author | Gregor Kleen <gkleen@yggdrasil.li> | 2024-08-16 21:41:20 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2024-08-16 21:41:20 +0200 |
commit | 43090b716dd0d03a1057f42c98c12b8595ebd47d (patch) | |
tree | fda5bb9222f44df6aa76cbfd9afbab9daebd07e8 | |
parent | d4f1eb06046c1c5f65ae7b1e8e1c0165ab2276ed (diff) | |
-rw-r--r-- | system-profiles/openssh/default.nix | 47 |
1 files changed, 37 insertions, 10 deletions
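--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -64,6 +64,7 @@ in {
 systemd.user.services."ssh-agent".enable = mkForce false; # ssh-agent should be done via home-manager
 
 services.openssh = mkIf cfg.enable {
+startWhenNeeded = true;
 hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
 settings = {
 inherit Ciphers Macs KexAlgorithms;
@@ -77,21 +78,36 @@ in {
 PasswordAuthentication = mkDefault false;
 KbdInteractiveAuthentication = mkDefault false;
 };
-moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") "/run/credentials/sshd.service/ssh_moduli";
 extraConfig = optionalString cfg.staticHostKeys ''
-HostKey /run/credentials/sshd.service/ssh_host_ed25519_key
 HostCertificate ${./known-hosts + "/${hostName}/ed25519-cert.pub"}
-HostKey /run/credentials/sshd.service/ssh_host_rsa_key
 HostCertificate ${./known-hosts + "/${hostName}/rsa-cert.pub"}
 '';
 };
 
-systemd.services.sshd.serviceConfig.LoadCredential =
-lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
-++ lib.optionals cfg.staticHostKeys [
-"ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
-"ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
-];
+systemd.services = mkIf cfg.enable {
+"sshd@".serviceConfig = {
+ExecStart = mkForce (concatStringsSep " " (
+[ "-${cfg.package}/bin/sshd" "-i" "-D" "-f" "/etc/ssh/sshd_config" ]
+++ optional (config.sops.secrets ? "ssh_moduli") ''-o "moduliFile ''${CREDENTIALS_DIRECTORY}/ssh_moduli"''
+++ optional cfg.staticHostKeys ''-o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_ed25519_key" -o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_rsa_key"''
+));
+LoadCredential =
+lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
+++ lib.optionals cfg.staticHostKeys [
+"ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
+"ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
+];
+};
+};
+systemd.sockets."sshd@run-ssh\\x2dunix\\x2dlocal-socket" = mkIf cfg.enable {
+wantedBy = ["sockets.target"];
+listenStreams = ["/run/ssh-unix-local/socket"];
+socketConfig = {
+Accept = true;
+PollLimitIntervalSec = "30s";
+PollLimitBurst = 50;
+};
+};
 
 programs.ssh = {
 knownHosts = {
@@ -116,6 +132,17 @@ in {
 CASignatureAlgorithms ${concatStringsSep "," CASignatureAlgorithms}
 PasswordAuthentication no
 KbdInteractiveAuthentication no
+
+Host unix/* vsock/* vsock-mux/*
+ProxyCommand ${config.systemd.package}/lib/systemd/systemd-ssh-proxy %h %p
+ProxyUseFdpass yes
+CheckHostIP no
+
+Host .host ${config.networking.hostName} ${config.networking.hostName}.yggdrasil localhost ::1 127.0.0.0/8
+HostKeyAlias ${config.networking.hostName}.yggdrasil
+ProxyCommand ${config.systemd.package}/lib/systemd/systemd-ssh-proxy unix/run/ssh-unix-local/socket %p
+ProxyUseFdpass yes
+CheckHostIP no
 '';
 };
 
@@ -135,7 +162,7 @@ in {
 };
 
 environment.systemPackages = mkIf cfg.enable (with pkgs; [
-alacritty.terminfo
+kitty.terminfo
 ]);
 };
 }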
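Review bot: The new `systemd.sockets."sshd@run-ssh\\x2dunix\\x2dlocal-socket"` entry in the second hunk carries no comment on the two things that make it work and that a maintainer will not guess from the code: the `sshd@` prefix is what appears to route each accepted connection into the upstream `sshd@.service` template (hence the forced `ExecStart` right above it), and the instance part is the systemd-escaped form of the `/run/ssh-unix-local/socket` path in `listenStreams`, so the two must be changed together. No `SocketMode` is set, so systemd creates the socket with its default `0666` and every local user can reach sshd through it; that is presumably intended for the `.host`/localhost client stanza in the third hunk, and sshd still authenticates the peer, but it should be stated rather than left implicit. I would add `# Name must stay sshd@<escaped listenStreams path>: the sshd@ prefix selects the upstream sshd@.service template for each accepted connection. Socket is world-accessible (default SocketMode 0666) on purpose; sshd authenticates peers as usual.` above the socket definition. The forced `ExecStart` likewise deserves a line noting that it re-states what looks like the upstream template's argv only to append `-o` options, because host keys and moduli now live in the per-instance `${CREDENTIALS_DIRECTORY}` instead of the fixed `/run/credentials/sshd.service/` path the removed `extraConfig` lines used, and that it therefore has to track upstream changes to the `sshd@` `ExecStart`. The enclosing module body (`in { … }`) starts before and ends after this hunk.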