diff --git a/data.nix b/data.nix
index 3ca8303..ff5ab7a 100644
--- a/data.nix
+++ b/data.nix
@@ -27,6 +27,7 @@ rec {
 soju = 6697;
 soju-ws = 6698;
 matrix-synapse = 8008;
+ ssh8022 = 8022;
 vaultwarden = 8222;
 headscale = 8080;
 hass = 8123;
diff --git a/flake.nix b/flake.nix
index 1645b81..b0348d4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -222,6 +222,11 @@
 syncthing-key.file = ./secrets/vno1-gdrx/syncthing/key.pem.age;
 syncthing-cert.file = ./secrets/vno1-gdrx/syncthing/cert.pem.age;
+
+ ssh8022 = {
+ file = ./secrets/ssh8022.age;
+ owner = "motiejus";
+ };
 };
 }
 ];
@@ -249,6 +254,11 @@
 sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
 datapool-passphrase.file = ./secrets/vno3-rp3b/datapool-passphrase.age;
+
+ ssh8022 = {
+ file = ./secrets/ssh8022.age;
+ owner = "motiejus";
+ };
 };
 }
 ];
@@ -273,6 +283,11 @@
 motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
 root-passwd-hash.file = ./secrets/root_passwd_hash.age;
 sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
+
+ ssh8022 = {
+ file = ./secrets/ssh8022.age;
+ owner = "motiejus";
+ };
 };
 }
 ];
diff --git a/modules/base/sshd/default.nix b/modules/base/sshd/default.nix
index d871c30..f667ec4 100644
--- a/modules/base/sshd/default.nix
+++ b/modules/base/sshd/default.nix
@@ -1,11 +1,19 @@
 {
- config,
 lib,
+ config,
+ pkgs,
 myData,
 ...
 }:
 {
 config = {
+ services.spiped = {
+ enable = true;
+ decrypt = true;
+ source = "*:8022";
+ target = "127.0.0.1:22";
+ keyFile = config.age.secrets.ssh8022.path;
+ };
 services.openssh = {
 enable = true;
 settings = {
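Review bot: The same four-line `ssh8022 = { file = ./secrets/ssh8022.age; owner = "motiejus"; };` block is pasted verbatim into three host definitions in this file (the hunks at 222, 249 and 273); hoisting it once, e.g. `sshSpipedSecret = { file = ./secrets/ssh8022.age; owner = "motiejus"; };` in a `let` and referencing `ssh8022 = sshSpipedSecret;` in each host, keeps the path and owner from drifting between hosts. Because all three hosts decrypt the same `secrets/ssh8022.age`, they share one symmetric spiped key, and compromise of the key on any one host affects every host's 8022 listener; that is a deliberate trade-off worth a one-line comment next to the secret. The enclosing host definitions start and end outside the hunks.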
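Review bot: `keyFile = config.age.secrets.ssh8022.path` reads a secret that flake.nix declares with `owner = "motiejus"`, but the decrypting daemon does not run as that user; if this is the upstream NixOS `services.spiped` module it runs as the `spiped` user, and agenix's default mode is `0400`, so the server-side key open would fail — either declare a separate secret for the daemon or set `group`/`mode` so both the daemon and the interactive user can read it. The upstream module also nests instances under `services.spiped.config.<name>` and spells the option `keyfile`, so the flat `services.spiped.{decrypt,source,target,keyFile}` form suggests a repo-local module I cannot see; worth confirming the configuration evaluates against the module actually in use. `source = "*:8022"` hardcodes the port that the firewall rule in the next hunk takes from `myData.ports.ssh8022`; `source = "*:${toString myData.ports.ssh8022}";` keeps the listener and the firewall rule tied to one constant. The `config = {` attrset continues past the end of the hunk.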
@@ -14,13 +22,20 @@
 };
 };
 programs.mosh.enable = true;
- programs.ssh.knownHosts =
- let
- sshAttrs = lib.genAttrs [
- "extraHostNames"
- "publicKey"
- ] (_: null);
- in
- lib.mapAttrs (_name: builtins.intersectAttrs sshAttrs) myData.hosts;
+ programs.ssh = {
+ knownHosts =
+ let
+ sshAttrs = lib.genAttrs [
+ "extraHostNames"
+ "publicKey"
+ ] (_: null);
+ in
+ lib.mapAttrs (_name: builtins.intersectAttrs sshAttrs) myData.hosts;
+ extraConfig = ''
+ Host dl.jakstys.lt
+ ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:8022 -k ${config.age.secrets.ssh8022.path}
+ '';
+ };
+ networking.firewall.allowedTCPPorts = [ myData.ports.ssh8022 ];
 };
 }
diff --git a/secrets/ssh8022.age b/secrets/ssh8022.age
new file mode 100644
index 0000000..63bde55
--- /dev/null
+++ b/secrets/ssh8022.age
@@ -0,0 +1,21 @@
+age-encryption.org/v1 +-> ssh-ed25519 2jMHjA LwcWJJsE+Bxp8jh8SEBWP9uvCzSZmoZS4ZMl9uJMPAI +fep9NQNMXRWMzr1aMxEoyBxDrtoEseiOYIASvbwqWzE +-> ssh-ed25519 lDWJbA gTK00r+NKJ8gH95x6S1hztsfXFRSFIRY9iE4JhXO2w0 +gkzvdNWKhmivbvMBXcHjK45YS5LS/to6CxavhTvdMQ8 +-> ssh-ed25519 CBqt6Q 4T7LQ/OiH9TCN32Ts6R27iQUua7CZI8mSzB0Ug8vXwY +wfNRUMgA4QhBaRk1NDHxowS5xw7mdDjYGqsqMEJhNCw +-> ssh-ed25519 fqSa6A h1xUFF4cbMu0WroXtf0SHQWGb/hiqgveE0yawoPjvy4 +RJLxwdrgrfyzVYYpwAiI6VH0vx+pcL57JWZwL/FttEE +-> ssh-ed25519 9Chcgw lqtnkWmVgqjQHFDakzOaJMEIY0Y3bRXTzIilNFWmSSk +nOEDJ7rFyfs2Bmt6LDAJ2ebsGuTSA4ukqgJRnSPi8yw +-> X25519 mp/GibjENvRmB/LTqx9wxAr/Ud96Ay/xebYxuJc+9Fg +iEUgyYZRWGjYc9jXLbrwpMlRn80xo2QX3uKyrs3gUb8 +-> X25519 ssEKm23YzhCwEru9uAvJusZgXhzLNMBpPyOfI2dMRRw +BmFN6tRXLGPnX9STBspq6lJRU3iWCdB8G05cS51VLX4 +-> piv-p256 +y2G/w A6zPbX9nW+T1aGKpcsi8dqVR6/STS4Fk9fW/AxcppdJC +AVAi2EU7Vs/2pnIjP3MmMtZaKMHMlSz6fKfa7hdMrSw +-> piv-p256 jNqd3A AibOWW5KGacF2bXaHn95WyczuWWfAu+VJS48blfTfDD8 +ir1xhw2j5DUMeff2rUxmqrMWSD6ueKP2BdxB4eKCtlQ +--- EidnuJylAMuaYDBsFOkNCsLNkoTtIxuBz49EK0k3mNo +fe0ۚ]ufq5AiO">7Bپ9#[*cԻCly \ No newline at end of file
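Review bot: The ProxyCommand in `extraConfig` hardcodes `%h:8022` while the firewall line two lines below reads `myData.ports.ssh8022`, so the client port can drift from the listener it is meant to reach; `ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:${toString myData.ports.ssh8022} -k ${config.age.secrets.ssh8022.path}` ties it to the same constant (the `source = "*:8022"` literal in the previous hunk has the same problem). Two operational points deserve a comment on the spiped block: as far as I know spiped forwards plain TCP without any client-address passthrough, so every tunnelled session reaches sshd from `127.0.0.1`, which defeats `Match Address` rules, `from=` restrictions on authorized keys and any log-based rate limiting keyed on source IP; and this hunk only opens 8022, so sshd on 22 stays directly reachable unless that port is closed elsewhere, which is not visible here. The `config = {` attrset this hunk closes starts outside the hunk.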