nixos-config/nixos/components/network/sshd/default.nix

103 lines
2.6 KiB
Nix
Raw Normal View History

2022-10-13 10:19:23 +02:00
{ pkgs, config, lib, ... }:
with lib;
with types;
let
defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ];
2023-05-28 21:24:20 +02:00
cfg = config.components.network.sshd;
2024-04-12 22:23:06 +02:00
2024-04-16 17:19:20 +02:00
# maybe ascii-image-converter is also nice here
2024-04-12 22:23:06 +02:00
sshBanner = pkgs.runCommand "ssh-banner"
{
nativeBuildInputs = [
(pkgs.boxes.overrideAttrs (old: rec {
version = "2.3.0";
src = pkgs.fetchFromGitHub {
owner = "ascii-boxes";
repo = "boxes";
rev = "v${version}";
sha256 = "sha256-/gc/5vDflmEwOtQbtLwRcchyr22rLQcWqs5GrwRxY70=";
};
nativeBuildInputs = old.nativeBuildInputs ++ [
pkgs.libunistring
pkgs.pcre2
pkgs.ncurses
];
installPhase = ''
install -Dm755 -t $out/bin out/boxes
install -Dm644 -t $out/share/boxes boxes-config
install -Dm644 -t $out/share/man/man1 doc/boxes.1
'';
}))
];
} ''
echo "${config.networking.hostName}" | boxes -d ansi -s 80x1 -a r > $out
'';
2022-10-13 10:19:23 +02:00
in
{
imports = [
./known-hosts-bootup.nix
./known-hosts-public.nix
];
2023-02-17 00:41:22 +01:00
options.components.network.sshd = {
2022-10-13 10:19:23 +02:00
enable = mkOption {
type = bool;
default = true;
};
rootKeyFiles = mkOption {
type = with types; listOf path;
default = [ ];
description = "keys to root login";
};
2024-04-12 22:23:06 +02:00
sshguard.enable = mkOption {
type = bool;
default = config.components.network.sshd.enable;
};
2022-10-13 10:19:23 +02:00
onlyTincAccess = mkOption {
type = bool;
default = false;
description = ''
make sure ssh is only available trough the tinc
'';
};
};
config = mkMerge [
(mkIf cfg.enable {
2024-04-12 22:23:06 +02:00
environment.systemPackages = [
pkgs.sshfs
pkgs.mosh
];
2023-05-28 21:24:20 +02:00
2022-10-13 10:19:23 +02:00
services.openssh = {
enable = true;
2023-06-29 10:08:09 +02:00
settings.X11Forwarding = false;
settings.PasswordAuthentication = false;
2022-10-13 10:19:23 +02:00
};
2023-06-01 11:44:02 +02:00
users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;
2022-10-13 10:19:23 +02:00
2024-05-29 20:16:04 +02:00
# todo enable again when I can it's possible to set the `-q` ssh option in clan
#services.openssh.banner = builtins.readFile sshBanner;
2022-10-13 10:19:23 +02:00
})
2024-04-12 22:23:06 +02:00
(mkIf cfg.sshguard.enable {
environment.systemPackages = [ pkgs.ipset ];
services.sshguard.enable = lib.mkDefault true;
2024-04-16 17:19:20 +02:00
})
2024-04-12 22:23:06 +02:00
2022-10-13 10:19:23 +02:00
(mkIf (cfg.onlyTincAccess && cfg.enable) {
networking.firewall.extraCommands = ''
iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
'';
})
];
}