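# NixOS module: OpenSSH server profile (`components.network.sshd`).
#
# Enables sshd with password authentication and X11 forwarding turned off,
# installs sshfs and mosh, and offers an (currently non-functional) switch
# meant to restrict SSH to the tinc VPN interfaces.
{
  pkgs,
  config,
  lib,
  assets,
  ...
}:
with lib;
with types;
let
  cfg = config.components.network.sshd;

  # maybe ascii-image-converter is also nice here
  # Renders the host name as a boxed banner file. Only referenced by the
  # commented-out `services.openssh.banner` line below, so it is never built
  # at the moment.
  sshBanner = pkgs.runCommand "ssh-banner" { nativeBuildInputs = [ pkgs.boxes ]; } ''
    echo "${config.networking.hostName}" | boxes -d ansi -s 80x1 -a r > $out
  '';

in
{

  imports = [
    ./known-hosts-public.nix
    ./known-hosts-manual.nix
    ./known-hosts-zerotier.nix
  ];

  options.components.network.sshd = {
    enable = mkOption {
      type = bool;
      default = true;
      description = ''
        enable the OpenSSH server with the settings of this module
      '';
    };
    onlyTincAccess = mkOption {
      type = bool;
      default = false;
      description = ''
        make sure ssh is only available through the tinc
      '';
    };
  };

  config = mkMerge [

    (mkIf cfg.enable {

      environment.systemPackages = [
        pkgs.sshfs
        pkgs.mosh
      ];

      services.openssh = {
        enable = true;
        settings.X11Forwarding = false;
        # NOTE(review): this only turns off the `password` method. NixOS also
        # exposes settings.KbdInteractiveAuthentication; if key-only login is
        # the goal, confirm that keyboard-interactive is disabled as well.
        settings.PasswordAuthentication = false;

        # We might want to remove this once, openssh is fixed everywhere:
        # Workaround for CVE-2024-6387 and CVE-2024-6409
        # https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128
        # The workaround is commented out, so protection currently depends on
        # the deployed openssh package being patched. If it is re-enabled:
        # LoginGraceTime = 0 removes the pre-authentication timeout, so
        # unauthenticated connections can hold MaxStartups slots indefinitely
        # (availability trade-off).
        # settings.LoginGraceTime = 0;
      };

      # todo enable again when I can it's possible to set the `-q` ssh option in clan
      # (`builtins.readFile` on a derivation output forces a build during
      # evaluation.)
      #services.openssh.banner = builtins.readFile sshBanner;

    })

    (mkIf (cfg.onlyTincAccess && cfg.enable) {
      # fixme: this is not working
      #
      # Until the rule below is fixed, enabling this option does NOT restrict
      # SSH. Surface that at evaluation time so nobody relies on it.
      warnings = [
        "components.network.sshd.onlyTincAccess is enabled, but the firewall rule behind it is marked as not working; sshd may still be reachable on non-tinc interfaces."
      ];

      # NOTE(review), things visible here that limit this rule:
      #  - it calls `iptables` only, so IPv6 traffic is not touched by it;
      #  - port 22 is hard-coded instead of following services.openssh.ports;
      #  - services.openssh.openFirewall is left at its NixOS default (true),
      #    so the filter table still accepts the SSH port on every interface.
      # A filter-level restriction (openFirewall = false plus a per-interface
      # allow for the tinc interfaces) is probably the more robust route;
      # verify against the firewall backend in use before switching.
      networking.firewall.extraCommands = ''
        iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
      '';
    })
  ];

}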