{ pkgs, lib, config, machines, ... }:
let
  # Path of the initrd (dropbear) host key, relative both to the gnupg
  # store (where it is kept as <path>.gpg) and to /root on the installed
  # machine.
  initrdHostKey = "initrd/ssh.key";
  gnupgStore = config.security.gnupg.store;
  rootAuthorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
  sshNixosTarget = config.installer.ssh-nixos.target;
  mermetIPv4 = machines.mermet.extraArgs.ipv4;
in
{
  # SSH server inside the initrd, so the machine is reachable before the
  # main system (and its regular sshd) is up.
  boot.initrd.network.ssh = {
    enable = true;
    # To prevent ssh from freaking out because a different host key is used,
    # a different port for dropbear is useful
    # (assuming the same host has also a normal sshd running)
    port = 2222;
    # The same keys that are allowed to log in as root on the running system.
    authorizedKeys = rootAuthorizedKeys;
    # NOTE(review): NixOS embeds this private key in the initrd image; confirm
    # that wherever the initrd is stored gives it the protection expected for
    # a host key.
    hostKeys = [ "/root/${initrdHostKey}" ];
  };

  # At install time, decrypt the initrd host key locally and stream it to the
  # target, where it is written root-only (mode 400). mkBefore makes this run
  # ahead of the rest of the installer script.
  installer.ssh-nixos.script = lib.mkBefore ''
    # Send the SSH key of the initrd
    gpg --decrypt '${gnupgStore}/${initrdHostKey}.gpg' |
    ssh '${sshNixosTarget}' \
    install -D -m 400 -o root -g root /dev/stdin /root/${initrdHostKey}
  '';

  # Persistent reverse tunnel: port 10022 on mermet is forwarded back to this
  # machine's sshd on port 22, re-established whenever the connection drops.
  systemd.services.ssh-mermet-reverse = {
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "simple";
      # No User= is set, so ssh runs as root and presumably uses root's
      # ~/.ssh for its identity and known_hosts — verify on the host.
      # -N -T: no remote command, no tty; -v: verbose output goes to the journal.
      # -g only affects local (-L/-D) forwards; whether the "*:10022" bind on
      # mermet is reachable from other hosts is decided by mermet's sshd
      # GatewayPorts setting, not by this flag.
      # ExitOnForwardFailure=yes plus Restart=always means a failed forward
      # is retried rather than silently left unbound.
      ExecStart = ''${pkgs.openssh}/bin/ssh -v -g -N -T \
        -o ServerAliveInterval=10 \
        -o ExitOnForwardFailure=yes \
        -R *:10022:localhost:22 \
        ${mermetIPv4}
      '';
      Restart = "always";
      RestartSec = "5s";
    };
  };
}