1 {
2 pkgs,
3 lib,
4 config,
5 hosts,
6 hostName,
7 ...
8 }:
9 {
10 services.openssh = {
11 openFirewall = true;
12 settings.X11Forwarding = true;
13 };
14 systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
15 "host.key:${ssh/host.key.cred}"
16 ];
17 programs.ssh = {
18 extraConfig = '''';
19 };
20
21 security.initrd.secrets."${hostName}/ssh/initrd.key" = "hosts/${hostName}/ssh/initrd.key.gpg";
22 boot.initrd.network.ssh = {
23 enable = true;
24 port = 2222;
25 authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
26 hostKeys = [ "${config.security.initrd.stage1Dir}/${hostName}/ssh/initrd.key" ];
27 extraConfig = '''';
28 };
29
30 systemd.services.ssh-mermet-reverse = {
31 #after = [ "network-online.target" ];
32 wantedBy = [ "multi-user.target" ];
33 serviceConfig = {
34 Type = "simple";
35 # Require services.openssh.gatewayPorts = "clientspecified";
36 # on the target.
37 ExecStart = ''
38 ${pkgs.openssh}/bin/ssh -v -g -N -T \
39 -o ServerAliveInterval=10 \
40 -o ExitOnForwardFailure=yes \
41 -R *:10022:localhost:22 \
42 ${hosts.mermet._module.args.ipv4}
43 '';
44 Restart = "always";
45 RestartSec = "5s";
46 };
47 };
48 services.upnpc.enable = true;
49 services.upnpc.redirections =
50 [
51 {
52 description = "SSH";
53 externalPort = 22;
54 protocol = "TCP";
55 duration = 30 * 60;
56 service.wantedBy = [ "sshd.service" ];
57 service.partOf = [ "sshd.service" ];
58 }
59 {
60 description = "Mosh";
61 externalPort = 60000;
62 protocol = "UDP";
63 duration = 30 * 60;
64 service.wantedBy = [ "sshd.service" ];
65 }
66 {
67 description = "Mosh";
68 externalPort = 60001;
69 protocol = "UDP";
70 duration = 30 * 60;
71 service.wantedBy = [ "sshd.service" ];
72 }
73 {
74 description = "Mosh";
75 externalPort = 60002;
76 protocol = "UDP";
77 duration = 30 * 60;
78 service.wantedBy = [ "sshd.service" ];
79 }
80 {
81 description = "Mosh";
82 externalPort = 60003;
83 protocol = "UDP";
84 duration = 30 * 60;
85 service.wantedBy = [ "sshd.service" ];
86 }
87 ]
88 ++ [
89 {
90 description = "SSH (boot)";
91 externalPort = 2222;
92 protocol = "TCP";
93 duration = 0;
94 service.wantedBy = [ "sshd.service" ];
95 }
96 ];
97 }