From 43090b716dd0d03a1057f42c98c12b8595ebd47d Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Fri, 16 Aug 2024 21:41:20 +0200
Subject: ...

---
 system-profiles/openssh/default.nix | 47 +++++++++++++++++++++++++++++--------
 1 file changed, 37 insertions(+), 10 deletions(-)


diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 098e2b25..65635912 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -64,6 +64,7 @@ in {
     systemd.user.services."ssh-agent".enable = mkForce false; # ssh-agent should be done via home-manager
 
     services.openssh = mkIf cfg.enable {
+      startWhenNeeded = true;
       hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
       settings = {
         inherit Ciphers Macs KexAlgorithms;
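Review bot: `startWhenNeeded = true` at L20 switches the NixOS module from a long-running `sshd.service` to socket activation (`sshd.socket` plus a per-connection `sshd@` instance, if I recall the module correctly), which is what the later `sshd@` override and the unix-socket listener depend on, yet nothing in the hunk says so. A why-comment would spare the next reader a trip to the module source, e.g. `startWhenNeeded = true; # per-connection sshd@ instances; the same template serves the local systemd-ssh-proxy socket`. One consequence worth recording is that sshd's own `MaxStartups` throttling presumably no longer spans connections in `-i` mode, so the socket units' poll limits become the only rate limit.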
@@ -77,21 +78,36 @@ in {
         PasswordAuthentication = mkDefault false;
         KbdInteractiveAuthentication = mkDefault false;
       };
-      moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") "/run/credentials/sshd.service/ssh_moduli";
       extraConfig = optionalString cfg.staticHostKeys ''
-        HostKey /run/credentials/sshd.service/ssh_host_ed25519_key
         HostCertificate ${./known-hosts + "/${hostName}/ed25519-cert.pub"}
-        HostKey /run/credentials/sshd.service/ssh_host_rsa_key
         HostCertificate ${./known-hosts + "/${hostName}/rsa-cert.pub"}
       '';
     };
 
-    systemd.services.sshd.serviceConfig.LoadCredential =
-         lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
-      ++ lib.optionals cfg.staticHostKeys [
-           "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
-           "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
-         ];
+    systemd.services = mkIf cfg.enable {
+      "sshd@".serviceConfig = {
+        ExecStart = mkForce (concatStringsSep " " (
+          [ "-${cfg.package}/bin/sshd" "-i" "-D" "-f" "/etc/ssh/sshd_config" ]
+          ++ optional (config.sops.secrets ? "ssh_moduli") ''-o "moduliFile ''${CREDENTIALS_DIRECTORY}/ssh_moduli"''
+          ++ optional cfg.staticHostKeys ''-o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_ed25519_key" -o "HostKey ''${CREDENTIALS_DIRECTORY}/ssh_host_rsa_key"''
+        ));
+        LoadCredential =
+          lib.optional (config.sops.secrets ? "ssh_moduli") "ssh_moduli:${config.sops.secrets.ssh_moduli.path}"
+          ++ lib.optionals cfg.staticHostKeys [
+            "ssh_host_ed25519_key:${config.sops.secrets.ssh_host_ed25519_key.path}"
+            "ssh_host_rsa_key:${config.sops.secrets.ssh_host_rsa_key.path}"
+          ];
+      };
+    };
+    systemd.sockets."sshd@run-ssh\\x2dunix\\x2dlocal-socket" = mkIf cfg.enable {
+      wantedBy = ["sockets.target"];
+      listenStreams = ["/run/ssh-unix-local/socket"];
+      socketConfig = {
+        Accept = true;
+        PollLimitIntervalSec = "30s";
+        PollLimitBurst = 50;
+      };
+    };
 
     programs.ssh = {
       knownHosts = {
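Review bot: The listener added at L58–66 is a second entry point into sshd that sidesteps `ListenAddress`, the firewall and any `Match Address` or `AllowUsers user@host` restriction — sshd in `-i` mode gets no peer IP on a unix socket, as far as I recall — and nothing records that this is the local systemd-ssh-proxy socket, so a comment is warranted, e.g. `# local socket for systemd-ssh-proxy (ssh .host); sshd still authenticates, but address-based Match rules never apply here`. `SocketMode` is left at systemd's default (0666), so any local user can connect; if that is broader than intended, `socketConfig.SocketMode = "0660";` together with a `SocketGroup` narrows it. The instance name `run-ssh\\x2dunix\\x2dlocal-socket` is the systemd-escaped form of `/run/ssh-unix-local/socket` and deserves a comment as well, and L47–48 use bare `optional` while L51–52 use `lib.optional`/`lib.optionals`; pick one. The `mkForce` at L45 replaces the module's whole `sshd@` ExecStart, so any flag NixOS later adds to that template is silently dropped — worth a note if that trade-off is accepted.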
@@ -116,6 +132,17 @@ in {
           CASignatureAlgorithms ${concatStringsSep "," CASignatureAlgorithms}
           PasswordAuthentication no
           KbdInteractiveAuthentication no
+
+        Host unix/* vsock/* vsock-mux/*
+            ProxyCommand ${config.systemd.package}/lib/systemd/systemd-ssh-proxy %h %p
+            ProxyUseFdpass yes
+            CheckHostIP no
+
+        Host .host ${config.networking.hostName} ${config.networking.hostName}.yggdrasil localhost ::1 127.0.0.0/8
+            HostKeyAlias ${config.networking.hostName}.yggdrasil
+            ProxyCommand ${config.systemd.package}/lib/systemd/systemd-ssh-proxy unix/run/ssh-unix-local/socket %p
+            ProxyUseFdpass yes
+            CheckHostIP no
       '';
     };
 
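Review bot: `127.0.0.0/8` on the `Host` line at L80 is, unless I am mistaken, matched as a glob pattern rather than as CIDR — ssh_config(5) reserves CIDR matching for `Match localnetwork` (and sshd's `Match Address`) — so `ssh 127.0.0.1` would not take the systemd-ssh-proxy route; `127.*` expresses the intent, or the entry should be dropped. `HostKeyAlias` at L81 pins every name on that line to `${config.networking.hostName}.yggdrasil`, so the matching knownHosts entry (defined outside this hunk) must exist or local logins fail host-key verification. `CheckHostIP no` is presumably needed because the proxied connection carries no address to check, and a one-line comment above the `Host unix/*` stanza would make that explicit, e.g. `# systemd-ssh-proxy targets (needs systemd ≥ 256): no peer IP exists, hence CheckHostIP no`. The `extraConfig` string these lines extend begins outside the hunk.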
@@ -135,7 +162,7 @@ in {
     };
 
     environment.systemPackages = mkIf cfg.enable (with pkgs; [
-      alacritty.terminfo
+      kitty.terminfo
     ]);
   };
 }
-- 
cgit v1.2.3