refactor ssh daemon

2024-04-12 22:23:06 +02:00 · 2024-04-12 22:23:06 +02:00 · 2f5d2faaad
commit 2f5d2faaad
parent 6645f02a72
4 changed files with 72 additions and 21 deletions
--- a/nixos/components/network/sshd/default.nix
+++ b/nixos/components/network/sshd/default.nix
@ -4,6 +4,36 @@ with types;
 let
  defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ];
  cfg = config.components.network.sshd;
+
+# maybe ascii-image-converter is also nice here
+  sshBanner = pkgs.runCommand "ssh-banner"
+    {
+      nativeBuildInputs = [
+        (pkgs.boxes.overrideAttrs (old: rec {
+          version = "2.3.0";
+          src = pkgs.fetchFromGitHub {
+            owner = "ascii-boxes";
+            repo = "boxes";
+            rev = "v${version}";
+            sha256 = "sha256-/gc/5vDflmEwOtQbtLwRcchyr22rLQcWqs5GrwRxY70=";
+          };
+          nativeBuildInputs = old.nativeBuildInputs ++ [
+            pkgs.libunistring
+            pkgs.pcre2
+            pkgs.ncurses
+          ];
+          installPhase = ''
+            install -Dm755 -t $out/bin out/boxes
+            install -Dm644 -t $out/share/boxes boxes-config
+            install -Dm644 -t $out/share/man/man1 doc/boxes.1
+          '';
+        }))
+      ];
+    } ''
+    echo "${config.networking.hostName}" | boxes -d ansi -s 80x1 -a r > $out
+  '';
+
+
 in
 {

@ -22,6 +52,10 @@ in
      default = [ ];
      description = "keys to root login";
    };
+    sshguard.enable = mkOption {
+      type = bool;
+      default = config.components.network.sshd.enable;
+    };
    onlyTincAccess = mkOption {
      type = bool;
      default = false;
@ -35,7 +69,10 @@ in

    (mkIf cfg.enable {

-      environment.systemPackages = [ pkgs.sshfs pkgs.mosh ];
+      environment.systemPackages = [
+        pkgs.sshfs
+        pkgs.mosh
+      ];

      services.openssh = {
        enable = true;
@ -45,23 +82,15 @@ in

      users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;

-      services.openssh.extraConfig = ''
-        Banner /etc/ssh/banner-line
-      '';
-
-      environment.etc."ssh/banner-line".text =
-        let
-          text = config.networking.hostName;
-          size = 80 - (lib.stringLength text);
-          space = lib.fixedWidthString size " " "";
-        in
-        ''
-          ────────────────────────────────────────────────────────────────────────────────
-          ${space}${text}
-        '';
+      services.openssh.banner = builtins.readFile sshBanner;

    })

+    (mkIf cfg.sshguard.enable {
+      environment.systemPackages = [ pkgs.ipset ];
+      services.sshguard.enable = lib.mkDefault true;
+    } )
+
    (mkIf (cfg.onlyTincAccess && cfg.enable) {
      networking.firewall.extraCommands = ''
        iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
--- a/nixos/machines/cherry/configuration.nix
+++ b/nixos/machines/cherry/configuration.nix
@ -27,6 +27,7 @@
  components.media.enable = true;
  components.media.tts-client.enable = false;
  components.network.enable = true;
+  components.network.sshd.sshguard.enable = false;
  components.network.wifi.enable = true;
  components.terminal.enable = true;

--- a/nixos/machines/orbi/hardware-configuration/default.nix
+++ b/nixos/machines/orbi/hardware-configuration/default.nix
@ -53,12 +53,6 @@ in
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw=="
  ];

-  services.openssh.enable = true;
-  services.sshguard.enable = true;
-  environment.systemPackages = [
-    pkgs.ipset # for sshguard
-  ];
-
  boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)

  boot.supportedFilesystems = [ "zfs" ];
--- a/scripts/shell.nix
+++ b/scripts/shell.nix
@ -0,0 +1,27 @@
+{ pkgs ? import <nixpkgs> { } }:
+
+pkgs.mkShell {
+  buildInputs = [
+    (pkgs.boxes.overrideAttrs (old: rec {
+      version = "2.3.0";
+      src = pkgs.fetchFromGitHub {
+        owner = "ascii-boxes";
+        repo = "boxes";
+        rev = "v${version}";
+        sha256 = "sha256-/gc/5vDflmEwOtQbtLwRcchyr22rLQcWqs5GrwRxY70=";
+      };
+      #nativeBuildInputs = old.nativeBuildInputs ++ [
+      nativeBuildInputs = [
+        pkgs.libunistring
+        pkgs.pcre2
+        pkgs.ncurses
+      ];
+      installPhase = ''
+        find . -type f
+        install -Dm755 -t $out/bin out/boxes
+        install -Dm644 -t $out/share/boxes boxes-config
+        install -Dm644 -t $out/share/man/man1 doc/boxes.1
+      '';
+    }))
+  ];
+}