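{ pkgs, lib, config, hosts, ... }:
# SSH setup for this host: a persistent reverse tunnel towards mermet,
# an sshd inside the initrd (reachable before the main system is up),
# server and client defaults, and UPnP redirections on the router.
let
  # gnupg is bound here but not referenced below.
  inherit (config.security) gnupg;
  inherit (config.users) users;
in
{
  # Keep a reverse tunnel open so this host's sshd (port 22) stays reachable
  # through mermet on port 10022 (e.g. from behind NAT).
  systemd.services.ssh-mermet-reverse = {
    # `after` only orders the unit; without `wants`, network-online.target
    # is not pulled in and the ordering gives no guarantee, so the first ssh
    # attempt could run before the network is up. Restart would eventually
    # recover, but this avoids the spurious startup failures.
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "simple";
      # Require services.openssh.gatewayPorts = "clientspecified";
      # on the target.
      #
      # -v logs every connection detail to the journal; -N/-T run no remote
      # command and allocate no tty; -R with a `*` bind address exposes
      # port 10022 on all of mermet's interfaces, so mermet's firewall is
      # what decides who can reach this host through the tunnel; -g only
      # affects -L forwards and is a no-op here. ExitOnForwardFailure makes
      # a failed port binding fatal so that Restart rebuilds the tunnel
      # instead of leaving a live-but-useless ssh session.
      # No User= is set, so ssh runs as root; host-key verification
      # presumably relies on root's known_hosts — TODO confirm mermet's
      # key is pinned there rather than accepted on first use.
      ExecStart = ''${pkgs.openssh}/bin/ssh -v -g -N -T \
        -o ServerAliveInterval=10 \
        -o ExitOnForwardFailure=yes \
        -R *:10022:localhost:22 \
        ${hosts.mermet.extraArgs.ipv4}
      '';
      Restart = "always";
      RestartSec = "5s";
    };
  };

  # sshd inside the initrd, on its own port so it does not collide with the
  # main sshd once the system has booted.
  boot.initrd.network.ssh = {
    enable = true;
    port = 2222;
    # Same public keys as root's regular authorized_keys.
    authorizedKeys = users.root.openssh.authorizedKeys.keys;
    # NOTE(review): the initrd is presumably stored unencrypted on the boot
    # partition, so this host key should be considered readable from disk;
    # keeping it distinct from the main sshd's host key (as done here)
    # limits what a leak of it can impersonate.
    hostKeys = [ "/root/initrd/ssh.key" ];
  };

  services.openssh = {
    # Server-side X11 forwarding. It only takes effect for clients that opt
    # in (ForwardX11), but a trusted X11 forward lets programs on this host
    # access the connecting client's display; clients should prefer
    # untrusted forwarding unless they need the trusted kind.
    forwardX11 = true;
  };

  # Client-side defaults for every ssh invocation on this host.
  programs.ssh = {
    extraConfig = ''
      Compression = yes
    '';
  };

  # Ask the router (UPnP IGD) to forward these ports from the Internet to
  # this host. Opening 22 and 2222 publishes sshd and the initrd sshd to
  # the outside; the key-only access above is what protects them.
  # `duration` is presumably a lease in seconds, 0 meaning no expiry —
  # confirm against the upnpc module.
  services.upnpc.redirections =
    [
      {
        description = "SSH";
        externalPort = 22; protocol = "TCP"; duration = 30 * 60;
        service.wantedBy = [ "sshd.service" ];
        service.partOf = [ "sshd.service" ];
      }
    ]
    # Mosh uses one UDP port per session; one redirection per port.
    ++ map (port: {
      description = "Mosh";
      externalPort = port; protocol = "UDP"; duration = 30 * 60;
      service.wantedBy = [ "sshd.service" ];
    }) (lib.range 60000 60003)
    ++ [
      {
        description = "SSH (boot)";
        externalPort = 2222; protocol = "TCP"; duration = 0;
        service.wantedBy = [ "sshd.service" ];
      }
    ];
}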