From 43090b716dd0d03a1057f42c98c12b8595ebd47d Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Fri, 16 Aug 2024 21:41:20 +0200
Subject: ...

---
 system-profiles/openssh/default.nix | 47 +++++++++++++++++++++++++++++--------
 1 file changed, 37 insertions(+), 10 deletions(-)
(limited to 'system-profiles/openssh/default.nix')

diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 098e2b25..65635912 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -64,6 +64,7 @@ in {
   systemd.user.services."ssh-agent".enable = mkForce false; # ssh-agent should be done via home-manager
 
   services.openssh = mkIf cfg.enable {
+    startWhenNeeded = true;
     hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
     settings = {
       inherit Ciphers Macs KexAlgorithms;
@@ -77,21 +78,36 @@ in {
       PasswordAuthentication = mkDefault false;
       KbdInteractiveAuthentication = mkDefault false;
     };
-    moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") "/run/credentials/sshd.service/ssh_moduli";
     extraConfig = optionalString cfg.staticHostKeys ''
-      HostKey /run/credentials/sshd.service/ssh_host_ed25519_key
       HostCertificate ${./known-hosts + "/${hostName}/ed25519-cert.pub"}
-      HostKey /run/credentials/sshd.service/ssh_host_rsa_key
       HostCertificate ${./known-hosts + "/${hostName}/rsa-cert.pub"}
     '';
   };
 
-  systemd.services.sshd.serviceConfig.LoadCredential =
-    lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
-    ++ lib.optionals cfg.staticHostKeys [
-      "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
-      "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
-    ];
+  systemd.services = mkIf cfg.enable {
+    "sshd@".serviceConfig = {
+      ExecStart = mkForce (concatStringsSep " " (
+        [ "-${cfg.package}/bin/sshd" "-i" "-D" "-f" "/etc/ssh/sshd_config" ]
+        ++ optional (config.sops.secrets ? "ssh_moduli") ''-o "moduliFile ''${CREDENTIALS_DIRECTORY}/ssh_moduli"''
+        ++ optional cfg.staticHostKeys ''-o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_ed25519_key" -o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_rsa_key"''
+      ));
+      LoadCredential =
+        lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
+        ++ lib.optionals cfg.staticHostKeys [
+          "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
+          "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
+        ];
+    };
+  };
+  systemd.sockets."sshd@run-ssh\\x2dunix\\x2dlocal-socket" = mkIf cfg.enable {
+    wantedBy = ["sockets.target"];
+    listenStreams = ["/run/ssh-unix-local/socket"];
+    socketConfig = {
+      Accept = true;
+      PollLimitIntervalSec = "30s";
+      PollLimitBurst = 50;
+    };
+  };
 
   programs.ssh = {
     knownHosts = {
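Review bot: The unix listener declared in `listenStreams = ["/run/ssh-unix-local/socket"]` is created with systemd's default socket mode, so every local account can reach the sshd authentication stage through it, and because the peer is a unix socket rather than an IP address, any `ListenAddress` or `Match Address` policy in sshd_config does not apply to these connections; `PollLimitIntervalSec`/`PollLimitBurst` bound the accept rate, not who may connect. That is presumably intended (it backs the `systemd-ssh-proxy` client stanza added later in this commit), but it should be stated on the `systemd.sockets` attribute, e.g. `# world-connectable by default: sshd's auth policy is the only gate; set SocketMode/SocketGroup here to narrow callers`. Note that the forced `"sshd@".serviceConfig.ExecStart` also replaces the NixOS template serving the TCP `sshd.socket` connections that `startWhenNeeded = true` (first hunk) enables, so both entry points share this command line; `-o "moduliFile …"` is accepted case-insensitively by sshd but reads more consistently as `ModuliFile` next to `HostKey`. The enclosing `in {` attrset begins and ends outside the hunk.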
@@ -116,6 +132,17 @@ in {
       CASignatureAlgorithms ${concatStringsSep "," CASignatureAlgorithms}
       PasswordAuthentication no
       KbdInteractiveAuthentication no
+
+      Host unix/* vsock/* vsock-mux/*
+        ProxyCommand ${config.systemd.package}/lib/systemd/systemd-ssh-proxy %h %p
+        ProxyUseFdpass yes
+        CheckHostIP no
+
+      Host .host ${config.networking.hostName} ${config.networking.hostName}.yggdrasil localhost ::1 127.0.0.0/8
+        HostKeyAlias ${config.networking.hostName}.yggdrasil
+        ProxyCommand ${config.systemd.package}/lib/systemd/systemd-ssh-proxy unix/run/ssh-unix-local/socket %p
+        ProxyUseFdpass yes
+        CheckHostIP no
     '';
   };
 
@@ -135,7 +162,7 @@ in {
   };
 
   environment.systemPackages = mkIf cfg.enable (with pkgs; [
-    alacritty.terminfo
+    kitty.terminfo
   ]);
 }
-- 
cgit v1.2.3
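Review bot: `127.0.0.0/8` in the second `Host` line is not a CIDR match: ssh_config `Host` takes glob patterns (CIDR notation is only understood by `Match address`), so this token matches only the literal string `127.0.0.0/8`, and a plain `ssh 127.0.0.1` skips the stanza and goes over loopback TCP without the `HostKeyAlias`. If every loopback address is meant, `Host .host ${config.networking.hostName} ${config.networking.hostName}.yggdrasil localhost ::1 127.*` expresses that. Funnelling all of these names onto the single `HostKeyAlias ${config.networking.hostName}.yggdrasil` entry is the right defensive choice, since with `CheckHostIP no` and a ProxyCommand that known_hosts entry is the only host-identity check left for them; a one-line comment above the stanza saying so would help the next reader. The `extraConfig` string these lines extend begins before the hunk.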