migrate sshd to component.sshd

2022-10-13 10:19:23 +02:00 · 2022-10-13 10:19:23 +02:00 · 7177106c20
commit 7177106c20
parent 798dd566a3
12 changed files with 96 additions and 109 deletions
--- a/nixos/components/network/default.nix
+++ b/nixos/components/network/default.nix
@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./sshd
+  ];
+}
--- a/nixos/components/network/sshd/default.nix
+++ b/nixos/components/network/sshd/default.nix
@ -0,0 +1,84 @@
+{ pkgs, config, lib, ... }:
+
+with lib;
+with types;
+
+let
+  cfg = config.component.network.sshd;
+  defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ];
+in
+{
+
+  imports = [
+    ./known-hosts-bootup.nix
+    ./known-hosts-private.nix
+    ./known-hosts-public.nix
+  ];
+
+  options.component.network.sshd = {
+    enable = mkOption {
+      type = bool;
+      default = true;
+      description = "add ssh tools";
+    };
+    rootKeyFiles = mkOption {
+      type = with types; listOf path;
+      default = [ ];
+      description = "keys to root login";
+    };
+    tools.enable = mkOption {
+      type = bool;
+      default = true;
+      description = "add ssh tools";
+    };
+    onlyTincAccess = mkOption {
+      type = bool;
+      default = false;
+      description = ''
+        make sure ssh is only available trough the tinc
+      '';
+    };
+  };
+
+  config = mkMerge [
+
+    (mkIf cfg.tools.enable {
+      environment.systemPackages = [ pkgs.sshfs ];
+    })
+
+    (mkIf cfg.enable {
+
+      services.openssh = {
+        enable = true;
+        forwardX11 = false;
+        passwordAuthentication = false;
+      };
+
+      users.users.root.openssh.authorizedKeys.keyFiles =
+        cfg.rootKeyFiles ++ defaultRootKeyFiles;
+
+      services.openssh.extraConfig = ''
+        Banner /etc/ssh/banner-line
+      '';
+
+      environment.etc."ssh/banner-line".text =
+        let
+          text = config.networking.hostName;
+          size = 80 - (lib.stringLength text);
+          space = lib.fixedWidthString size " " "";
+        in
+        ''
+          ────────────────────────────────────────────────────────────────────────────────
+          ${space}${text}
+        '';
+
+    })
+
+    (mkIf (cfg.onlyTincAccess && cfg.enable) {
+      networking.firewall.extraCommands = ''
+        iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
+      '';
+    })
+  ];
+
+}
--- a/nixos/components/network/sshd/known-hosts-bootup.nix
+++ b/nixos/components/network/sshd/known-hosts-bootup.nix
@ -0,0 +1,63 @@
+{ config, lib, pkgs, private_assets, ... }:
+with lib;
+let
+
+  computers = {
+    pepe = {
+      onionId = fileContents "${private_assets}/onion_id_pepe";
+      # SHA256:aOZbqpgc5CcTNtRAzjuG/0BQZ9MF5c9u/N+UC88y8kI
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5K4UHD8cIcXB33UiOj5vyXJj+4CyyiLFDMwcyad92a";
+    };
+
+  };
+
+in
+{
+
+  services.openssh.knownHosts = {
+    "robi-init-ssh" = {
+      hostNames = [
+        "[robi]:2222"
+        "[144.76.13.147]:2222"
+      ];
+      # SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKQ7XB6Cs9FJmHkuZ9ihbj76WsK0uJBh882ceyKaaKJ";
+    };
+  } // (mapAttrs'
+    (name:
+      { onionId, publicKey, ... }: {
+        name = "${name}-init-ssh";
+        value = {
+          hostNames = [ "[${onionId}]:2222" ];
+          inherit publicKey;
+        };
