{ pkgs, lib, config, ... }:
{
  # Firewall: accept inbound connections on the port the reverse SSH tunnel
  # from losurdo is bound to.
  # NOTE(review): together with gatewayPorts below this exposes the tunnel on
  # a non-loopback address; keep the two settings in sync and confirm the
  # tunnel endpoint is meant to be network-reachable.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        tcp dport 10022 counter accept comment "SSH (reverse to losurdo)"
      }
    }
  '';

  # "clientspecified" lets the remote side of a reverse forward choose the bind
  # address of the forwarded port (any interface, not only loopback) - this is
  # presumably what makes the tunnel on 10022 reachable from outside.
  # openFirewall additionally opens sshd's own listening port in the NixOS
  # firewall.
  services.openssh.gatewayPorts = "clientspecified";
  services.openssh.openFirewall = true;

  # Early-boot (stage-1) networking so the zfs passphrase can be supplied
  # remotely over dropbear instead of at the console.
  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      # Dropbear uses its own host key; running it on the same port as the
      # regular sshd would make clients see a changed host key and refuse to
      # connect, so it gets a separate port.
      port = 2222;
      # Reuse root's normal sshd authorized keys.
      authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
      # Host key kept outside the Nix store (store paths are world-readable).
      # NOTE(review): presumably copied into the initrd at build time, and the
      # initrd usually sits unencrypted under /boot - confirm that exposure is
      # acceptable for this key.
      hostKeys = [ "/root/initrd/ssh.key" ];
    };
    # On login, prompt for the rpool key and then kill the console-side
    # `zfs load-key` prompt so the boot can proceed.
    postCommands = ''
      echo >>/root/.profile "zfs load-key rpool && pkill zfs"
    '';
  };
}