From 4e271cba8a2b3b8c9675fd0b0d98b2dcd1445ca6 Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Sat, 8 Jun 2024 22:22:04 +0200
Subject: [PATCH] open ssh on chungus for password unlocking

---
 components/nixos/default.nix | 5 ++-
 components/nixos/tor-ssh.nix | 60 ++++++++++++++++++++++++++++++
 machines/chungus/configuration.nix | 7 +++-
 3 files changed, 69 insertions(+), 3 deletions(-)
 create mode 100644 components/nixos/tor-ssh.nix

diff --git a/components/nixos/default.nix b/components/nixos/default.nix
index 81341c6..7da3461 100644
--- a/components/nixos/default.nix
+++ b/components/nixos/default.nix
@@ -1,6 +1,9 @@
 { config, lib, ... }:
 {
- imports = [ ./upgrade-diff.nix ];
+ imports = [
+ ./upgrade-diff.nix
+ ./tor-ssh.nix
+ ];
 
 options.components.nixos.enable = lib.mkOption {
 type = lib.types.bool;
diff --git a/components/nixos/tor-ssh.nix b/components/nixos/tor-ssh.nix
new file mode 100644
index 0000000..d311506
--- /dev/null
+++ b/components/nixos/tor-ssh.nix
@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+with lib;
+with types;
+
+{
+ options.components.nixos.boot = {
+
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ kernelModules = mkOption {
+ type = listOf str;
+ default = [ ];
+ description =
+ "lspci -v will tell you which kernel module is used for the ethernet interface";
+ };
+
+ ssh = {
+
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = config.components.nixos.boot.enable;
+ };
+
+
+ };
+ };
+
+ config = mkMerge [
+
+ # ssh part
+ # --------
+ (mkIf (config.components.nixos.boot.ssh.enable) {
+
+ # boot
+ boot.initrd.systemd.enable = true;
+ boot.initrd.systemd.contents."/etc/hostname".text = "unlock.${config.networking.hostName}";
+
+ # network
+ boot.initrd.systemd.network.enable = true;
+ boot.initrd.availableKernelModules = config.components.nixos.boot.kernelModules;
+
+ # ssh
+ boot.initrd.network.enable = true;
+ boot.initrd.network.ssh = {
+ enable = true;
+ #authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ;
+ #authorizedKeyFiles = config.users.users.root.openssh.authorizedKeys.keyFiles;
+ port = 2222;
+ hostKeys = map ({ path, ... }: path) config.services.openssh.hostKeys;
+ };
+
+
+ })
+
+ ];
+}
+
diff --git a/machines/chungus/configuration.nix b/machines/chungus/configuration.nix
index 488a409..f82494b 100644
--- a/machines/chungus/configuration.nix
+++ b/machines/chungus/configuration.nix
@@ -55,10 +55,13 @@
 components.network.wifi.enable = false;
 components.terminal.enable = true;
+ components.nixos.boot.enable = true;
+ components.nixos.boot.kernelModules = [ "e1000e" ];
+ components.monitor.enable = true;
+ components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317";
 networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
 networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
- components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317";
 services.printing.enable = false;
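Review bot: `hostKeys = map ({ path, ... }: path) config.services.openssh.hostKeys;` copies the private host keys of the stage-2 sshd into the initrd, and the initrd is stored on the unencrypted boot partition, so the keys that identify the running system become readable to anyone with access to /boot, which undercuts the disk encryption this unlock path exists to protect. Dedicated initrd-only host keys, generated on the machine and referenced by their own path, keep a /boot compromise from also allowing impersonation of the real host; a comment above that line such as `# NOTE: the initrd is unencrypted; use separate keys so /boot does not expose the system host keys` would record the trade-off for the next reader. Both `authorizedKeys` lines are commented out, so as written there is no key anyone can authenticate with at the unlock prompt, and the NixOS initrd-ssh module, as far as I recall, also asserts that at least one authorized key is configured, so evaluation may fail until one of them is restored. The file is named tor-ssh.nix but configures no Tor, and the top-level `with lib; with types;` shadows names across the whole module while `mkOption` is still written as `lib.mkOption` elsewhere in the same file; one qualified style throughout would be more consistent.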
@@ -68,7 +71,7 @@
 #};
 virtualisation.podman.extraPackages = [ pkgs.zfs ]; # make sure /var/lib/containers/storage is a zfs dataset
- sops.defaultSopsFile = ../../secrets/chungus.yaml;
+ #sops.defaultSopsFile = ../../secrets/chungus.yaml;
 networking.hostName = "chungus";
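Review bot: Commenting out `sops.defaultSopsFile = ../../secrets/chungus.yaml;` disables the default secrets file for this machine without any mention in the commit message, whose subject ("open ssh on chungus for password unlocking") does not cover it. If any `sops.secrets.*` entries for chungus still rely on the default file, evaluation will fail or those secrets will silently stop being provisioned; if sops is intentionally no longer used here, deleting the line and saying so in the commit message is clearer than leaving dead configuration behind. The enclosing attribute set starts and ends outside the hunk.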