+      })
+    computers);
+
+  environment.systemPackages =
+    let
+
+      ssh = mapAttrsToList
+        (name:
+          { onionId, ... }:
+          pkgs.writers.writeDashBin "ssh-boot-to-${name}" ''
+            ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222
+          '')
+        computers;
+
+      password = mapAttrsToList
+        (name:
+          { onionId, ... }:
+          pkgs.writers.writeDashBin "unlock-boot-${name}" ''
+            ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222 '
+            echo -n "enter password : "
+            read password
+            echo "$password" > /crypt-ramfs/passphrase
+            '
+          '')
+        computers;
+
+    in
+    ssh ++ password;
+
+}
--- a/nixos/components/network/sshd/known-hosts-private.nix
+++ b/nixos/components/network/sshd/known-hosts-private.nix
@ -0,0 +1,57 @@
+# generated by updateSshKeys.sh
+{ config, lib, ... }: {
+
+  services.openssh.knownHosts = {
+    #"robi_init" = {
+    #  hostNames = [
+    #    "robi:2222"
+    #    "144.76.13.147:2222"
+    #  ];
+    #  fingerprints
+    #  256 SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g root@rescue (ED25519)
+    # 3072 SHA256:KBVMQLNWaDpzlCZERN9OeEDFAhUoADOZRfenXWHxswU root@rescue (RSA)
+    #  publicKey = "";
+    #};
+    "robi" = {
+      hostNames = [
+        "robi.private"
+        "robi"
+        "144.76.13.147"
+        "git.ingolf-wagner.de"
+        "taskd.ingolf-wagner.de"
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV";
+    };
+    "sternchen.secret" = {
+      hostNames = [
+        "sternchen.secret"
+        config.module.cluster.services.tinc.secret.hosts.sternchen.tincIp
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriD/0+65L1mkbjKENwpvB3wUMXz/rEf9J8wuJjJa0q";
+    };
+    "sterni.private" = {
+      hostNames = [
+        "sterni.private"
+        "sterni.secret"
+        config.module.cluster.services.tinc.private.hosts.sterni.tincIp
+        config.module.cluster.services.tinc.secret.hosts.sterni.tincIp
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
+    };
+    "pepe.private" = {
+      hostNames = [
+        "pepe.private"
+        "pepe.lan"
+        config.module.cluster.services.tinc.private.hosts.pepe.tincIp
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPlva+Vdj8WmQPlbQLN3qicMz5AAsyTzK53BincxtAz";
+    };
+    "mobi.private" = {
+      hostNames = [
+        "mobi.private"
+        config.module.cluster.services.tinc.private.hosts.mobi.tincIp
+      ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
+    };
+  };
+}
--- a/nixos/components/network/sshd/known-hosts-public.nix
+++ b/nixos/components/network/sshd/known-hosts-public.nix
@ -0,0 +1,95 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+{
+
+  services.openssh.knownHosts = {
+    github = {
+      hostNames = [
+        "*.github.com"
+        # List generated with
+        # curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob
+        "192.30.252.*"
+        "192.30.253.*"
+        "192.30.254.*"
+        "192.30.255.*"
+        "185.199.108.*"
+        "185.199.109.*"
+        "185.199.110.*"
+        "185.199.111.*"
+        "13.229.188.59"
+        "13.250.177.223"
+        "18.194.104.89"
+        "18.195.85.27"
+        "35.159.8.160"
+        "52.74.223.119"
+      ];
+      publicKey =
