ssh8022: split client and server

2024-08-25 11:07:35 +03:00 · 2024-08-25 11:07:35 +03:00 · 21e84bb162
commit 21e84bb162
parent ebdcd832e4
4 changed files with 60 additions and 48 deletions
--- a/flake.nix
+++ b/flake.nix
@ -152,11 +152,6 @@
                syncthing-key.file = ./secrets/mtworx/syncthing/key.pem.age;
                syncthing-cert.file = ./secrets/mtworx/syncthing/cert.pem.age;
                ssh8022 = {
                  file = ./secrets/ssh8022.age;
                  owner = "motiejus";
                };
              };
            }
          ];
@ -191,11 +186,6 @@
                synapse-macaroon-secret-key.file = ./secrets/synapse/macaroon_secret_key.age;
                syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age;
                syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age;
                ssh8022 = {
                  file = ./secrets/ssh8022.age;
                  owner = "motiejus";
                };
              };
            }
          ];
@ -222,11 +212,6 @@
                syncthing-key.file = ./secrets/vno1-gdrx/syncthing/key.pem.age;
                syncthing-cert.file = ./secrets/vno1-gdrx/syncthing/cert.pem.age;
                ssh8022 = {
                  file = ./secrets/ssh8022.age;
                  owner = "motiejus";
                };
              };
            }
          ];
@ -254,11 +239,6 @@
                sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
                datapool-passphrase.file = ./secrets/vno3-rp3b/datapool-passphrase.age;
                ssh8022 = {
                  file = ./secrets/ssh8022.age;
                  owner = "motiejus";
                };
              };
            }
          ];
@ -284,10 +264,6 @@
                root-passwd-hash.file = ./secrets/root_passwd_hash.age;
                sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
                ssh8022 = {
                  file = ./secrets/ssh8022.age;
                  owner = "motiejus";
                };
              };
            }
          ];
--- a/hosts/fwminex/configuration.nix
+++ b/hosts/fwminex/configuration.nix
@ -13,6 +13,12 @@ in
    ../../modules/profiles/btrfs
  ];
  age.secrets.ssh8022-server = {
    file = ../../secrets/ssh8022.age;
    owner = "spiped";
    path = "/var/lib/spiped/ssh8022.key";
  };
  boot = {
    kernelModules = [ "kvm-intel" ];
    loader.systemd-boot.enable = true;
@ -364,10 +370,13 @@ in
    services = {
      sshguard.enable = true;
      ssh8022.enable = true;
      gitea.enable = true;
      hass.enable = true;
      syncthing-relay.enable = true;
      ssh8022.server = {
        enable = true;
        keyfile = config.age.secrets.ssh8022-server.path;
      };
      vaultwarden = {
        enable = true;
--- a/hosts/mtworx/configuration.nix
+++ b/hosts/mtworx/configuration.nix
@ -16,6 +16,11 @@ in
    ../../modules/profiles/btrfs
  ];
  age.secrets.ssh8022-client = {
    file = ../../secrets/ssh8022.age;
    owner = "motiejus";
  };
  boot = {
    kernelModules = [ "kvm-intel" ];
    loader.systemd-boot.enable = true;
@ -81,7 +86,11 @@ in
    services = {
      sshguard.enable = false;
-      ssh8022.enable = true;
+      ssh8022.client = {
        enable = true;
        keyfile = config.age.secrets.ssh8022-client.path;
      };
      tailscale = {
        enable = true;
--- a/modules/services/ssh8022/default.nix
+++ b/modules/services/ssh8022/default.nix
@ -5,30 +5,48 @@
  myData,
  ...
 }:
 let
  cfg = config.mj.services.ssh8022;
 in
 {
-  options.mj.services.ssh8022 = {
+  options.mj.services.ssh8022 = with lib.types; {
-    enable = lib.mkEnableOption "Enable ssh8022";
+    client = {
      enable = lib.mkEnableOption "Enable ssh8022 client";
      keyfile = lib.mkOption { type = str; };
    };
    server = {
      enable = lib.mkEnableOption "Enable ssh8022 server";
      keyfile = lib.mkOption { type = str; };
    };
  };
-  config = lib.mkIf cfg.enable {
+  config = lib.mkMerge [
-    services.spiped = {
+    (
-      enable = true;
+      let
-      config = {
+        cfg = config.mj.services.ssh8022.client;
-        ssh8022 = {
+      in
-          decrypt = true;
+      lib.mkIf cfg.enable {
-          source = "*:8022";
+        programs.ssh.extraConfig = ''
-          target = "127.0.0.1:22";
+          Host dl.jakstys.lt
-          keyfile = config.age.secrets.ssh8022.path;
+          ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:8022 -k ${cfg.keyfile}
        '';
      }
    )
    (
      let
        cfg = config.mj.services.ssh8022.server;
      in
      lib.mkIf cfg.enable {
        services.spiped = {
          enable = true;
          config = {
            ssh8022 = {
              inherit (cfg) keyfile;
              decrypt = true;
              source = "*:8022";
              target = "127.0.0.1:22";
            };
          };
        };
-      };
+        networking.firewall.allowedTCPPorts = [ myData.ports.ssh8022 ];
-    };
+      }
-    programs.ssh.extraConfig = ''
+    )
-      Host dl.jakstys.lt
+  ];
      ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:8022 -k ${config.age.secrets.ssh8022.path}
    '';
    networking.firewall.allowedTCPPorts = [ myData.ports.ssh8022 ];
  };
 }