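# NixOS module: make the initrd (e.g. to unlock an encrypted root) reachable
# over SSH, published as a Tor onion service so no public IP/port-forward is
# needed.
#
# Enablement happens in two phases (see the `enable` option):
#   "prepare" - only the running system's Tor onion service is configured, so
#               the onion key in /var/lib/tor/onion/bootup gets generated;
#   "enabled" - additionally that key and a tor config are added to the initrd
#               and tor + dropbear are started during early boot.
# `boot.initrd.secrets` reads /var/lib/tor/onion/bootup when the bootloader is
# installed, so the system must have booted once in "prepare" mode before
# "enabled" can be built.
#
# Security caveat: everything listed in boot.initrd.secrets (the onion private
# key and the dropbear host key) is appended to the initrd, which lives on the
# unencrypted boot partition. Whoever can read /boot can impersonate both the
# onion address and the SSH host identity, so protect /boot accordingly and
# treat the initrd host key as a separate identity from the main system's.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.configuration.init-ssh;
  # The same port number is used by dropbear, by the onion service of the
  # running system and by the onion service inside the initrd.
  portStr = toString cfg.port;
in {
  options.configuration.init-ssh = {
    enable = mkOption {
      default = "disable";
      type = with types; enum [ "disable" "prepare" "enabled" ];
      description = ''
        "disable": nothing is configured.
        "prepare": only the Tor onion service on the running system is set up,
        so that the onion key in /var/lib/tor/onion/bootup gets created.
        "enabled": the onion key and a tor config are copied into the initrd
        and tor + dropbear are started there.
      '';
    };

    kernelModules = mkOption {
      # Empty default: `availableKernelModules` is a list option, so appending
      # nothing is harmless and lets "prepare" work without this being set.
      default = [ ];
      type = with types; listOf str;
      description = ''
        Extra kernel modules (typically the NIC driver) made available in the
        initrd so that networking works before the root filesystem is mounted.
      '';
    };

    port = mkOption {
      default = 23;
      type = with types; int;
      description = ''
        Port dropbear listens on inside the initrd; the onion service maps the
        same port number onto it.
      '';
    };

    authorizedKeys = mkOption {
      # Deliberately no default: an initrd shell can unlock the disk, so access
      # has to be granted explicitly.
      type = with types; listOf str;
      description = ''
        Public keys allowed to log in to the initrd SSH server.
      '';
    };

    # Only one of the three host keys is needed. DSS is obsolete (fixed-size
    # 1024-bit keys); prefer ECDSA or RSA when generating a new one.
    # NOTE(review): newer nixpkgs replaced the per-algorithm options with
    # `boot.initrd.network.ssh.hostKeys`; confirm which one your channel has.
    hostDSSKey = mkOption {
      default = null;
      type = with types; nullOr path;
      description = ''
        you only need one host key
        nix-shell -p dropbear --run "dropbearkey -t dss -f ./host_dss_key"
      '';
    };

    hostECDSAKey = mkOption {
      default = null;
      type = with types; nullOr path;
      description = ''
        you only need one host key
        nix-shell -p dropbear --run "dropbearkey -t ecdsa -f ./host_ecdsa_key"
      '';
    };

    hostRSAKey = mkOption {
      default = null;
      type = with types; nullOr path;
      description = ''
        you only need one host key
        nix-shell -p dropbear --run "dropbearkey -t rsa -f ./host_rsa_key"
      '';
    };
  };

  config = mkMerge [
    # Phase 1 ("prepare" and "enabled"): Tor on the running system. Its job
    # here is to create and persist the onion key in /var/lib/tor/onion/bootup,
    # which the initrd reuses below.
    (mkIf (cfg.enable != "disable") {
      services.tor = {
        enable = true;
        client.enable = true;
        hiddenServices.bootup.map = [
          # Was hard-coded to 23; keep it in step with `HiddenServicePort` in
          # the initrd tor.rc so a custom `port` behaves the same in both.
          { port = cfg.port; }
        ];
      };
    })

    # Phase 2 ("enabled" only): tor + dropbear inside the initrd.
    (mkIf (cfg.enable == "enabled") {
      # tor setup
      #
      # Both entries end up in the initrd on the unencrypted boot partition
      # (see the header comment). The onion directory holds the private key.
      # NOTE(review): a path literal is used for the source; confirm that the
      # secrets appender does not coerce it into the world-readable Nix store
      # (a plain "/var/lib/tor/onion/bootup" string would avoid that risk).
      boot.initrd.secrets = {
        "/etc/tor/onion/bootup" = /var/lib/tor/onion/bootup;
        "/etc/tor/tor.rc" = pkgs.writeText "tor.rc" ''
          DataDirectory /etc/tor
          SOCKSPort 127.0.0.1:9050 IsolateDestAddr
          SOCKSPort 127.0.0.1:9063
          HiddenServiceDir /etc/tor/onion/bootup
          HiddenServicePort ${portStr} 127.0.0.1:${portStr}
        '';
      };

      boot.initrd.extraUtilsCommands = ''
        copy_bin_and_libs ${pkgs.tor}/bin/tor
      '';

      boot.initrd.network.postCommands = ''
        echo "tor: preparing onion folder"
        # tor refuses to start when DataDirectory / HiddenServiceDir are
        # readable by group or others.
        chmod -R 700 /etc/tor

        # Only launch tor when its config verifies; a failed verification used
        # to be ignored and tor was started regardless.
        if tor -f /etc/tor/tor.rc --verify-config; then
          echo "tor: starting tor"
          tor -f /etc/tor/tor.rc &
        else
          echo "tor: config verification failed, not starting tor"
        fi
      '';

      # ssh setup
      #
      # The initrd dropbear uses the host key given below, which is a different
      # identity from the main system's sshd key; record its fingerprint in
      # your client's known_hosts for the onion address so a substituted initrd
      # is noticed.
      boot.initrd.network.enable = true;
      boot.initrd.network.ssh = {
        enable = true;
        authorizedKeys = cfg.authorizedKeys;
        port = cfg.port;
        hostDSSKey = cfg.hostDSSKey;
        hostECDSAKey = cfg.hostECDSAKey;
        hostRSAKey = cfg.hostRSAKey;
      };
      boot.initrd.availableKernelModules = cfg.kernelModules;
    })
  ];
}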