2022-10-13 10:19:23 +02:00
|
|
|
{ pkgs, config, lib, ... }:
|
|
|
|
with lib;
|
|
|
|
with types;
|
|
|
|
let
|
|
|
|
defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ];
|
2023-05-28 21:24:20 +02:00
|
|
|
cfg = config.components.network.sshd;
|
2024-04-12 22:23:06 +02:00
|
|
|
|
2024-04-16 17:19:20 +02:00
|
|
|
# maybe ascii-image-converter is also nice here
|
2024-04-12 22:23:06 +02:00
|
|
|
sshBanner = pkgs.runCommand "ssh-banner"
|
|
|
|
{
|
|
|
|
nativeBuildInputs = [
|
|
|
|
(pkgs.boxes.overrideAttrs (old: rec {
|
|
|
|
version = "2.3.0";
|
|
|
|
src = pkgs.fetchFromGitHub {
|
|
|
|
owner = "ascii-boxes";
|
|
|
|
repo = "boxes";
|
|
|
|
rev = "v${version}";
|
|
|
|
sha256 = "sha256-/gc/5vDflmEwOtQbtLwRcchyr22rLQcWqs5GrwRxY70=";
|
|
|
|
};
|
|
|
|
nativeBuildInputs = old.nativeBuildInputs ++ [
|
|
|
|
pkgs.libunistring
|
|
|
|
pkgs.pcre2
|
|
|
|
pkgs.ncurses
|
|
|
|
];
|
|
|
|
installPhase = ''
|
|
|
|
install -Dm755 -t $out/bin out/boxes
|
|
|
|
install -Dm644 -t $out/share/boxes boxes-config
|
|
|
|
install -Dm644 -t $out/share/man/man1 doc/boxes.1
|
|
|
|
'';
|
|
|
|
}))
|
|
|
|
];
|
|
|
|
} ''
|
|
|
|
echo "${config.networking.hostName}" | boxes -d ansi -s 80x1 -a r > $out
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
2022-10-13 10:19:23 +02:00
|
|
|
in
|
|
|
|
{
|
|
|
|
|
|
|
|
imports = [
|
|
|
|
./known-hosts-bootup.nix
|
|
|
|
./known-hosts-public.nix
|
|
|
|
];
|
|
|
|
|
2023-02-17 00:41:22 +01:00
|
|
|
options.components.network.sshd = {
|
2022-10-13 10:19:23 +02:00
|
|
|
enable = mkOption {
|
|
|
|
type = bool;
|
|
|
|
default = true;
|
|
|
|
};
|
|
|
|
rootKeyFiles = mkOption {
|
|
|
|
type = with types; listOf path;
|
|
|
|
default = [ ];
|
|
|
|
description = "keys to root login";
|
|
|
|
};
|
2024-04-12 22:23:06 +02:00
|
|
|
sshguard.enable = mkOption {
|
|
|
|
type = bool;
|
|
|
|
default = config.components.network.sshd.enable;
|
|
|
|
};
|
2022-10-13 10:19:23 +02:00
|
|
|
onlyTincAccess = mkOption {
|
|
|
|
type = bool;
|
|
|
|
default = false;
|
|
|
|
description = ''
|
|
|
|
make sure ssh is only available trough the tinc
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = mkMerge [
|
|
|
|
|
|
|
|
(mkIf cfg.enable {
|
|
|
|
|
2024-04-12 22:23:06 +02:00
|
|
|
environment.systemPackages = [
|
|
|
|
pkgs.sshfs
|
|
|
|
pkgs.mosh
|
|
|
|
];
|
2023-05-28 21:24:20 +02:00
|
|
|
|
2022-10-13 10:19:23 +02:00
|
|
|
services.openssh = {
|
|
|
|
enable = true;
|
2023-06-29 10:08:09 +02:00
|
|
|
settings.X11Forwarding = false;
|
|
|
|
settings.PasswordAuthentication = false;
|
2022-10-13 10:19:23 +02:00
|
|
|
};
|
|
|
|
|
2023-06-01 11:44:02 +02:00
|
|
|
users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;
|
2022-10-13 10:19:23 +02:00
|
|
|
|
2024-05-29 20:16:04 +02:00
|
|
|
# todo enable again when I can it's possible to set the `-q` ssh option in clan
|
|
|
|
#services.openssh.banner = builtins.readFile sshBanner;
|
2022-10-13 10:19:23 +02:00
|
|
|
|
|
|
|
})
|
|
|
|
|
2024-04-12 22:23:06 +02:00
|
|
|
(mkIf cfg.sshguard.enable {
|
|
|
|
environment.systemPackages = [ pkgs.ipset ];
|
|
|
|
services.sshguard.enable = lib.mkDefault true;
|
2024-04-16 17:19:20 +02:00
|
|
|
})
|
2024-04-12 22:23:06 +02:00
|
|
|
|
2022-10-13 10:19:23 +02:00
|
|
|
(mkIf (cfg.onlyTincAccess && cfg.enable) {
|
|
|
|
networking.firewall.extraCommands = ''
|
|
|
|
iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
|
|
|
|
'';
|
|
|
|
})
|
|
|
|
];
|
|
|
|
|
|
|
|
}
|