]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/ssh.nix
nix: update to nixos-24.11
[sourcephile-nix.git] / hosts / mermet / ssh.nix
1 { config, hostName, ... }:
2 {
3 networking.nftables.ruleset = ''
4 table inet filter {
5 chain input-net {
6 tcp dport 10022 counter accept comment "SSH (reverse to losurdo)"
7 }
8 }
9 '';
10
11 services.openssh = {
12 openFirewall = true;
13 settings.GatewayPorts = "clientspecified";
14 };
15 systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
16 "host.key:${ssh/host.key.cred}"
17 ];
18
19 security.initrd.secrets."${hostName}/ssh/initrd.key" =
20 "hosts/${hostName}/ssh/initrd.key.gpg";
21 boot.initrd.network.ssh = {
22 enable = true;
23 port = 2222;
24 authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
25 hostKeys = [ "${config.security.initrd.stage1Dir}/${hostName}/ssh/initrd.key" ];
26 };
27 boot.initrd.network = {
28 enable = true;
29 # This will automatically load the zfs password prompt on login
30 # and kill the other prompt so boot can continue
31 # The pkill zfs kills the zfs load-key from the console
32 # allowing the boot to continue.
33 postCommands = ''
34 echo >>/root/.profile "zfs load-key rpool && pkill zfs"
35 '';
36 };
37 }