ssh8022: split client and server

Motiejus Jakštys 2024-08-25 11:07:35 +03:00
parent ebdcd832e4
commit 21e84bb162
4 changed files with 60 additions and 48 deletions


@ -152,11 +152,6 @@
syncthing-key.file = ./secrets/mtworx/syncthing/key.pem.age; syncthing-key.file = ./secrets/mtworx/syncthing/key.pem.age;
syncthing-cert.file = ./secrets/mtworx/syncthing/cert.pem.age; syncthing-cert.file = ./secrets/mtworx/syncthing/cert.pem.age;
ssh8022 = {
file = ./secrets/ssh8022.age;
owner = "motiejus";
};
}; };
} }
]; ];
@ -191,11 +186,6 @@
synapse-macaroon-secret-key.file = ./secrets/synapse/macaroon_secret_key.age; synapse-macaroon-secret-key.file = ./secrets/synapse/macaroon_secret_key.age;
syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age; syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age;
syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age; syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age;
ssh8022 = {
file = ./secrets/ssh8022.age;
owner = "motiejus";
};
}; };
} }
]; ];
@ -222,11 +212,6 @@
syncthing-key.file = ./secrets/vno1-gdrx/syncthing/key.pem.age; syncthing-key.file = ./secrets/vno1-gdrx/syncthing/key.pem.age;
syncthing-cert.file = ./secrets/vno1-gdrx/syncthing/cert.pem.age; syncthing-cert.file = ./secrets/vno1-gdrx/syncthing/cert.pem.age;
ssh8022 = {
file = ./secrets/ssh8022.age;
owner = "motiejus";
};
}; };
} }
]; ];
@ -254,11 +239,6 @@
sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
datapool-passphrase.file = ./secrets/vno3-rp3b/datapool-passphrase.age; datapool-passphrase.file = ./secrets/vno3-rp3b/datapool-passphrase.age;
ssh8022 = {
file = ./secrets/ssh8022.age;
owner = "motiejus";
};
}; };
} }
]; ];
@ -284,10 +264,6 @@
root-passwd-hash.file = ./secrets/root_passwd_hash.age; root-passwd-hash.file = ./secrets/root_passwd_hash.age;
sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
ssh8022 = {
file = ./secrets/ssh8022.age;
owner = "motiejus";
};
}; };
} }
]; ];


@ -13,6 +13,12 @@ in
../../modules/profiles/btrfs ../../modules/profiles/btrfs
]; ];
age.secrets.ssh8022-server = {
file = ../../secrets/ssh8022.age;
owner = "spiped";
path = "/var/lib/spiped/ssh8022.key";
};
boot = { boot = {
kernelModules = [ "kvm-intel" ]; kernelModules = [ "kvm-intel" ];
loader.systemd-boot.enable = true; loader.systemd-boot.enable = true;
@ -364,10 +370,13 @@ in
services = { services = {
sshguard.enable = true; sshguard.enable = true;
ssh8022.enable = true;
gitea.enable = true; gitea.enable = true;
hass.enable = true; hass.enable = true;
syncthing-relay.enable = true; syncthing-relay.enable = true;
ssh8022.server = {
enable = true;
keyfile = config.age.secrets.ssh8022-server.path;
};
vaultwarden = { vaultwarden = {
enable = true; enable = true;
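Review bot: The new `age.secrets.ssh8022-server` entry gives the key to `owner = "spiped"` but says nothing about `mode` or `group`, so readability depends on agenix's defaults (mode 0400, group 0); since this is the same symmetric spiped key the client hosts decrypt, I would pin that intent explicitly with `mode = "0400";` beside `owner` rather than inherit it. The fixed `path = "/var/lib/spiped/ssh8022.key"` presumably matches where the spiped service user can read it; the service definition is outside this hunk, so that is inferred from the owner only. `ssh8022.server.keyfile = config.age.secrets.ssh8022-server.path` then re-exports the same location, which keeps the wiring in one place.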


@ -16,6 +16,11 @@ in
../../modules/profiles/btrfs ../../modules/profiles/btrfs
]; ];
age.secrets.ssh8022-client = {
file = ../../secrets/ssh8022.age;
owner = "motiejus";
};
boot = { boot = {
kernelModules = [ "kvm-intel" ]; kernelModules = [ "kvm-intel" ];
loader.systemd-boot.enable = true; loader.systemd-boot.enable = true;
@ -81,7 +86,11 @@ in
services = { services = {
sshguard.enable = false; sshguard.enable = false;
ssh8022.enable = true; ssh8022.client = {
enable = true;
keyfile = config.age.secrets.ssh8022-client.path;
};
tailscale = { tailscale = {
enable = true; enable = true;
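Review bot: `age.secrets.ssh8022-client` is owned by `motiejus` with no `mode`, so with agenix's default 0400 only that user can read the key, while the `Host dl.jakstys.lt` ProxyCommand the module emits through `programs.ssh.extraConfig` applies to every user's ssh client on this host; any other account connecting there will see spipe fail to open the key. That is probably the intended scope, but it deserves a one-line comment next to `owner`, e.g. `# readable only by motiejus; the system-wide ProxyCommand in mj.services.ssh8022.client relies on this`. No `path` is set, so the key lands at agenix's default location under `/run/agenix` and `config.age.secrets.ssh8022-client.path` tracks it correctly.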


@ -5,30 +5,48 @@
myData, myData,
... ...
}: }:
let
cfg = config.mj.services.ssh8022;
in
{ {
options.mj.services.ssh8022 = { options.mj.services.ssh8022 = with lib.types; {
enable = lib.mkEnableOption "Enable ssh8022"; client = {
enable = lib.mkEnableOption "Enable ssh8022 client";
keyfile = lib.mkOption { type = str; };
};
server = {
enable = lib.mkEnableOption "Enable ssh8022 server";
keyfile = lib.mkOption { type = str; };
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkMerge [
services.spiped = { (
enable = true; let
config = { cfg = config.mj.services.ssh8022.client;
ssh8022 = { in
decrypt = true; lib.mkIf cfg.enable {
source = "*:8022"; programs.ssh.extraConfig = ''
target = "127.0.0.1:22"; Host dl.jakstys.lt
keyfile = config.age.secrets.ssh8022.path; ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:8022 -k ${cfg.keyfile}
'';
}
)
(
let
cfg = config.mj.services.ssh8022.server;
in
lib.mkIf cfg.enable {
services.spiped = {
enable = true;
config = {
ssh8022 = {
inherit (cfg) keyfile;
decrypt = true;
source = "*:8022";
target = "127.0.0.1:22";
};
};
}; };
}; networking.firewall.allowedTCPPorts = [ myData.ports.ssh8022 ];
}; }
programs.ssh.extraConfig = '' )
Host dl.jakstys.lt ];
ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:8022 -k ${config.age.secrets.ssh8022.path}
'';
networking.firewall.allowedTCPPorts = [ myData.ports.ssh8022 ];
};
} }
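Review bot: Both `keyfile = lib.mkOption { type = str; }` options (client and server) have no `description`, so option docs show nothing about what path is expected or who must be able to read it; add `description = "Absolute path to the shared spiped key; must be readable by the user running spipe/spiped.";` to each. Choosing `str` over `path` is right here because the values are runtime agenix paths and a `path`-typed option could let a path literal be copied into the Nix store, but that reasoning is worth a short comment on the option. The client branch still hard-codes `Host dl.jakstys.lt`; if a second remote is ever needed, a `host` option next to `keyfile` is the natural extension, though not required for this change. The side-by-side rendering interleaves old and new columns on each line of this file, so the new-side text was read from the right-hand column.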