hosts/mermet/ssh.nix

   1 { config, ... }:
   2 {
   3   networking.nftables.ruleset = ''
   4     table inet filter {
   5       chain input-net {
   6         tcp dport 10022 counter accept comment "SSH (reverse to losurdo)"
   7       }
   8     }
   9   '';
  10
  11   services.openssh = {
  12     openFirewall = true;
  13     settings.GatewayPorts = "clientspecified";
  14   };
  15   systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
  16     "host.key:${ssh/host.key.cred}"
  17   ];
  18
  19   boot.initrd.network.ssh = {
  20     enable = true;
  21     # To prevent ssh from freaking out because a different host key is used,
  22     # a different port for dropbear is useful
  23     # (assuming the same host has also a normal sshd running)
  24     port = 2222;
  25     authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
  26     hostKeys = [ "/root/initrd/ssh.key" ];
  27   };
  28   boot.initrd.network = {
  29     enable = true;
  30     # This will automatically load the zfs password prompt on login
  31     # and kill the other prompt so boot can continue
  32     # The pkill zfs kills the zfs load-key from the console
  33     # allowing the boot to continue.
  34     postCommands = ''
  35       echo >>/root/.profile "zfs load-key rpool && pkill zfs"
  36     '';
  37   };
  38 }