authorGregor Kleen <gkleen@yggdrasil.li>2024-08-16 21:41:20 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2024-08-16 21:41:20 +0200
commit43090b716dd0d03a1057f42c98c12b8595ebd47d (patch)
treefda5bb9222f44df6aa76cbfd9afbab9daebd07e8
parentd4f1eb06046c1c5f65ae7b1e8e1c0165ab2276ed (diff)
...
-rw-r--r--system-profiles/openssh/default.nix47
1 files changed, 37 insertions, 10 deletions
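--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -64,6 +64,7 @@ in {
   systemd.user.services."ssh-agent".enable = mkForce false; # ssh-agent should be done via home-manager
 
   services.openssh = mkIf cfg.enable {
+    startWhenNeeded = true;
     hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
     settings = {
       inherit Ciphers Macs KexAlgorithms;
@@ -77,21 +78,36 @@ in {
       PasswordAuthentication = mkDefault false;
       KbdInteractiveAuthentication = mkDefault false;
     };
-    moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") "/run/credentials/sshd.service/ssh_moduli";
     extraConfig = optionalString cfg.staticHostKeys ''
-      HostKey /run/credentials/sshd.service/ssh_host_ed25519_key
       HostCertificate ${./known-hosts + "/${hostName}/ed25519-cert.pub"}
-      HostKey /run/credentials/sshd.service/ssh_host_rsa_key
       HostCertificate ${./known-hosts + "/${hostName}/rsa-cert.pub"}
     '';
   };
 
-  systemd.services.sshd.serviceConfig.LoadCredential =
-    lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
-    ++ lib.optionals cfg.staticHostKeys [
-      "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
-      "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
-    ];
+  systemd.services = mkIf cfg.enable {
+    "sshd@".serviceConfig = {
+      ExecStart = mkForce (concatStringsSep " " (
+        [ "-${cfg.package}/bin/sshd" "-i" "-D" "-f" "/etc/ssh/sshd_config" ]
+        ++ optional (config.sops.secrets ? "ssh_moduli") ''-o "moduliFile ''${CREDENTIALS_DIRECTORY}/ssh_moduli"''
+        ++ optional cfg.staticHostKeys ''-o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_ed25519_key" -o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_rsa_key"''
+      ));
+      LoadCredential =
+        lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
+        ++ lib.optionals cfg.staticHostKeys [
+          "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
+          "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
+        ];
+    };
+  };
+  systemd.sockets."sshd@run-ssh\\x2dunix\\x2dlocal-socket" = mkIf cfg.enable {
+    wantedBy = ["sockets.target"];
+    listenStreams = ["/run/ssh-unix-local/socket"];
+    socketConfig = {
+      Accept = true;
+      PollLimitIntervalSec = "30s";
+      PollLimitBurst = 50;
+    };
+  };
 
   programs.ssh = {
     knownHosts = {
@@ -116,6 +132,17 @@ in {
       CASignatureAlgorithms ${concatStringsSep "," CASignatureAlgorithms}
       PasswordAuthentication no
       KbdInteractiveAuthentication no
+
+      Host unix/* vsock/* vsock-mux/*
+        ProxyCommand ${config.systemd.package}/lib/systemd/systemd-ssh-proxy %h %p
+        ProxyUseFdpass yes
+        CheckHostIP no
+
+      Host .host ${config.networking.hostName} ${config.networking.hostName}.yggdrasil localhost ::1 127.0.0.0/8
+        HostKeyAlias ${config.networking.hostName}.yggdrasil
+        ProxyCommand ${config.systemd.package}/lib/systemd/systemd-ssh-proxy unix/run/ssh-unix-local/socket %p
+        ProxyUseFdpass yes
+        CheckHostIP no
     '';
   };
 
@@ -135,7 +162,7 @@ in {
   };
 
   environment.systemPackages = mkIf cfg.enable (with pkgs; [
-    alacritty.terminfo
+    kitty.terminfo
   ]);
 };
 }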
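Review bot: In the third hunk the new `Host .host … localhost ::1 127.0.0.0/8` entry will, as far as I know, never match a loopback address other than the literal string "127.0.0.0/8": ssh_config `Host` entries are glob patterns (`*`, `?`, negation), and CIDR notation is not part of that syntax, so `ssh 127.0.0.1` falls back to a plain TCP connection instead of the unix-socket proxy. If the intent is to cover the whole loopback range, a glob does it: `Host .host ${config.networking.hostName} ${config.networking.hostName}.yggdrasil localhost ::1 127.*`. The `HostKeyAlias` line is the right companion for these aliases, since it makes every loopback spelling verify against the single known_hosts entry for the canonical name rather than accumulating per-alias keys; the `extraConfig` string this block lives in starts before the hunk. Separately, both `systemd-ssh-proxy` (this hunk) and `PollLimitIntervalSec`/`PollLimitBurst` on the new socket unit (second hunk) depend on a recent systemd, and a short comment such as `# requires systemd with systemd-ssh-proxy and socket poll limits` next to the socket would save the next reader a bisect if `config.systemd.package` is ever pinned back.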