diff --git a/nixos/components/network/hosts.nix b/nixos/components/network/hosts.nix index 20e0c02..6247065 100644 --- a/nixos/components/network/hosts.nix +++ b/nixos/components/network/hosts.nix @@ -1,6 +1,5 @@ { networking.extraHosts = '' - 192.168.0.24 scanner 144.76.13.147 robi ''; } diff --git a/nixos/components/network/sshd/default.nix b/nixos/components/network/sshd/default.nix index 22149f7..1d2b658 100644 --- a/nixos/components/network/sshd/default.nix +++ b/nixos/components/network/sshd/default.nix @@ -1,11 +1,9 @@ { pkgs, config, lib, ... }: - with lib; with types; - let - cfg = config.components.network.sshd; defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ]; + cfg = config.components.network.sshd; in { @@ -19,18 +17,12 @@ in enable = mkOption { type = bool; default = true; - description = "add ssh tools"; }; rootKeyFiles = mkOption { type = with types; listOf path; default = [ ]; description = "keys to root login"; }; - tools.enable = mkOption { - type = bool; - default = true; - description = "add ssh tools"; - }; onlyTincAccess = mkOption { type = bool; default = false; @@ -42,12 +34,10 @@ in config = mkMerge [ - (mkIf cfg.tools.enable { - environment.systemPackages = [ pkgs.sshfs ]; - }) - (mkIf cfg.enable { + environment.systemPackages = [ pkgs.sshfs ]; + services.openssh = { enable = true; forwardX11 = false; diff --git a/nixos/components/network/sshd/known-hosts-bootup.nix b/nixos/components/network/sshd/known-hosts-bootup.nix index 2c3b29c..198fb3b 100644 --- a/nixos/components/network/sshd/known-hosts-bootup.nix +++ b/nixos/components/network/sshd/known-hosts-bootup.nix 
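Review bot: Dropping the `tools.enable` option outright means any host configuration that still sets `components.network.sshd.tools.enable` now fails evaluation with an undefined-option error instead of a clear message; add `imports = [ (mkRemovedOptionModule [ "components" "network" "sshd" "tools" "enable" ] "sshfs is now installed whenever components.network.sshd.enable is set.") ];` next to the options. The `enable` option is also left with no `description` once the copy-pasted "add ssh tools" text is removed; something like `description = "enable the sshd component (openssh server, sshfs and the pinned known hosts)";` would state what it actually gates. The option set continues past the hunk (`onlyTincAccess` and the `config` attribute follow).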
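Review bot: `pkgs.sshfs` is a client-side FUSE tool, yet the new code installs it only inside `mkIf cfg.enable` alongside `services.openssh.enable = true`, so the only way to get sshfs is to run an SSH server, and a host that keeps `cfg.enable = false` to reduce attack surface also loses the client tool. If `enable` is meant as "this machine speaks SSH at all", say so in the option description; otherwise keep `environment.systemPackages = [ pkgs.sshfs ];` as its own `mkMerge` element, unconditionally or behind a dedicated option. The `services.openssh` attribute set opened here is closed outside the hunk.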
@@ -18,50 +18,53 @@ let in { - services.openssh.knownHosts = { - "robi-init-ssh" = { - hostNames = [ - "[robi]:2222" - "[144.76.13.147]:2222" - ]; - # SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKQ7XB6Cs9FJmHkuZ9ihbj76WsK0uJBh882ceyKaaKJ"; - }; - } // (mapAttrs' - (name: - { onionId, publicKey, ... }: { - name = "${name}-init-ssh"; - value = { - hostNames = [ "[${onionId}]:2222" ]; - inherit publicKey; - }; - }) - computers); + config = mkIf (config.components.network.sshd.enable) { - environment.systemPackages = - let + services.openssh.knownHosts = { + "robi-init-ssh" = { + hostNames = [ + "[robi]:2222" + "[144.76.13.147]:2222" + ]; + # SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKQ7XB6Cs9FJmHkuZ9ihbj76WsK0uJBh882ceyKaaKJ"; + }; + } // (mapAttrs' + (name: + { onionId, publicKey, ... }: { + name = "${name}-init-ssh"; + value = { + hostNames = [ "[${onionId}]:2222" ]; + inherit publicKey; + }; + }) + computers); - sshTor = mapAttrsToList - (name: - { onionId, ... }: - pkgs.writers.writeDashBin "ssh-boot-to-${name}-via-tor" '' - ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222 - '') - computers; + environment.systemPackages = + let - passwordTor = mapAttrsToList - (name: - { onionId, ... }: - pkgs.writers.writeDashBin "unlock-boot-${name}-via-tor" '' - ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222 ' - echo -n "enter password : " - read password - echo "$password" > /crypt-ramfs/passphrase - ' - '') - computers; + sshTor = mapAttrsToList + (name: + { onionId, ... }: + pkgs.writers.writeDashBin "ssh-boot-to-${name}-via-tor" '' + ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222 + '') + computers; - in - sshTor ++ passwordTor; + passwordTor = mapAttrsToList + (name: + { onionId, ... 
}: + pkgs.writers.writeDashBin "unlock-boot-${name}-via-tor" '' + ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222 ' + echo -n "enter password : " + read password + echo "$password" > /crypt-ramfs/passphrase + ' + '') + computers; + in + sshTor ++ passwordTor; + + }; } diff --git a/nixos/components/network/sshd/known-hosts-private.nix b/nixos/components/network/sshd/known-hosts-private.nix index 1f23b61..988e2fe 100644 --- a/nixos/components/network/sshd/known-hosts-private.nix +++ b/nixos/components/network/sshd/known-hosts-private.nix @@ -1,25 +1,29 @@ -{ config, lib, ... }: { +{ config, lib, ... }: +with lib; +{ + config = mkIf (config.components.network.sshd.enable) { - services.openssh.knownHosts = { - #"robi_init" = { - # hostNames = [ - # "robi:2222" - # "144.76.13.147:2222" - # ]; - # fingerprints - # 256 SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g root@rescue (ED25519) - # 3072 SHA256:KBVMQLNWaDpzlCZERN9OeEDFAhUoADOZRfenXWHxswU root@rescue (RSA) - # publicKey = ""; - #}; - "robi" = { - hostNames = [ - "robi.private" - "robi" - "144.76.13.147" - "git.ingolf-wagner.de" - "taskd.ingolf-wagner.de" - ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV"; + services.openssh.knownHosts = { + #"robi_init" = { + # hostNames = [ + # "robi:2222" + # "144.76.13.147:2222" + # ]; + # fingerprints + # 256 SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g root@rescue (ED25519) + # 3072 SHA256:KBVMQLNWaDpzlCZERN9OeEDFAhUoADOZRfenXWHxswU root@rescue (RSA) + # publicKey = ""; + #}; + "robi" = { + hostNames = [ + "robi.private" + "robi" + "144.76.13.147" + "git.ingolf-wagner.de" + "taskd.ingolf-wagner.de" + ]; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2PGX6cZuBUGX4VweMzi0aRh4uQ61yngCzZGcK3w5XV"; + }; }; }; } diff --git a/nixos/components/network/sshd/known-hosts-public.nix b/nixos/components/network/sshd/known-hosts-public.nix index 61c048f..3bbdb22 100644 
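Review bot: The `unlock-boot-*-via-tor` wrapper reads the disk passphrase with a plain `read password` after the `echo -n` prompt, so the secret is echoed to the terminal and can end up in scrollback or a session log; wrap it as `stty -echo; read password; stty echo; echo`, which unlike `read -s` does not depend on the initramfs shell being bash. Since the `[${onionId}]:2222` host keys are pinned in the same module, both wrappers should also pass `-o StrictHostKeyChecking=yes` so a missing or mismatched pin over Tor fails instead of prompting for trust-on-first-use. Both the pins and the wrappers are now gated on `components.network.sshd.enable`, which appears to be the server option, so a client-only machine loses them together. The `let` that binds `computers` begins before the hunk.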
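Review bot: `services.openssh.knownHosts` populates the ssh client's `/etc/ssh/ssh_known_hosts`, so wrapping the `robi` pin in `mkIf config.components.network.sshd.enable` ties host-key pinning to whether a local sshd runs; a host that disables the server silently falls back to trust-on-first-use for `robi`, `git.ingolf-wagner.de` and `taskd.ingolf-wagner.de`, which is the opposite of what a pin is for, unless `enable` is meant to cover client and server, in which case the option description should say so. The commented-out `robi_init` block with `publicKey = ""` can be deleted: the same ED25519 fingerprint `SHA256:rhvbJ84…` is already pinned as `robi-init-ssh` in known-hosts-bootup.nix, and an empty-key stanza is exactly the kind of thing that gets uncommented by mistake.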
--- a/nixos/components/network/sshd/known-hosts-public.nix +++ b/nixos/components/network/sshd/known-hosts-public.nix 
@@ -1,94 +1,94 @@ -{ config, pkgs, lib, ... }: - +{ pkgs, config, lib, ... }: with lib; - { + config = mkIf (config.components.network.sshd.enable) { - services.openssh.knownHosts = { - github = { - hostNames = [ - "*.github.com" - # List generated with - # curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob - "192.30.252.*" - "192.30.253.*" - "192.30.254.*" - "192.30.255.*" - "185.199.108.*" - "185.199.109.*" - "185.199.110.*" - "185.199.111.*" - "13.229.188.59" - "13.250.177.223" - "18.194.104.89" - "18.195.85.27" - "35.159.8.160" - "52.74.223.119" - ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"; - }; - gitlab = { - hostNames = [ "gitlab.com" ]; - publicKey = - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY="; - }; - gitlab-bk = { - hostNames = [ "gitlab.bk-bund-berlin.de" "116.203.133.59" ]; - publicKey = - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCG/sjnOlbrmpUliFtM5fmZTcm2wpUoP5OQEzFrrkkwhstCO9fMty9mp5qnKlezYA9+l78RTd218qFjSKYxTQNw="; - }; - # space-left - gitlabSpaceLeft = { - hostNames = [ "git.space-left.org" ]; - publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAapztj8I3xy6Ea8A1q7Mo5C6zdgsK1bguAXcKUDCRBO"; - }; - # c-base - "bnd-cbase" = { - hostNames = [ "bnd.cbrp3.c-base.org" ]; - publicKey = - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKDknNl4M2WZChp1N/eRIpem2AEOceGIqvjo0ptBuwxUn0w0B8MGTVqoI+pnUVypORJRoNrLPOAkmEVr32BDN3E="; - }; - "shell.cbase" = { - hostNames = [ "shell.c-base.org" ]; - publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOBKBn0mZtG3KWxpFqqcog8zvdIVrZmwj+ARujuNIAfo"; - }; - "kgb.cbase" = { - hostNames = [ "kgb.cbrp3.c-base.org" ]; - publicKey = - "ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAdyl7fnnCqomghJ1TDbh5FWFQWFwoO1Y1U/FpmWd8a9RcQvN0Izhg/7A+7ptDxbmpVii8hqfghlqUwtvVy7jo8="; - }; - "cns.cbase" = { - hostNames = [ "cns.c-base.org" ]; - publicKey = - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOtlyLA2nMK9Uqpv4EbWS+rZ9Mx4bAjURmH+zrXkuRGBcU1cKm+TZfWe9/rPX57KaMPBDyIygOJIsM2T5SqX90A="; - }; - "lassulus" = { - hostNames = [ "[lassul.us]:45621" ]; - publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD"; - }; - renoise = { - hostNames = [ "*.renoise.com" "renoise.com" "94.130.128.97" ]; - publicKey = - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLXxhBlYQJxgcLqKywpl1tI1N/+B5bkptAnR2a3tsRybq0IHZnIkSRGUYcu5zPwJT+bitVw8BvIaGzxI+Zm2ivE="; - }; - git-renoise = { - hostNames = [ "[git.renoise.com]:2229" "[94.130.128.97]:2229" ]; - publicKey = - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmIOTjQsD1TaD9MiECcRqwfAXfRdbI+2pkuF+zhBUkrX41NA4LzifPY4Iw3PlklE0YGIOzYyNitzkdgxIWkeqa0Y9iL3gGZBuLFORj5YXWlDKB2RrPAsZRL8y69y4H6RWPpL6DHHsf9eT+HgRzWzzn5nUFLfkCsuM96BqjIKN1pinIBcE6gst1UUSwSTjK8XZA5d4BiSrLF4HiNXnDm+qniYGbGkzZcjn1ua+l0GdGbfg9TotFnSK/QXgN3MeHHDZKnIjOIkOXCY+L5URe0RHo6pBFdj+BLr211AJhB52MrDNudQcY6eSQiJ08LeE6SkcrsQO/VZ/JnOkHxHd2mOyH"; - }; - "siteground" = { - hostNames = [ "[es5.siteground.eu]:18765" "[37.60.224.6]:18765" ]; - publicKey = - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHZuvHooyHa69rU+SfOghM6yfc7bce5cMi9sh5JkoLPi+m8QEkX3oiG9rRpAhp0GYnB74M4l1+0XlxmG7/HVmq0="; - }; - "cracksucht.de" = { - hostNames = [ "cracksucht.de" ]; - publicKey = - "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDVqpWzX+C7veO/1MDSdh5ukFhpI4cfXevbl6DVb9gVt1wdYB0JsiMiWfl13MZJy9iEP/KfwRLYmu8i36tDR9uJfHQyLK8G7q2DhrleIPgM3dFCdDU1QtulE8hEq/ZsqzMn/QIHYIipIqzNfmC/xnpX2gIo09T7EY+n863ALlj+GqxMb4nr2XDLY+Lllo2yMzylJIz9q8U5hOmzrlCnBpf2MPMwanHXnZXj2CmO80VyBHnAMJ/h72AN1qzDaHFlhxh0Li/POc1bpDjiVjiUPgimHZWpi3VObxWLLn2zf+RH2lx0yXMccSEnkWvHp+Ll5apIUUS+vTlDo3niWpEfGZLl root@debian"; + services.openssh.knownHosts = { + github = { + hostNames = [ + "*.github.com" + # List generated with + # curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob + "192.30.252.*" + "192.30.253.*" + "192.30.254.*" + "192.30.255.*" + "185.199.108.*" + "185.199.109.*" + "185.199.110.*" + "185.199.111.*" + "13.229.188.59" + "13.250.177.223" + "18.194.104.89" + "18.195.85.27" + "35.159.8.160" + "52.74.223.119" + ]; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"; + }; + gitlab = { + hostNames = [ "gitlab.com" ]; + publicKey = + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY="; + }; + gitlab-bk = { + hostNames = [ "gitlab.bk-bund-berlin.de" "116.203.133.59" ]; + publicKey = + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCG/sjnOlbrmpUliFtM5fmZTcm2wpUoP5OQEzFrrkkwhstCO9fMty9mp5qnKlezYA9+l78RTd218qFjSKYxTQNw="; + }; + # space-left + gitlabSpaceLeft = { + hostNames = [ "git.space-left.org" ]; + publicKey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAapztj8I3xy6Ea8A1q7Mo5C6zdgsK1bguAXcKUDCRBO"; + }; + # c-base + "bnd-cbase" = { + hostNames = [ "bnd.cbrp3.c-base.org" ]; + publicKey = + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKDknNl4M2WZChp1N/eRIpem2AEOceGIqvjo0ptBuwxUn0w0B8MGTVqoI+pnUVypORJRoNrLPOAkmEVr32BDN3E="; + }; + "shell.cbase" = { + hostNames = [ "shell.c-base.org" ]; + publicKey = + "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIOBKBn0mZtG3KWxpFqqcog8zvdIVrZmwj+ARujuNIAfo"; + }; + "kgb.cbase" = { + hostNames = [ "kgb.cbrp3.c-base.org" ]; + publicKey = + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAdyl7fnnCqomghJ1TDbh5FWFQWFwoO1Y1U/FpmWd8a9RcQvN0Izhg/7A+7ptDxbmpVii8hqfghlqUwtvVy7jo8="; + }; + "cns.cbase" = { + hostNames = [ "cns.c-base.org" ]; + publicKey = + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOtlyLA2nMK9Uqpv4EbWS+rZ9Mx4bAjURmH+zrXkuRGBcU1cKm+TZfWe9/rPX57KaMPBDyIygOJIsM2T5SqX90A="; + }; + "lassulus" = { + hostNames = [ "[lassul.us]:45621" ]; + publicKey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD"; + }; + renoise = { + hostNames = [ "*.renoise.com" "renoise.com" "94.130.128.97" ]; + publicKey = + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLXxhBlYQJxgcLqKywpl1tI1N/+B5bkptAnR2a3tsRybq0IHZnIkSRGUYcu5zPwJT+bitVw8BvIaGzxI+Zm2ivE="; + }; + git-renoise = { + hostNames = [ "[git.renoise.com]:2229" "[94.130.128.97]:2229" ]; + publicKey = + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmIOTjQsD1TaD9MiECcRqwfAXfRdbI+2pkuF+zhBUkrX41NA4LzifPY4Iw3PlklE0YGIOzYyNitzkdgxIWkeqa0Y9iL3gGZBuLFORj5YXWlDKB2RrPAsZRL8y69y4H6RWPpL6DHHsf9eT+HgRzWzzn5nUFLfkCsuM96BqjIKN1pinIBcE6gst1UUSwSTjK8XZA5d4BiSrLF4HiNXnDm+qniYGbGkzZcjn1ua+l0GdGbfg9TotFnSK/QXgN3MeHHDZKnIjOIkOXCY+L5URe0RHo6pBFdj+BLr211AJhB52MrDNudQcY6eSQiJ08LeE6SkcrsQO/VZ/JnOkHxHd2mOyH"; + }; + "siteground" = { + hostNames = [ "[es5.siteground.eu]:18765" "[37.60.224.6]:18765" ]; + publicKey = + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHZuvHooyHa69rU+SfOghM6yfc7bce5cMi9sh5JkoLPi+m8QEkX3oiG9rRpAhp0GYnB74M4l1+0XlxmG7/HVmq0="; + }; + "cracksucht.de" = { + hostNames = [ "cracksucht.de" ]; + publicKey = + "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDVqpWzX+C7veO/1MDSdh5ukFhpI4cfXevbl6DVb9gVt1wdYB0JsiMiWfl13MZJy9iEP/KfwRLYmu8i36tDR9uJfHQyLK8G7q2DhrleIPgM3dFCdDU1QtulE8hEq/ZsqzMn/QIHYIipIqzNfmC/xnpX2gIo09T7EY+n863ALlj+GqxMb4nr2XDLY+Lllo2yMzylJIz9q8U5hOmzrlCnBpf2MPMwanHXnZXj2CmO80VyBHnAMJ/h72AN1qzDaHFlhxh0Li/POc1bpDjiVjiUPgimHZWpi3VObxWLLn2zf+RH2lx0yXMccSEnkWvHp+Ll5apIUUS+vTlDo3niWpEfGZLl root@debian"; + }; }; + }; - }
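Review bot: The GitHub entry pins the ED25519 key to a hard-coded list of IP globs whose only provenance is the generator command, with no date; as GitHub's address ranges change, connections by bare IP silently lose their pin and new ranges are never covered, while `*.github.com` already covers every hostname-based connection. Either record the generation date, e.g. `# List generated on <date> with`, or drop the IP globs and rely on the hostname pattern. The same gating on `components.network.sshd.enable` applies here as in the other known-hosts files: these are client pins for gitlab.com, the c-base hosts and the rest, and they disappear on any machine that does not run sshd.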