+        "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
+    };
+    gitlab = {
+      hostNames = [ "gitlab.com" ];
+      publicKey =
+        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=";
+    };
+    gitlab-bk = {
+      hostNames = [ "gitlab.bk-bund-berlin.de" "116.203.133.59" ];
+      publicKey =
+        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCG/sjnOlbrmpUliFtM5fmZTcm2wpUoP5OQEzFrrkkwhstCO9fMty9mp5qnKlezYA9+l78RTd218qFjSKYxTQNw=";
+    };
+    # space-left
+    gitlabSpaceLeft = {
+      hostNames = [ "git.space-left.org" ];
+      publicKey =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAapztj8I3xy6Ea8A1q7Mo5C6zdgsK1bguAXcKUDCRBO";
+    };
+    # c-base
+    "bnd-cbase" = {
+      hostNames = [ "bnd.cbrp3.c-base.org" ];
+      publicKey =
+        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKDknNl4M2WZChp1N/eRIpem2AEOceGIqvjo0ptBuwxUn0w0B8MGTVqoI+pnUVypORJRoNrLPOAkmEVr32BDN3E=";
+    };
+    "shell.cbase" = {
+      hostNames = [ "shell.c-base.org" ];
+      publicKey =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOBKBn0mZtG3KWxpFqqcog8zvdIVrZmwj+ARujuNIAfo";
+    };
+    "kgb.cbase" = {
+      hostNames = [ "kgb.cbrp3.c-base.org" ];
+      publicKey =
+        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAdyl7fnnCqomghJ1TDbh5FWFQWFwoO1Y1U/FpmWd8a9RcQvN0Izhg/7A+7ptDxbmpVii8hqfghlqUwtvVy7jo8=";
+    };
+    "cns.cbase" = {
+      hostNames = [ "cns.c-base.org" ];
+      publicKey =
+        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOtlyLA2nMK9Uqpv4EbWS+rZ9Mx4bAjURmH+zrXkuRGBcU1cKm+TZfWe9/rPX57KaMPBDyIygOJIsM2T5SqX90A=";
+    };
+    "lassulus" = {
+      hostNames = [ "[lassul.us]:45621" ];
+      publicKey =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
+    };
+    renoise = {
+      hostNames = [ "*.renoise.com" "renoise.com" "94.130.128.97" ];
+      publicKey =
+        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLXxhBlYQJxgcLqKywpl1tI1N/+B5bkptAnR2a3tsRybq0IHZnIkSRGUYcu5zPwJT+bitVw8BvIaGzxI+Zm2ivE=";
+    };
+    git-renoise = {
+      hostNames = [ "[git.renoise.com]:2229" "[94.130.128.97]:2229" ];
+      publicKey =
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmIOTjQsD1TaD9MiECcRqwfAXfRdbI+2pkuF+zhBUkrX41NA4LzifPY4Iw3PlklE0YGIOzYyNitzkdgxIWkeqa0Y9iL3gGZBuLFORj5YXWlDKB2RrPAsZRL8y69y4H6RWPpL6DHHsf9eT+HgRzWzzn5nUFLfkCsuM96BqjIKN1pinIBcE6gst1UUSwSTjK8XZA5d4BiSrLF4HiNXnDm+qniYGbGkzZcjn1ua+l0GdGbfg9TotFnSK/QXgN3MeHHDZKnIjOIkOXCY+L5URe0RHo6pBFdj+BLr211AJhB52MrDNudQcY6eSQiJ08LeE6SkcrsQO/VZ/JnOkHxHd2mOyH";
+    };
+    "siteground" = {
+      hostNames = [ "[es5.siteground.eu]:18765" "[37.60.224.6]:18765" ];
+      publicKey =
+        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHZuvHooyHa69rU+SfOghM6yfc7bce5cMi9sh5JkoLPi+m8QEkX3oiG9rRpAhp0GYnB74M4l1+0XlxmG7/HVmq0=";
+    };
+    "cracksucht.de" = {
+      hostNames = [ "cracksucht.de" ];
+      publicKey =
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVqpWzX+C7veO/1MDSdh5ukFhpI4cfXevbl6DVb9gVt1wdYB0JsiMiWfl13MZJy9iEP/KfwRLYmu8i36tDR9uJfHQyLK8G7q2DhrleIPgM3dFCdDU1QtulE8hEq/ZsqzMn/QIHYIipIqzNfmC/xnpX2gIo09T7EY+n863ALlj+GqxMb4nr2XDLY+Lllo2yMzylJIz9q8U5hOmzrlCnBpf2MPMwanHXnZXj2CmO80VyBHnAMJ/h72AN1qzDaHFlhxh0Li/POc1bpDjiVjiUPgimHZWpi3VObxWLLn2zf+RH2lx0yXMccSEnkWvHp+Ll5apIUUS+vTlDo3niWpEfGZLl root@debian";
+    };
+  };
+
+}