]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/ssh.nix
creds: avoid restarts by not using inputs.self
[sourcephile-nix.git] / hosts / mermet / ssh.nix
1 { config, ... }:
2 {
3 networking.nftables.ruleset = ''
4 table inet filter {
5 chain input-net {
6 tcp dport 10022 counter accept comment "SSH (reverse to losurdo)"
7 }
8 }
9 '';
10
11 services.openssh = {
12 gatewayPorts = "clientspecified";
13 openFirewall = true;
14 };
15 systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
16 "host.key:${ssh/host.key.cred}"
17 ];
18
19 boot.initrd.network.ssh = {
20 enable = true;
21 # To prevent ssh from freaking out because a different host key is used,
22 # a different port for dropbear is useful
23 # (assuming the same host has also a normal sshd running)
24 port = 2222;
25 authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
26 hostKeys = [ "/root/initrd/ssh.key" ];
27 };
28 boot.initrd.network = {
29 enable = true;
30 # This will automatically load the zfs password prompt on login
31 # and kill the other prompt so boot can continue
32 # The pkill zfs kills the zfs load-key from the console
33 # allowing the boot to continue.
34 postCommands = ''
35 echo >>/root/.profile "zfs load-key rpool && pkill zfs"
36 '';
37 };
38 }