migrate sshd to component.sshd

This commit is contained in:
Ingolf Wagner 2022-10-13 10:19:23 +02:00
parent 798dd566a3
commit 7177106c20
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
12 changed files with 96 additions and 109 deletions


@ -0,0 +1,6 @@
{ ... }:
{
imports = [
./sshd
];
}


@ -0,0 +1,84 @@
{ pkgs, config, lib, ... }:
with lib;
with types;
let
cfg = config.component.network.sshd;
defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ];
in
{
imports = [
./known-hosts-bootup.nix
./known-hosts-private.nix
./known-hosts-public.nix
];
options.component.network.sshd = {
enable = mkOption {
type = bool;
default = true;
description = "add ssh tools";
};
rootKeyFiles = mkOption {
type = with types; listOf path;
default = [ ];
description = "keys to root login";
};
tools.enable = mkOption {
type = bool;
default = true;
description = "add ssh tools";
};
onlyTincAccess = mkOption {
type = bool;
default = false;
description = ''
make sure ssh is only available trough the tinc
'';
};
};
config = mkMerge [
(mkIf cfg.tools.enable {
environment.systemPackages = [ pkgs.sshfs ];
})
(mkIf cfg.enable {
services.openssh = {
enable = true;
forwardX11 = false;
passwordAuthentication = false;
};
users.users.root.openssh.authorizedKeys.keyFiles =
cfg.rootKeyFiles ++ defaultRootKeyFiles;
services.openssh.extraConfig = ''
Banner /etc/ssh/banner-line
'';
environment.etc."ssh/banner-line".text =
let
text = config.networking.hostName;
size = 80 - (lib.stringLength text);
space = lib.fixedWidthString size " " "";
in
''
${space}${text}
'';
})
(mkIf (cfg.onlyTincAccess && cfg.enable) {
networking.firewall.extraCommands = ''
iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
'';
})
];
}
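Review bot: The `onlyTincAccess` rule in the third `mkIf` (`iptables --table nat --append PREROUTING ! --in-interface tinc.+ ...`) only rewrites IPv4 traffic, while `services.openssh.enable = true` above keeps the NixOS default of opening port 22 in the firewall for both address families, so on a host with a reachable IPv6 address sshd would presumably still answer outside tinc; the firewall module exposes an `ip46tables` helper to `extraCommands`, so `ip46tables --table nat --append PREROUTING ...` (or an added `ip6tables` line with the same arguments) closes that gap, and setting `services.openssh.openFirewall = false;` with port 22 allowed only on the tinc interface would be the more robust form. The description of `enable` (`"add ssh tools"`) was copied from `tools.enable` and should say what it controls, e.g. `description = "enable the sshd server";`, and `with types;` on the `rootKeyFiles` type is redundant given the module-level `with types;` at the top. `forwardX11` is now `false` where the removed `services/sshd.nix` had `true`, and `defaultRootKeyFiles` is appended unconditionally, both behaviour changes the commit message does not mention; a line in the description would help. The `onlyTincAccess` description also reads "trough", presumably meant as "through".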


@ -3,14 +3,13 @@
../../system/all/borg-jobs.nix ../../system/all/borg-jobs.nix
../../system/all/defaults.nix ../../system/all/defaults.nix
../../system/all/sshd-known-hosts-bootup.nix
../../system/all/sshd-known-hosts-private.nix
../../system/all/sshd-known-hosts-public.nix
../../system/all/syncthing.nix ../../system/all/syncthing.nix
../../system/all/tinc.nix
../../system/server/netdata.nix ../../system/server/netdata.nix
../../system/server/packages.nix ../../system/server/packages.nix
../../components/network/sshd
../../system/all/tinc.nix
./hetzner.nix ./hetzner.nix
./borg.nix ./borg.nix


@ -8,7 +8,6 @@
./services/home-assistant.nix ./services/home-assistant.nix
./services/lektor.nix ./services/lektor.nix
./services/samba-share.nix ./services/samba-share.nix
./services/sshd.nix
./services/videoencoder.nix ./services/videoencoder.nix
./services/taskwarrior-pushover.nix ./services/taskwarrior-pushover.nix
./services/taskwarrior-autotag.nix ./services/taskwarrior-autotag.nix


@ -1,63 +0,0 @@
{ pkgs, config, lib, ... }:
with lib;
let
cfg = config.services.custom.ssh;
in
{
options.services.custom.ssh = {
tools.enable = mkEnableOption "Add ssh tools";
sshd = {
enable = mkEnableOption "Start sshd server";
rootKeyFiles = mkOption {
type = with types; listOf path;
description = "keys to root login";
default = [ ];
};
};
};
config = mkMerge [
(mkIf cfg.tools.enable {
environment.systemPackages = with pkgs;
[
# sshuttle
sshfs
];
})
(mkIf cfg.sshd.enable {
services.openssh = {
enable = true;
forwardX11 = true;
passwordAuthentication = false;
};
users.users.root.openssh.authorizedKeys.keyFiles = cfg.sshd.rootKeyFiles;
services.openssh.extraConfig = ''
Banner /etc/sshd/banner-line
'';
environment.etc."sshd/banner-line".text =
let
text = config.networking.hostName;
size = 80 - (lib.stringLength text);
space = lib.fixedWidthString size " " "";
in
''
${space}${text}
'';
})
];
}


@ -3,6 +3,7 @@
imports = [ imports = [
../../modules ../../modules
../../components/network
./defaults.nix ./defaults.nix
@ -19,10 +20,6 @@
./packages.nix ./packages.nix
./borg-jobs.nix ./borg-jobs.nix
./borg-scripts.nix ./borg-scripts.nix
./sshd-known-hosts-bootup.nix
./sshd-known-hosts-private.nix
./sshd-known-hosts-public.nix
./sshd.nix
./syncthing.nix ./syncthing.nix
./tinc.nix ./tinc.nix
./on-failure.nix ./on-failure.nix


@ -1,19 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
{
# not needed anymore
# programs.ssh.hostKeyAlgorithms = [ "ssh-rsa" "ssh-ed25519" "ecdsa-sha2-nistp256" ];
services.custom.ssh = {
tools.enable = true;
sshd = {
enable = true;
rootKeyFiles = [ (toString ../../assets/ssh/palo_rsa.pub) ];
};
};
}


@ -19,7 +19,6 @@
./pass.nix ./pass.nix
./remote-install.nix ./remote-install.nix
./size.nix ./size.nix
./sshd.nix
./suspend.nix ./suspend.nix
./user.nix ./user.nix
./x11.nix ./x11.nix
@ -28,6 +27,8 @@
./wtf.nix ./wtf.nix
]; ];
component.network.sshd.onlyTincAccess = lib.mkDefault true;
system.custom.suspend.enable = lib.mkDefault true; system.custom.suspend.enable = lib.mkDefault true;
backup.dirs = [ backup.dirs = [


@ -1,17 +0,0 @@
{ config, lib, ... }:
with lib;
let cfg = config.desktop.ssh.onlyTinc;
in {
options.desktop.ssh.onlyTinc = mkOption {
type = with types; bool;
default = true;
description = ''
make sure ssh is only available trough the tinc
'';
};
config = mkIf cfg {
networking.firewall.extraCommands = ''
iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
'';
};
}