]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/ssh.nix
knot: sourcephile.fr: setup lebureau as a secondary NS
[sourcephile-nix.git] / hosts / losurdo / ssh.nix
1 { pkgs, lib, config, hosts, hostName, ... }:
2 {
3 services.openssh = {
4 openFirewall = true;
5 settings.X11Forwarding = true;
6 };
7 systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
8 "host.key:${ssh/host.key.cred}"
9 ];
10 programs.ssh = {
11 extraConfig = ''
12 '';
13 };
14
15 security.initrd.secrets."${hostName}/ssh/initrd.key" =
16 "hosts/${hostName}/ssh/initrd.key.gpg";
17 boot.initrd.network.ssh = {
18 enable = true;
19 port = 2222;
20 authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
21 hostKeys = [ "${config.security.initrd.stage1Dir}/${hostName}/ssh/initrd.key" ];
22 extraConfig = ''
23 '';
24 };
25
26 systemd.services.ssh-mermet-reverse = {
27 after = [ "network-online.target" ];
28 wantedBy = [ "multi-user.target" ];
29 serviceConfig = {
30 Type = "simple";
31 # Require services.openssh.gatewayPorts = "clientspecified";
32 # on the target.
33 ExecStart = ''${pkgs.openssh}/bin/ssh -v -g -N -T \
34 -o ServerAliveInterval=10 \
35 -o ExitOnForwardFailure=yes \
36 -R *:10022:localhost:22 \
37 ${hosts.mermet._module.args.ipv4}
38 '';
39 Restart = "always";
40 RestartSec = "5s";
41 };
42 };
43 services.upnpc.enable = true;
44 services.upnpc.redirections =
45 [
46 {
47 description = "SSH";
48 externalPort = 22;
49 protocol = "TCP";
50 duration = 30 * 60;
51 service.wantedBy = [ "sshd.service" ];
52 service.partOf = [ "sshd.service" ];
53 }
54 { description = "Mosh"; externalPort = 60000; protocol = "UDP"; duration = 30 * 60; service.wantedBy = [ "sshd.service" ]; }
55 { description = "Mosh"; externalPort = 60001; protocol = "UDP"; duration = 30 * 60; service.wantedBy = [ "sshd.service" ]; }
56 { description = "Mosh"; externalPort = 60002; protocol = "UDP"; duration = 30 * 60; service.wantedBy = [ "sshd.service" ]; }
57 { description = "Mosh"; externalPort = 60003; protocol = "UDP"; duration = 30 * 60; service.wantedBy = [ "sshd.service" ]; }
58 ] ++ [
59 {
60 description = "SSH (boot)";
61 externalPort = 2222;
62 protocol = "TCP";
63 duration = 0;
64 service.wantedBy = [ "sshd.service" ];
65 }
66 ];
67 }