2023-01-10 02:38:06 +01:00
|
|
|
# This setups a SSH server.
|
2023-07-18 23:36:58 +02:00
|
|
|
# TODO: persistence
|
2023-01-10 02:38:06 +01:00
|
|
|
{ outputs, config, lib, ... }:
|
|
|
|
let
|
|
|
|
# Record containing all the hosts
|
|
|
|
hosts = outputs.nixosConfigurations;
|
|
|
|
|
|
|
|
# Name of the current hostname
|
|
|
|
hostname = config.networking.hostName;
|
|
|
|
|
|
|
|
# Function from hostname to relative path to public ssh key
|
2023-08-17 09:31:46 +02:00
|
|
|
pubKey = host: ../../${host}/keys/ssh_host_ed25519_key.pub;
|
2023-01-10 02:38:06 +01:00
|
|
|
in
|
|
|
|
{
|
|
|
|
services.openssh = {
|
|
|
|
enable = true;
|
|
|
|
|
2023-06-15 20:08:20 +02:00
|
|
|
settings = {
|
2024-06-13 15:50:52 +02:00
|
|
|
PermitRootLogin = "no"; # Forbid root login through SSH.
|
|
|
|
PasswordAuthentication = false; # Use keys only.
|
2023-06-15 20:08:20 +02:00
|
|
|
};
|
2023-01-10 02:38:06 +01:00
|
|
|
|
|
|
|
# Automatically remove stale sockets
|
|
|
|
extraConfig = ''
|
|
|
|
StreamLocalBindUnlink yes
|
|
|
|
'';
|
|
|
|
|
|
|
|
# Generate ssh key
|
2023-04-27 01:08:20 +02:00
|
|
|
hostKeys =
|
|
|
|
let mkKey = type: path: extra: { inherit type path; } // extra;
|
|
|
|
in
|
|
|
|
[
|
2023-06-09 13:17:34 +02:00
|
|
|
(mkKey "ed25519" "/persist/state/etc/ssh/ssh_host_ed25519_key" { })
|
|
|
|
(mkKey "rsa" "/persist/state/etc/ssh/ssh_host_rsa_key" { bits = 4096; })
|
2023-04-27 01:08:20 +02:00
|
|
|
];
|
2023-01-10 02:38:06 +01:00
|
|
|
};
|
|
|
|
|
2023-07-21 18:30:48 +02:00
|
|
|
# TODO: is this safe? Can we ssh back and gain root access this way?
|
2024-06-13 15:50:52 +02:00
|
|
|
# Passwordless sudo when SSH'ing with keys
|
2023-09-28 02:13:35 +02:00
|
|
|
# security.pam.enableSSHAgentAuth = true;
|
2023-01-10 02:38:06 +01:00
|
|
|
|
2023-07-18 23:36:58 +02:00
|
|
|
# SSH on slow connections
|
|
|
|
programs.mosh.enable = true;
|
|
|
|
|
2023-01-10 02:38:06 +01:00
|
|
|
# Add each host in this repo to the knownHosts list
|
|
|
|
programs.ssh = {
|
2023-05-28 02:00:10 +02:00
|
|
|
knownHosts = lib.pipe hosts [
|
|
|
|
# attrsetof host -> attrsetof { ... }
|
|
|
|
(builtins.mapAttrs
|
|
|
|
# string -> host -> { ... }
|
|
|
|
(name: _: {
|
|
|
|
publicKeyFile = pubKey name;
|
|
|
|
extraHostNames = lib.optional (name == hostname) "localhost";
|
|
|
|
}))
|
|
|
|
|
|
|
|
# attrsetof { ... } -> attrsetof { ... }
|
2023-05-28 05:24:36 +02:00
|
|
|
(lib.attrsets.filterAttrs
|
2023-05-28 02:00:10 +02:00
|
|
|
# string -> { ... } -> bool
|
|
|
|
(_: { publicKeyFile, ... }: builtins.pathExists publicKeyFile))
|
|
|
|
];
|
2023-01-10 02:38:06 +01:00
|
|
|
};
|
2024-01-18 07:44:16 +01:00
|
|
|
|
2024-04-13 22:42:29 +02:00
|
|
|
|
|
|
|
# By default, this will ban failed ssh attempts
|
|
|
|
services.fail2ban.enable = true;
|
|
|
|
|
2024-01-18 07:44:16 +01:00
|
|
|
# Makes it easy to copy host keys at install time without messing up permissions
|
|
|
|
systemd.tmpfiles.rules = [ "d /persist/state/etc/ssh" ];
|
2023-01-10 02:38:06 +01:00
|
|
|
}
|