hosts/mermet/ssh.nix

   1 { config, hostName, ... }:
   2 {
   3   networking.nftables.ruleset = ''
   4     table inet filter {
   5       chain input-net {
   6         tcp dport 10022 counter accept comment "SSH (reverse to losurdo)"
   7       }
   8     }
   9   '';
  10
  11   services.openssh = {
  12     openFirewall = true;
  13     settings.GatewayPorts = "clientspecified";
  14   };
  15   systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
  16     "host.key:${ssh/host.key.cred}"
  17   ];
  18
  19   security.initrd.secrets."${hostName}/ssh/initrd.key" =
  20     "hosts/${hostName}/ssh/initrd.key.gpg";
  21   boot.initrd.network.ssh = {
  22     enable = true;
  23     port = 2222;
  24     authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
  25     hostKeys = [ "${config.security.initrd.stage1Dir}/${hostName}/ssh/initrd.key" ];
  26   };
  27   boot.initrd.network = {
  28     enable = true;
  29     # This will automatically load the zfs password prompt on login
  30     # and kill the other prompt so boot can continue
  31     # The pkill zfs kills the zfs load-key from the console
  32     # allowing the boot to continue.
  33     postCommands = ''
  34       echo >>/root/.profile "zfs load-key rpool && pkill zfs"
  35     '';
  36   };
  37 }