satellite/hosts/nixos/common/global/services/openssh.nix

# This setups a SSH server. 
# TODO: persistence
{ outputs, config, lib, ... }:
let
  # Record containing all the hosts
  hosts = outputs.nixosConfigurations;

  # Name of the current hostname
  hostname = config.networking.hostName;

  # Function from hostname to relative path to public ssh key
  pubKey = host: ../../${host}/keys/ssh_host_ed25519_key.pub;
in
{
  services.openssh = {
    enable = true;

    settings = {
      # Forbid root login through SSH.
      PermitRootLogin = "no";

      # Use keys only. Remove if you want to SSH using password (not recommended)
      PasswordAuthentication = false;
    };

    # Automatically remove stale sockets
    extraConfig = ''
      StreamLocalBindUnlink yes
    '';

    # Generate ssh key
    hostKeys =
      let mkKey = type: path: extra: { inherit type path; } // extra;
      in
      [
        (mkKey "ed25519" "/persist/state/etc/ssh/ssh_host_ed25519_key" { })
        (mkKey "rsa" "/persist/state/etc/ssh/ssh_host_rsa_key" { bits = 4096; })
      ];
  };

  # Passwordless sudo when SSH'ing with keys
  # TODO: is this safe? Can we ssh back and gain root access this way?
  # security.pam.enableSSHAgentAuth = true;

  # SSH on slow connections
  programs.mosh.enable = true;

  # Add each host in this repo to the knownHosts list
  programs.ssh = {
    knownHosts = lib.pipe hosts [
      # attrsetof host -> attrsetof { ... }
      (builtins.mapAttrs
        # string -> host -> { ... }
        (name: _: {
          publicKeyFile = pubKey name;
          extraHostNames = lib.optional (name == hostname) "localhost";
        }))

      # attrsetof { ... } -> attrsetof { ... }
      (lib.attrsets.filterAttrs
        # string -> { ... } -> bool
        (_: { publicKeyFile, ... }: builtins.pathExists publicKeyFile))
    ];
  };


  # By default, this will ban failed ssh attempts
  services.fail2ban.enable = true;

  # Makes it easy to copy host keys at install time without messing up permissions
  systemd.tmpfiles.rules = [ "d /persist/state/etc/ssh" ];
}
Added so much stuff 2023-01-10 02:38:06 +01:00			`# This setups a SSH server.`
Moved mosh to root 2023-07-18 23:36:58 +02:00			`# TODO: persistence`
Added so much stuff 2023-01-10 02:38:06 +01:00			`{ outputs, config, lib, ... }:`
			`let`
			`# Record containing all the hosts`
			`hosts = outputs.nixosConfigurations;`

			`# Name of the current hostname`
			`hostname = config.networking.hostName;`

			`# Function from hostname to relative path to public ssh key`
Integrated nixos-hardware, more ricing, and much more 2023-08-17 09:31:46 +02:00			`pubKey = host: ../../${host}/keys/ssh_host_ed25519_key.pub;`
Added so much stuff 2023-01-10 02:38:06 +01:00			`in`
			`{`
			`services.openssh = {`
			`enable = true;`

Backup 2023-06-15 20:08:20 +02:00			`settings = {`
			`# Forbid root login through SSH.`
			`PermitRootLogin = "no";`

			`# Use keys only. Remove if you want to SSH using password (not recommended)`
			`PasswordAuthentication = false;`
			`};`
Added so much stuff 2023-01-10 02:38:06 +01:00
			`# Automatically remove stale sockets`
			`extraConfig = ''`
			`StreamLocalBindUnlink yes`
			`'';`

			`# Generate ssh key`
Set up the basics of imperanence 2023-04-27 01:08:20 +02:00			`hostKeys =`
			`let mkKey = type: path: extra: { inherit type path; } // extra;`
			`in`
			`[`
Hyprpaper module 2023-06-09 13:17:34 +02:00			`(mkKey "ed25519" "/persist/state/etc/ssh/ssh_host_ed25519_key" { })`
			`(mkKey "rsa" "/persist/state/etc/ssh/ssh_host_rsa_key" { bits = 4096; })`
Set up the basics of imperanence 2023-04-27 01:08:20 +02:00			`];`
Added so much stuff 2023-01-10 02:38:06 +01:00			`};`

			`# Passwordless sudo when SSH'ing with keys`
Doc changes and more 2023-07-21 18:30:48 +02:00			`# TODO: is this safe? Can we ssh back and gain root access this way?`
Start the process of switching to nixpkgs-unstable 2023-09-28 02:13:35 +02:00			`# security.pam.enableSSHAgentAuth = true;`
Added so much stuff 2023-01-10 02:38:06 +01:00
Moved mosh to root 2023-07-18 23:36:58 +02:00			`# SSH on slow connections`
			`programs.mosh.enable = true;`

Added so much stuff 2023-01-10 02:38:06 +01:00			`# Add each host in this repo to the knownHosts list`
			`programs.ssh = {`
Started working on guest@euporie 2023-05-28 02:00:10 +02:00			`knownHosts = lib.pipe hosts [`
			`# attrsetof host -> attrsetof { ... }`
			`(builtins.mapAttrs`
			`# string -> host -> { ... }`
			`(name: _: {`
			`publicKeyFile = pubKey name;`
			`extraHostNames = lib.optional (name == hostname) "localhost";`
			`}))`

			`# attrsetof { ... } -> attrsetof { ... }`
Tried setting up a vm machine 2023-05-28 05:24:36 +02:00			`(lib.attrsets.filterAttrs`
Started working on guest@euporie 2023-05-28 02:00:10 +02:00			`# string -> { ... } -> bool`
			`(_: { publicKeyFile, ... }: builtins.pathExists publicKeyFile))`
			`];`
Added so much stuff 2023-01-10 02:38:06 +01:00			`};`
Set up initial whoogle config 2024-01-18 07:44:16 +01:00
Fail2ban, more wallpapers, better lua theming & more 2024-04-13 22:42:29 +02:00
			`# By default, this will ban failed ssh attempts`
			`services.fail2ban.enable = true;`

Set up initial whoogle config 2024-01-18 07:44:16 +01:00			`# Makes it easy to copy host keys at install time without messing up permissions`
			`systemd.tmpfiles.rules = [ "d /persist/state/etc/ssh" ];`
Added so much stuff 2023-01-10 02:38:06 +01:00			`}`