1
Fork 0
satellite/hosts/nixos/common/global/services/openssh.nix

70 lines
1.9 KiB
Nix
Raw Normal View History

2023-01-10 02:38:06 +01:00
# This setups a SSH server.
2023-07-18 23:36:58 +02:00
# TODO: persistence
2023-01-10 02:38:06 +01:00
{ outputs, config, lib, ... }:
let
# Record containing all the hosts
hosts = outputs.nixosConfigurations;
# Name of the current hostname
hostname = config.networking.hostName;
# Function from hostname to relative path to public ssh key
pubKey = host: ../../${host}/keys/ssh_host_ed25519_key.pub;
2023-01-10 02:38:06 +01:00
in
{
services.openssh = {
enable = true;
2023-06-15 20:08:20 +02:00
settings = {
2024-06-13 15:50:52 +02:00
PermitRootLogin = "no"; # Forbid root login through SSH.
PasswordAuthentication = false; # Use keys only.
2023-06-15 20:08:20 +02:00
};
2023-01-10 02:38:06 +01:00
# Automatically remove stale sockets
extraConfig = ''
StreamLocalBindUnlink yes
'';
# Generate ssh key
2023-04-27 01:08:20 +02:00
hostKeys =
let mkKey = type: path: extra: { inherit type path; } // extra;
in
[
2023-06-09 13:17:34 +02:00
(mkKey "ed25519" "/persist/state/etc/ssh/ssh_host_ed25519_key" { })
(mkKey "rsa" "/persist/state/etc/ssh/ssh_host_rsa_key" { bits = 4096; })
2023-04-27 01:08:20 +02:00
];
2023-01-10 02:38:06 +01:00
};
2023-07-21 18:30:48 +02:00
# TODO: is this safe? Can we ssh back and gain root access this way?
2024-06-13 15:50:52 +02:00
# Passwordless sudo when SSH'ing with keys
# security.pam.enableSSHAgentAuth = true;
2023-01-10 02:38:06 +01:00
2023-07-18 23:36:58 +02:00
# SSH on slow connections
programs.mosh.enable = true;
2023-01-10 02:38:06 +01:00
# Add each host in this repo to the knownHosts list
programs.ssh = {
2023-05-28 02:00:10 +02:00
knownHosts = lib.pipe hosts [
# attrsetof host -> attrsetof { ... }
(builtins.mapAttrs
# string -> host -> { ... }
(name: _: {
publicKeyFile = pubKey name;
extraHostNames = lib.optional (name == hostname) "localhost";
}))
# attrsetof { ... } -> attrsetof { ... }
2023-05-28 05:24:36 +02:00
(lib.attrsets.filterAttrs
2023-05-28 02:00:10 +02:00
# string -> { ... } -> bool
(_: { publicKeyFile, ... }: builtins.pathExists publicKeyFile))
];
2023-01-10 02:38:06 +01:00
};
2024-01-18 07:44:16 +01:00
# By default, this will ban failed ssh attempts
services.fail2ban.enable = true;
2024-01-18 07:44:16 +01:00
# Makes it easy to copy host keys at install time without messing up permissions
systemd.tmpfiles.rules = [ "d /persist/state/etc/ssh" ];
2023-01-10 02:38:06 +01:00
}