{ pkgs, lib, config, hosts, hostName, ... }:
{
  # OpenSSH daemon options for this host.
  # openFirewall opens sshd's listening port(s) in the NixOS firewall.
  # NOTE(review): services.openssh.enable and the authentication settings
  # (PasswordAuthentication, PermitRootLogin, ...) are not set in this module;
  # presumably they are configured elsewhere. Confirm key-only login, since
  # this file also requests UPnP mappings that publish port 22 externally.
  services.openssh.openFirewall = true;
  # NOTE(review): server-side X11 forwarding widens the attack surface: a
  # compromised server can reach the X display of any client that requests
  # forwarding. Keep it enabled only if graphical forwarding is really needed.
  services.openssh.settings.X11Forwarding = true;
  # Hand sshd an encrypted systemd credential named "host.key".
  # systemd decrypts it at service start and exposes the plaintext only to the
  # unit, under $CREDENTIALS_DIRECTORY/host.key.
  # The path interpolation puts ssh/host.key.cred into the world-readable Nix
  # store, so its confidentiality rests entirely on the systemd-creds
  # encryption of that blob.
  # NOTE(review): the HostKey setting that points sshd at the credential is not
  # visible in this module; presumably it is set elsewhere. Confirm.
  systemd.services.sshd.serviceConfig = {
    LoadCredentialEncrypted = [ "host.key:${ssh/host.key.cred}" ];
  };
  # Placeholder: no extra client-side ssh_config lines are added for this host.
  programs.ssh.extraConfig = "";

  # Register the initrd SSH host key as an initrd secret: the attribute name is
  # the destination path of the key, the value names the GPG-encrypted source.
  # NOTE(review): security.initrd.secrets is not defined in this file;
  # presumably a project module decrypts the .gpg file and installs it under
  # security.initrd.stage1Dir. Confirm that the decrypted key never lands in
  # the world-readable Nix store.
  security.initrd.secrets = {
    "${hostName}/ssh/initrd.key" = "hosts/${hostName}/ssh/initrd.key.gpg";
  };
  # SSH server inside the initrd (stage 1), reachable before the root
  # filesystem is available.
  boot.initrd.network = {
    ssh = {
      enable = true;
      # Port 2222 differs from the port 22 that the reverse tunnel and the UPnP
      # "SSH" mapping in this file use, so clients can tell the initrd server
      # and its separate host key apart from the stage-2 sshd.
      port = 2222;
      # Dedicated initrd host key, distinct from the "host.key" credential
      # given to sshd, so exposure of the initrd image does not leak the main
      # host identity.
      # NOTE(review): security.initrd.stage1Dir is a project option not shown
      # here; presumably it is where the decrypted initrd secrets are placed.
      hostKeys = [ "${config.security.initrd.stage1Dir}/${hostName}/ssh/initrd.key" ];
      # Every key allowed to log in as root on the running system is also
      # allowed into the initrd shell.
      authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
      # Placeholder: no extra sshd_config lines for the initrd server.
      extraConfig = "";
    };
  };

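  # Persistent reverse SSH tunnel: connects out to the host "mermet" and asks
  # it to listen on port 10022, forwarding connections back to this machine's
  # local sshd (port 22). systemd restarts the client whenever it exits.
  systemd.services.ssh-mermet-reverse = {
    # `after` only orders the unit; `wants` is what pulls network-online.target
    # into the transaction, so the ordering actually delays the first attempt.
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "simple";
      # The target must allow client-chosen bind addresses, i.e.
      # GatewayPorts clientspecified (services.openssh.settings.GatewayPorts
      # on current NixOS), otherwise "*:10022" is bound to loopback only.
      #
      # -N/-T: no remote command and no tty, forwarding only.
      # ServerAliveInterval: detect a dead link.
      # ExitOnForwardFailure: exit (and be restarted) if the remote listener
      # cannot be bound.
      # -g only affects local (-L) forwards and has no effect on -R.
      #
      # NOTE(review): binding "*" on the target publishes this host's sshd to
      # everything that can reach mermet:10022; key-only authentication on the
      # local sshd is the control that matters.
      # NOTE(review): no User= is set, so the client runs as root with root's
      # default identity and known_hosts. Least privilege would be a dedicated
      # user and key, restricted on mermet in authorized_keys with
      # `restrict,port-forwarding,permitlisten="10022"`.
      # NOTE(review): host key verification depends on a known_hosts entry for
      # this IP configured elsewhere; confirm, since there is no tty to prompt.
      ExecStart = ''${pkgs.openssh}/bin/ssh -v -g -N -T \
      -o ServerAliveInterval=10 \
      -o ExitOnForwardFailure=yes \
      -R *:10022:localhost:22 \
      ${hosts.mermet._module.args.ipv4}
    '';
      Restart = "always";
      RestartSec = "5s";
    };
  };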
  # UPnP port mappings requested from the upstream gateway: SSH on TCP 22,
  # Mosh on UDP 60000-60003, and the initrd SSH server on TCP 2222.
  # Each mapping unit is started together with sshd.service via wantedBy.
  # NOTE(review): services.upnpc is a project module not shown here; `duration`
  # is presumably a lease time in seconds (30 minutes here), with 0 meaning no
  # expiry. Confirm.
  # NOTE(review): these mappings ask the gateway to publish sshd and the initrd
  # SSH server externally, so both should accept public-key authentication
  # only; the relevant sshd settings are not visible in this module.
  services.upnpc = {
    enable = true;
    redirections =
      [
        {
          description = "SSH";
          protocol = "TCP";
          externalPort = 22;
          duration = 30 * 60;
          # Only this entry is also partOf sshd.service, so it is stopped and
          # restarted along with sshd.
          service.wantedBy = [ "sshd.service" ];
          service.partOf = [ "sshd.service" ];
        }
      ]
      # One identical UDP mapping per Mosh port.
      ++ map (moshPort: {
        description = "Mosh";
        protocol = "UDP";
        externalPort = moshPort;
        duration = 30 * 60;
        service.wantedBy = [ "sshd.service" ];
      }) (lib.range 60000 60003)
      ++ [
        {
          # duration = 0: presumably kept without expiry so the initrd server
          # stays reachable across a reboot. TODO confirm.
          description = "SSH (boot)";
          protocol = "TCP";
          externalPort = 2222;
          duration = 0;
          service.wantedBy = [ "sshd.service" ];
        }
      ];
  };
}