refactor ssh daemon
This commit is contained in:
parent
6645f02a72
commit
2f5d2faaad
4 changed files with 72 additions and 21 deletions
|
@ -4,6 +4,36 @@ with types;
|
||||||
let
|
let
|
||||||
defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ];
|
defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ];
|
||||||
cfg = config.components.network.sshd;
|
cfg = config.components.network.sshd;
|
||||||
|
|
||||||
|
# maybe ascii-image-converter is also nice here
|
||||||
|
sshBanner = pkgs.runCommand "ssh-banner"
|
||||||
|
{
|
||||||
|
nativeBuildInputs = [
|
||||||
|
(pkgs.boxes.overrideAttrs (old: rec {
|
||||||
|
version = "2.3.0";
|
||||||
|
src = pkgs.fetchFromGitHub {
|
||||||
|
owner = "ascii-boxes";
|
||||||
|
repo = "boxes";
|
||||||
|
rev = "v${version}";
|
||||||
|
sha256 = "sha256-/gc/5vDflmEwOtQbtLwRcchyr22rLQcWqs5GrwRxY70=";
|
||||||
|
};
|
||||||
|
nativeBuildInputs = old.nativeBuildInputs ++ [
|
||||||
|
pkgs.libunistring
|
||||||
|
pkgs.pcre2
|
||||||
|
pkgs.ncurses
|
||||||
|
];
|
||||||
|
installPhase = ''
|
||||||
|
install -Dm755 -t $out/bin out/boxes
|
||||||
|
install -Dm644 -t $out/share/boxes boxes-config
|
||||||
|
install -Dm644 -t $out/share/man/man1 doc/boxes.1
|
||||||
|
'';
|
||||||
|
}))
|
||||||
|
];
|
||||||
|
} ''
|
||||||
|
echo "${config.networking.hostName}" | boxes -d ansi -s 80x1 -a r > $out
|
||||||
|
'';
|
||||||
|
|
||||||
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|
||||||
|
@ -22,6 +52,10 @@ in
|
||||||
default = [ ];
|
default = [ ];
|
||||||
description = "keys to root login";
|
description = "keys to root login";
|
||||||
};
|
};
|
||||||
|
sshguard.enable = mkOption {
|
||||||
|
type = bool;
|
||||||
|
default = config.components.network.sshd.enable;
|
||||||
|
};
|
||||||
onlyTincAccess = mkOption {
|
onlyTincAccess = mkOption {
|
||||||
type = bool;
|
type = bool;
|
||||||
default = false;
|
default = false;
|
||||||
|
@ -35,7 +69,10 @@ in
|
||||||
|
|
||||||
(mkIf cfg.enable {
|
(mkIf cfg.enable {
|
||||||
|
|
||||||
environment.systemPackages = [ pkgs.sshfs pkgs.mosh ];
|
environment.systemPackages = [
|
||||||
|
pkgs.sshfs
|
||||||
|
pkgs.mosh
|
||||||
|
];
|
||||||
|
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -45,21 +82,13 @@ in
|
||||||
|
|
||||||
users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;
|
users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;
|
||||||
|
|
||||||
services.openssh.extraConfig = ''
|
services.openssh.banner = builtins.readFile sshBanner;
|
||||||
Banner /etc/ssh/banner-line
|
|
||||||
'';
|
|
||||||
|
|
||||||
environment.etc."ssh/banner-line".text =
|
})
|
||||||
let
|
|
||||||
text = config.networking.hostName;
|
|
||||||
size = 80 - (lib.stringLength text);
|
|
||||||
space = lib.fixedWidthString size " " "";
|
|
||||||
in
|
|
||||||
''
|
|
||||||
────────────────────────────────────────────────────────────────────────────────
|
|
||||||
${space}${text}
|
|
||||||
'';
|
|
||||||
|
|
||||||
|
(mkIf cfg.sshguard.enable {
|
||||||
|
environment.systemPackages = [ pkgs.ipset ];
|
||||||
|
services.sshguard.enable = lib.mkDefault true;
|
||||||
} )
|
} )
|
||||||
|
|
||||||
(mkIf (cfg.onlyTincAccess && cfg.enable) {
|
(mkIf (cfg.onlyTincAccess && cfg.enable) {
|
||||||
|
|
|
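Review bot: `services.openssh.banner = builtins.readFile sshBanner;` in the last hunk of this file turns the banner into an import-from-derivation: every evaluation of this host now has to build the overridden boxes package, including its fetchFromGitHub source, before sshd_config can be generated, which slows `nixos-rebuild` and fails in pure or no-IFD evaluation contexts such as `nix flake check`. The previous `Banner` directive only referenced a path, so keeping that shape avoids the build-at-eval cost: `services.openssh.extraConfig = "Banner ${sshBanner}";`. Note that sshd sends this banner before authentication, so the hostname it prints is visible to every client that connects, as was already the case with the old banner-line. Separately, the new `sshguard.enable` option in the second hunk has no `description`, and its default spells out `config.components.network.sshd.enable` where the file's `cfg.enable` would do.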
@ -27,6 +27,7 @@
|
||||||
components.media.enable = true;
|
components.media.enable = true;
|
||||||
components.media.tts-client.enable = false;
|
components.media.tts-client.enable = false;
|
||||||
components.network.enable = true;
|
components.network.enable = true;
|
||||||
|
components.network.sshd.sshguard.enable = false;
|
||||||
components.network.wifi.enable = true;
|
components.network.wifi.enable = true;
|
||||||
components.terminal.enable = true;
|
components.terminal.enable = true;
|
||||||
|
|
||||||
|
|
|
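Review bot: `components.network.sshd.sshguard.enable = false;` switches off the brute-force protection that the sshd component now enables by default, and the line gives no reason. Since this is a deliberate reduction in hardening for one host, a short comment on the line would keep the next reader from "fixing" it, e.g. `components.network.sshd.sshguard.enable = false; # <why this host does not need sshguard>`. I cannot tell from the hunk whether this host exposes sshd beyond the local network, so the reason itself has to come from the author.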
@ -53,12 +53,6 @@ in
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw=="
|
"ssh-rsa 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"
|
||||||
];
|
];
|
||||||
|
|
||||||
services.openssh.enable = true;
|
|
||||||
services.sshguard.enable = true;
|
|
||||||
environment.systemPackages = [
|
|
||||||
pkgs.ipset # for sshguard
|
|
||||||
];
|
|
||||||
|
|
||||||
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
|
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
|
||||||
|
|
||||||
boot.supportedFilesystems = [ "zfs" ];
|
boot.supportedFilesystems = [ "zfs" ];
|
||||||
|
|
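Review bot: Dropping `services.openssh.enable = true;`, `services.sshguard.enable = true;` and the ipset package from this host relies on `components.network.sshd.enable` being set for it somewhere outside this hunk; if it is not, sshd no longer starts and the sshguard protection silently disappears rather than being moved into the module. The hunk does not show that option being set, so this is worth confirming before merge, or stating it explicitly here with `components.network.sshd.enable = true;`. With the new module the sshguard default follows `sshd.enable` and pulls in ipset itself, so once that option is confirmed the removal is complete.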
27
scripts/shell.nix
Normal file
27
scripts/shell.nix
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
{ pkgs ? import <nixpkgs> { } }:
|
||||||
|
|
||||||
|
pkgs.mkShell {
|
||||||
|
buildInputs = [
|
||||||
|
(pkgs.boxes.overrideAttrs (old: rec {
|
||||||
|
version = "2.3.0";
|
||||||
|
src = pkgs.fetchFromGitHub {
|
||||||
|
owner = "ascii-boxes";
|
||||||
|
repo = "boxes";
|
||||||
|
rev = "v${version}";
|
||||||
|
sha256 = "sha256-/gc/5vDflmEwOtQbtLwRcchyr22rLQcWqs5GrwRxY70=";
|
||||||
|
};
|
||||||
|
#nativeBuildInputs = old.nativeBuildInputs ++ [
|
||||||
|
nativeBuildInputs = [
|
||||||
|
pkgs.libunistring
|
||||||
|
pkgs.pcre2
|
||||||
|
pkgs.ncurses
|
||||||
|
];
|
||||||
|
installPhase = ''
|
||||||
|
find . -type f
|
||||||
|
install -Dm755 -t $out/bin out/boxes
|
||||||
|
install -Dm644 -t $out/share/boxes boxes-config
|
||||||
|
install -Dm644 -t $out/share/man/man1 doc/boxes.1
|
||||||
|
'';
|
||||||
|
}))
|
||||||
|
];
|
||||||
|
}
|
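Review bot: `find . -type f` at the top of `installPhase` is debug output left in the build and prints the whole source tree on every `nix-shell` entry; it should be removed. The line `#nativeBuildInputs = old.nativeBuildInputs ++ [` is a commented-out leftover, and with it gone the `old` argument of `overrideAttrs` is unused. More importantly, this file duplicates the boxes override (version, rev, sha256, inputs, installPhase) that the sshd module adds in the same commit, so the pin now lives in two places; moving it into one shared `boxes.nix` that both the module and this shell import would keep the version and hash from drifting apart.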