nixos-config/system/server/initssh.nix

118 lines
2.9 KiB
Nix
Raw Normal View History

2019-10-24 02:20:38 +02:00
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.configuration.init-ssh;
in {
options.configuration.init-ssh = {
enable = mkOption {
default = "disable";
type = with types; enum [ "disable" "prepare" "enabled" ];
};
kernelModules = mkOption {
type = with types; listOf str;
};
port = mkOption {
default = 23;
type = with types; int;
};
authorizedKeys = mkOption {
type = with types; listOf str;
};
hostDSSKey = mkOption {
default = null;
type = with types; nullOr path;
description = ''
you only need one host key
nix-shell -p dropbear --run "dropbearkey -t dss -f ./host_dss_key"
'';
};
hostECDSAKey = mkOption {
default = null;
type = with types; nullOr path;
description = ''
you only need one host key
nix-shell -p dropbear --run "dropbearkey -t ecdsa -f ./host_ecdsa_key"
'';
};
hostRSAKey = mkOption {
default = null;
type = with types; nullOr path;
description = ''
you only need one host key
nix-shell -p dropbear --run "dropbearkey -t rsa -f ./host_rsa_key"
'';
};
};
config = mkMerge [
(mkIf (cfg.enable != "disable") {
services.tor = {
enable = true;
client.enable = true;
hiddenServices.bootup.map = [
{ port = 23; }
];
};
})
(mkIf (cfg.enable == "enabled") {
# tor setup
boot.initrd.secrets = {
"/etc/tor/onion/bootup" = /var/lib/tor/onion/bootup;
"/etc/tor/tor.rc" = (pkgs.writeText "tor.rc" ''
DataDirectory /etc/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063
HiddenServiceDir /etc/tor/onion/bootup
HiddenServicePort ${toString cfg.port} 127.0.0.1:${toString cfg.port}
'');
};
boot.initrd.extraUtilsCommands = ''
copy_bin_and_libs ${pkgs.tor}/bin/tor
'';
boot.initrd.network.postCommands =
''
echo "tor: preparing onion folder"
# have to do this otherwise tor does not want to start
chmod -R 700 /etc/tor
echo "tor: starting tor"
tor -f /etc/tor/tor.rc --verify-config
tor -f /etc/tor/tor.rc &
'';
# ssh setup
# todo add the ssh host fingerprint to your trusted stuff
# todo set ssh host key here
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
authorizedKeys = cfg.authorizedKeys;
port = cfg.port;
};
boot.initrd.availableKernelModules = cfg.kernelModules;
boot.initrd.network.ssh.hostDSSKey = cfg.hostDSSKey;
boot.initrd.network.ssh.hostECDSAKey = cfg.hostECDSAKey;
boot.initrd.network.ssh.hostRSAKey = cfg.hostRSAKey;
})
];
}