From 2f5d2faaadb1402c23a7cafd39ae5aaaba988760 Mon Sep 17 00:00:00 2001 From: Ingolf Wagner Date: Fri, 12 Apr 2024 22:23:06 +0200 Subject: [PATCH] refactor ssh daemon --- nixos/components/network/sshd/default.nix | 59 ++++++++++++++----- nixos/machines/cherry/configuration.nix | 1 + .../orbi/hardware-configuration/default.nix | 6 -- scripts/shell.nix | 27 +++++++++ 4 files changed, 72 insertions(+), 21 deletions(-) create mode 100644 scripts/shell.nix diff --git a/nixos/components/network/sshd/default.nix b/nixos/components/network/sshd/default.nix index aaec2ba..a7d75b4 100644 --- a/nixos/components/network/sshd/default.nix +++ b/nixos/components/network/sshd/default.nix @@ -4,6 +4,36 @@ with types; let defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ]; cfg = config.components.network.sshd; + +# maybe ascii-image-converter is also nice here + sshBanner = pkgs.runCommand "ssh-banner" + { + nativeBuildInputs = [ + (pkgs.boxes.overrideAttrs (old: rec { + version = "2.3.0"; + src = pkgs.fetchFromGitHub { + owner = "ascii-boxes"; + repo = "boxes"; + rev = "v${version}"; + sha256 = "sha256-/gc/5vDflmEwOtQbtLwRcchyr22rLQcWqs5GrwRxY70="; + }; + nativeBuildInputs = old.nativeBuildInputs ++ [ + pkgs.libunistring + pkgs.pcre2 + pkgs.ncurses + ]; + installPhase = '' + install -Dm755 -t $out/bin out/boxes + install -Dm644 -t $out/share/boxes boxes-config + install -Dm644 -t $out/share/man/man1 doc/boxes.1 + ''; + })) + ]; + } '' + echo "${config.networking.hostName}" | boxes -d ansi -s 80x1 -a r > $out + ''; + + in { @@ -22,6 +52,10 @@ in default = [ ]; description = "keys to root login"; }; + sshguard.enable = mkOption { + type = bool; + default = config.components.network.sshd.enable; + }; onlyTincAccess = mkOption { type = bool; default = false; @@ -35,7 +69,10 @@ in (mkIf cfg.enable { - environment.systemPackages = [ pkgs.sshfs pkgs.mosh ]; + environment.systemPackages = [ + pkgs.sshfs + pkgs.mosh + ]; services.openssh = { enable = true; 
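Review bot: The `boxes` override that builds `sshBanner` is copied almost verbatim into the new `scripts/shell.nix` in this same commit, and the two copies already disagree (this one appends to `old.nativeBuildInputs`, the shell copy replaces the list), so the `version`/`sha256` pin will drift; define the override once, for example as an overlay or a single `callPackage`d expression both places import. The comment `# maybe ascii-image-converter is also nice here` sits at column 0 inside the `let` while every binding around it is indented; move it onto the indentation of the `sshBanner` binding it refers to. `libunistring`, `pcre2` and `ncurses` are link-time libraries, which nixpkgs conventionally lists under `buildInputs` rather than `nativeBuildInputs`; it evidently builds natively, but that is the line that will break if this is ever cross-compiled.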
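Review bot: The new `sshguard.enable` option has no `description`, unlike its sibling `rootKeyFiles` directly above it, which documents itself with `description = "keys to root login";`; add `description = "run sshguard against sshd (defaults to sshd's enable state)";`. Its default can also be written as `default = cfg.enable;` since `cfg` is already bound to `config.components.network.sshd` in this file's `let`, instead of spelling the full path out again. Removing orbi's explicit `services.openssh.enable`/`services.sshguard.enable` elsewhere in this commit relies on `components.network.sshd.enable` being set for that machine, which is not visible in the diff and is worth confirming.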
@@ -45,23 +82,15 @@ in users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles; - services.openssh.extraConfig = '' - Banner /etc/ssh/banner-line - ''; - - environment.etc."ssh/banner-line".text = - let - text = config.networking.hostName; - size = 80 - (lib.stringLength text); - space = lib.fixedWidthString size " " ""; - in - '' - ──────────────────────────────────────────────────────────────────────────────── - ${space}${text} - ''; + services.openssh.banner = builtins.readFile sshBanner; }) + (mkIf cfg.sshguard.enable { + environment.systemPackages = [ pkgs.ipset ]; + services.sshguard.enable = lib.mkDefault true; + } ) + (mkIf (cfg.onlyTincAccess && cfg.enable) { networking.firewall.extraCommands = '' iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0 diff --git a/nixos/machines/cherry/configuration.nix b/nixos/machines/cherry/configuration.nix index a55d66f..8c4f22a 100644 --- a/nixos/machines/cherry/configuration.nix +++ b/nixos/machines/cherry/configuration.nix @@ -27,6 +27,7 @@ components.media.enable = true; components.media.tts-client.enable = false; components.network.enable = true; + components.network.sshd.sshguard.enable = false; components.network.wifi.enable = true; components.terminal.enable = true; diff --git a/nixos/machines/orbi/hardware-configuration/default.nix b/nixos/machines/orbi/hardware-configuration/default.nix index bbbc6e3..17c46b8 100644 --- a/nixos/machines/orbi/hardware-configuration/default.nix +++ b/nixos/machines/orbi/hardware-configuration/default.nix @@ -53,12 +53,6 @@ in "ssh-rsa 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" ]; - services.openssh.enable = true; - services.sshguard.enable = true; - environment.systemPackages = [ - pkgs.ipset # for sshguard - ]; - boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!) boot.supportedFilesystems = [ "zfs" ]; 
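Review bot: `services.openssh.banner = builtins.readFile sshBanner;` reads a derivation output during evaluation (import-from-derivation), so every evaluation of this module — including a dry-build or any tool that only evaluates the configuration — must first build the patched `boxes` package before sshd's config can even be rendered. Since `services.openssh.banner` only ends up writing that text to a file, pointing the daemon at the store path directly avoids the build-at-eval dependency: `services.openssh.extraConfig = "Banner ${sshBanner}";` (`$out` of `sshBanner` is already a single regular file). The enclosing `(mkIf cfg.enable { … })` attribute set starts before this hunk.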
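Review bot: `components.network.sshd.sshguard.enable = false;` opts this host out of a protection that now defaults to on wherever sshd is enabled, but gives no reason, so the next reader cannot tell whether it is deliberate hardening trade-off or a leftover; add a one-line comment above it stating why, e.g. `# sshguard off here because: <reason>` (placeholder, fill in the actual motivation).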
diff --git a/scripts/shell.nix b/scripts/shell.nix
new file mode 100644
index 0000000..4c36589
--- /dev/null
+++ b/scripts/shell.nix
@@ -0,0 +1,27 @@
+{ pkgs ? import { } }:
+
+pkgs.mkShell {
+ buildInputs = [
+ (pkgs.boxes.overrideAttrs (old: rec {
+ version = "2.3.0";
+ src = pkgs.fetchFromGitHub {
+ owner = "ascii-boxes";
+ repo = "boxes";
+ rev = "v${version}";
+ sha256 = "sha256-/gc/5vDflmEwOtQbtLwRcchyr22rLQcWqs5GrwRxY70=";
+ };
+ #nativeBuildInputs = old.nativeBuildInputs ++ [
+ nativeBuildInputs = [
+ pkgs.libunistring
+ pkgs.pcre2
+ pkgs.ncurses
+ ];
+ installPhase = ''
+ find . -type f
+ install -Dm755 -t $out/bin out/boxes
+ install -Dm644 -t $out/share/boxes boxes-config
+ install -Dm644 -t $out/share/man/man1 doc/boxes.1
+ '';
+ }))
+ ];
+}
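Review bot: The `installPhase` of the new `scripts/shell.nix` still contains the debugging command `find . -type f`, and the line `#nativeBuildInputs = old.nativeBuildInputs ++ [` directly above `nativeBuildInputs = [` is commented-out code; drop both, and either restore the `old.nativeBuildInputs ++` form so this copy matches the one in `nixos/components/network/sshd/default.nix` or say in a comment why the shell variant deliberately discards the upstream `nativeBuildInputs`. Keeping the `old` parameter while never using it also suggests the append form was the intended one. The header `{ pkgs ? import { } }:` as rendered here is not valid Nix — presumably the `<nixpkgs>` path was lost in extraction rather than in the commit; worth checking against the actual file.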