-{ pkgs, lib, config, hosts, ... }:
+{ pkgs, lib, config, hosts, hostName, ... }:
{
-systemd.services.ssh-mermet-reverse = {
- after = [ "network-online.target" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- Type = "simple";
- # Require services.openssh.gatewayPorts = "clientspecified";
- # on the target.
- ExecStart = ''${pkgs.openssh}/bin/ssh -v -g -N -T \
+ services.openssh = {
+ openFirewall = true;
+ settings.X11Forwarding = true;
+ };
+ systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
+ "host.key:${ssh/host.key.cred}"
+ ];
+ programs.ssh = {
+ extraConfig = ''
+ '';
+ };
+
+ security.initrd.secrets."${hostName}/ssh/initrd.key" =
+ "hosts/${hostName}/ssh/initrd.key.gpg";
+ boot.initrd.network.ssh = {
+ enable = true;
+ port = 2222;
+ authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
+ hostKeys = [ "${config.security.initrd.stage1Dir}/${hostName}/ssh/initrd.key" ];
+ extraConfig = ''
+ '';
+ };
+
+ systemd.services.ssh-mermet-reverse = {
+ after = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "simple";
+ # Require services.openssh.gatewayPorts = "clientspecified";
+ # on the target.
+ ExecStart = ''${pkgs.openssh}/bin/ssh -v -g -N -T \
-o ServerAliveInterval=10 \
-o ExitOnForwardFailure=yes \
-R *:10022:localhost:22 \
${hosts.mermet._module.args.ipv4}
'';
- Restart = "always";
- RestartSec = "5s";
+ Restart = "always";
+ RestartSec = "5s";
+ };
};
-};
-boot.initrd.network.ssh = {
- enable = true;
- port = 2222;
- authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
- hostKeys = [ "/root/initrd/ssh.key" ];
- extraConfig = ''
- '';
-};
-services.openssh = {
- openFirewall = true;
- forwardX11 = true;
-};
-programs.ssh = {
- extraConfig = ''
- Compression = yes
- '';
-};
-services.upnpc.redirections =
- [
- { description = "SSH";
- externalPort = 22; protocol = "TCP"; duration = 30 * 60;
- service.wantedBy = ["sshd.service"];
- service.partOf = ["sshd.service"];
- }
- { description = "Mosh"; externalPort = 60000; protocol = "UDP"; duration = 30 * 60; service.wantedBy = ["sshd.service"]; }
- { description = "Mosh"; externalPort = 60001; protocol = "UDP"; duration = 30 * 60; service.wantedBy = ["sshd.service"]; }
- { description = "Mosh"; externalPort = 60002; protocol = "UDP"; duration = 30 * 60; service.wantedBy = ["sshd.service"]; }
- { description = "Mosh"; externalPort = 60003; protocol = "UDP"; duration = 30 * 60; service.wantedBy = ["sshd.service"]; }
- ] ++ [
- { description = "SSH (boot)";
- externalPort = 2222; protocol = "TCP"; duration = 0;
- service.wantedBy = ["sshd.service"];
- }
- ];
+ services.upnpc.enable = true;
+ services.upnpc.redirections =
+ [
+ {
+ description = "SSH";
+ externalPort = 22;
+ protocol = "TCP";
+ duration = 30 * 60;
+ service.wantedBy = [ "sshd.service" ];
+ service.partOf = [ "sshd.service" ];
+ }
+ { description = "Mosh"; externalPort = 60000; protocol = "UDP"; duration = 30 * 60; service.wantedBy = [ "sshd.service" ]; }
+ { description = "Mosh"; externalPort = 60001; protocol = "UDP"; duration = 30 * 60; service.wantedBy = [ "sshd.service" ]; }
+ { description = "Mosh"; externalPort = 60002; protocol = "UDP"; duration = 30 * 60; service.wantedBy = [ "sshd.service" ]; }
+ { description = "Mosh"; externalPort = 60003; protocol = "UDP"; duration = 30 * 60; service.wantedBy = [ "sshd.service" ]; }
+ ] ++ [
+ {
+ description = "SSH (boot)";
+ externalPort = 2222;
+ protocol = "TCP";
+ duration = 0;
+ service.wantedBy = [ "sshd.service" ];
+ }
+ ];
}
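Review bot: The `LoadCredentialEncrypted` entry under `systemd.services.sshd` only makes `host.key` appear in the unit's credentials directory; nothing in this hunk tells sshd to read it, so unless `services.openssh.hostKeys` is overridden elsewhere the module's default generated keys stay in use and the decrypted credential is never consumed. If the intent is to pin the host identity to the encrypted credential, pair it with `services.openssh.hostKeys = [ ];` and `services.openssh.extraConfig = "HostKey /run/credentials/sshd.service/host.key";` (sshd_config does not expand `$CREDENTIALS_DIRECTORY`). Also worth a comment at the `"host.key:${ssh/host.key.cred}"` line: interpolating a Nix path copies the blob into the world-readable Nix store, which is acceptable only because systemd-creds has already encrypted it against this host's key/TPM, e.g. `# Encrypted with systemd-creds; the ciphertext landing in /nix/store is expected.` The `"SSH (boot)"` redirection with `duration = 0` keeps TCP/2222 open permanently even though the initrd listener only exists during early boot; if that is deliberate, a one-line comment saying so would save the next reader from treating it as a leftover.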