mermet: nebula: sourcephile.fr: adapt to new conventions

[sourcephile-nix.git] / hosts / losurdo / ssh.nix

diff --git a/hosts/losurdo/ssh.nix b/hosts/losurdo/ssh.nix
index 7e9443e2175db9f282345f4ddcb9a1f0ae1c8124..6152907967a3ca69142c26eebbed928f681d3b4c 100644 (file)
--- a/hosts/losurdo/ssh.nix
+++ b/hosts/losurdo/ssh.nix
@@ -1,39 +1,51 @@
-{ pkgs, lib, config, hosts, ... }:
 {
+  pkgs,
+  lib,
+  config,
+  hosts,
+  hostName,
+  ...
+}:
+{
+  services.openssh = {
+    openFirewall = true;
+    settings.X11Forwarding = true;
+  };
+  systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
+    "host.key:${ssh/host.key.cred}"
+  ];
+  programs.ssh = {
+    extraConfig = '''';
+  };
+
+  security.initrd.secrets."${hostName}/ssh/initrd.key" = "hosts/${hostName}/ssh/initrd.key.gpg";
+  boot.initrd.network.ssh = {
+    enable = true;
+    port = 2222;
+    authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
+    hostKeys = [ "${config.security.initrd.stage1Dir}/${hostName}/ssh/initrd.key" ];
+    extraConfig = '''';
+  };
+
   systemd.services.ssh-mermet-reverse = {
-    after = [ "network-online.target" ];
+    #after = [ "network-online.target" ];
     wantedBy = [ "multi-user.target" ];
     serviceConfig = {
       Type = "simple";
       # Require services.openssh.gatewayPorts = "clientspecified";
       # on the target.
-      ExecStart = ''${pkgs.openssh}/bin/ssh -v -g -N -T \
-      -o ServerAliveInterval=10 \
-      -o ExitOnForwardFailure=yes \
-      -R *:10022:localhost:22 \
-      ${hosts.mermet._module.args.ipv4}
-    '';
+      ExecStart = ''
+        ${pkgs.openssh}/bin/ssh -v -g -N -T \
+              -o ServerAliveInterval=10 \
+              -o ExitOnForwardFailure=yes \
+              -R *:10022:localhost:22 \
+              ${hosts.mermet._module.args.ipv4}
+      '';
       Restart = "always";
       RestartSec = "5s";
     };
   };
-  boot.initrd.network.ssh = {
-    enable = true;
-    port = 2222;
-    authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
-    hostKeys = [ "/root/initrd/ssh.key" ];
-    extraConfig = ''
-  '';
-  };
-  services.openssh = {
-    openFirewall = true;
-    forwardX11 = true;
-  };
-  programs.ssh = {
-    extraConfig = ''
-      Compression = yes
-    '';
-  };
+  services.upnpc.enable = true;
   services.upnpc.redirections =
     [
       {
@@ -44,11 +56,36 @@
         service.wantedBy = [ "sshd.service" ];
         service.partOf = [ "sshd.service" ];
       }
-      { description = "Mosh"; externalPort = 60000; protocol = "UDP"; duration = 30 * 60; service.wantedBy = [ "sshd.service" ]; }
-      { description = "Mosh"; externalPort = 60001; protocol = "UDP"; duration = 30 * 60; service.wantedBy = [ "sshd.service" ]; }
-      { description = "Mosh"; externalPort = 60002; protocol = "UDP"; duration = 30 * 60; service.wantedBy = [ "sshd.service" ]; }
-      { description = "Mosh"; externalPort = 60003; protocol = "UDP"; duration = 30 * 60; service.wantedBy = [ "sshd.service" ]; }
-    ] ++ [
+      {
+        description = "Mosh";
+        externalPort = 60000;
+        protocol = "UDP";
+        duration = 30 * 60;
+        service.wantedBy = [ "sshd.service" ];
+      }
+      {
+        description = "Mosh";
+        externalPort = 60001;
+        protocol = "UDP";
+        duration = 30 * 60;
+        service.wantedBy = [ "sshd.service" ];
+      }
+      {
+        description = "Mosh";
+        externalPort = 60002;
+        protocol = "UDP";
+        duration = 30 * 60;
+        service.wantedBy = [ "sshd.service" ];
+      }
+      {
+        description = "Mosh";
+        externalPort = 60003;
+        protocol = "UDP";
+        duration = 30 * 60;
+        service.wantedBy = [ "sshd.service" ];
+      }
+    ]
+    ++ [
       {
         description = "SSH (boot)";
         externalPort = 2222;