settings.LoginGraceTime = 0;
      };

      # todo enable again when I can it's possible to set the `-q` ssh option in clan
      #services.openssh.banner = builtins.readFile sshBanner;

    })

    (mkIf (cfg.onlyTincAccess && cfg.enable) {
      # fixme: this is not working
      networking.firewall.extraCommands = ''
        iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
      '';
    })
  ];

}
nix fmt 2024-08-29 03:26:04 +02:00			`{`
			`pkgs,`
			`config,`
			`lib,`
			`assets,`
			`...`
			`}:`
migrate sshd to component.sshd 2022-10-13 10:19:23 +02:00			`with lib;`
			`with types;`
			`let`
adjustments 2023-05-28 21:24:20 +02:00			`cfg = config.components.network.sshd;`
refactor ssh daemon 2024-04-12 22:23:06 +02:00
add logseq properly 2024-04-16 17:19:20 +02:00			`# maybe ascii-image-converter is also nice here`
nix fmt 2024-08-29 03:26:04 +02:00			`sshBanner = pkgs.runCommand "ssh-banner" { nativeBuildInputs = [ pkgs.boxes ]; } ''`
refactor ssh daemon 2024-04-12 22:23:06 +02:00			`echo "${config.networking.hostName}" \| boxes -d ansi -s 80x1 -a r > $out`
			`'';`

migrate sshd to component.sshd 2022-10-13 10:19:23 +02:00			`in`
			`{`

			`imports = [`
			`./known-hosts-public.nix`
fix known hosts foo. 2024-06-10 17:24:21 +02:00			`./known-hosts-manual.nix`
			`./known-hosts-zerotier.nix`
migrate sshd to component.sshd 2022-10-13 10:19:23 +02:00			`];`

first cleanup of desktop stuff 2023-02-17 00:41:22 +01:00			`options.components.network.sshd = {`
migrate sshd to component.sshd 2022-10-13 10:19:23 +02:00			`enable = mkOption {`
			`type = bool;`
			`default = true;`
			`};`
			`onlyTincAccess = mkOption {`
			`type = bool;`
			`default = false;`
			`description = ''`
			`make sure ssh is only available trough the tinc`
			`'';`
			`};`
			`};`

			`config = mkMerge [`

			`(mkIf cfg.enable {`

refactor ssh daemon 2024-04-12 22:23:06 +02:00			`environment.systemPackages = [`
			`pkgs.sshfs`
			`pkgs.mosh`
			`];`
adjustments 2023-05-28 21:24:20 +02:00
migrate sshd to component.sshd 2022-10-13 10:19:23 +02:00			`services.openssh = {`
			`enable = true;`
cream: 22.11 -> 23.05 2023-06-29 10:08:09 +02:00			`settings.X11Forwarding = false;`
			`settings.PasswordAuthentication = false;`
fix for CVE-2024-6409 2024-07-09 09:48:03 +02:00
			`# We might want to remove this once, openssh is fixed everywhere:`
			`# Workaround for CVE-2024-6387 and CVE-2024-6409`
			`# https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128`
working on using new created cache 2024-07-20 13:56:03 +02:00			`# settings.LoginGraceTime = 0;`
migrate sshd to component.sshd 2022-10-13 10:19:23 +02:00			`};`

use zerotier with clan 2024-05-29 20:16:04 +02:00			# todo enable again when I can it's possible to set the `-q` ssh option in clan
			`#services.openssh.banner = builtins.readFile sshBanner;`
migrate sshd to component.sshd 2022-10-13 10:19:23 +02:00
			`})`

			`(mkIf (cfg.onlyTincAccess && cfg.enable) {`
:lock: use exclusive ssh key for chungus 2024-10-19 08:32:03 +02:00			`# fixme: this is not working`
migrate sshd to component.sshd 2022-10-13 10:19:23 +02:00			`networking.firewall.extraCommands = ''`
			`iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0`
			`'';`
			`})`
			`];`

			`}`