sshd8022: init

2024-08-24 21:14:47 +03:00 · 2024-08-24 21:14:47 +03:00 · 5aadaee1d0
commit 5aadaee1d0
parent 9b637a59e9
4 changed files with 61 additions and 9 deletions
--- a/data.nix
+++ b/data.nix
@ -27,6 +27,7 @@ rec {
    soju = 6697;
    soju-ws = 6698;
    matrix-synapse = 8008;
    ssh8022 = 8022;
    vaultwarden = 8222;
    headscale = 8080;
    hass = 8123;
--- a/flake.nix
+++ b/flake.nix
@ -222,6 +222,11 @@
                syncthing-key.file = ./secrets/vno1-gdrx/syncthing/key.pem.age;
                syncthing-cert.file = ./secrets/vno1-gdrx/syncthing/cert.pem.age;
                ssh8022 = {
                  file = ./secrets/ssh8022.age;
                  owner = "motiejus";
                };
              };
            }
          ];
@ -249,6 +254,11 @@
                sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
                datapool-passphrase.file = ./secrets/vno3-rp3b/datapool-passphrase.age;
                ssh8022 = {
                  file = ./secrets/ssh8022.age;
                  owner = "motiejus";
                };
              };
            }
          ];
@ -273,6 +283,11 @@
                motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
                root-passwd-hash.file = ./secrets/root_passwd_hash.age;
                sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
                ssh8022 = {
                  file = ./secrets/ssh8022.age;
                  owner = "motiejus";
                };
              };
            }
          ];
--- a/modules/base/sshd/default.nix
+++ b/modules/base/sshd/default.nix
@ -1,11 +1,19 @@
 {
  config,
  lib,
  config,
  pkgs,
  myData,
  ...
 }:
 {
  config = {
    services.spiped = {
      enable = true;
      decrypt = true;
      source = "*:8022";
      target = "127.0.0.1:22";
      keyFile = config.age.secrets.ssh8022.path;
    };
    services.openssh = {
      enable = true;
      settings = {
@ -14,7 +22,8 @@
      };
    };
    programs.mosh.enable = true;
-    programs.ssh.knownHosts =
+    programs.ssh = {
      knownHosts =
        let
          sshAttrs = lib.genAttrs [
            "extraHostNames"
@ -22,5 +31,11 @@
          ] (_: null);
        in
        lib.mapAttrs (_name: builtins.intersectAttrs sshAttrs) myData.hosts;
      extraConfig = ''
        Host dl.jakstys.lt
        ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:8022 -k ${config.age.secrets.ssh8022.path}
      '';
    };
    networking.firewall.allowedTCPPorts = [ myData.ports.ssh8022 ];
  };
 }
--- a/secrets/ssh8022.age
+++ b/secrets/ssh8022.age
@ -0,0 +1,21 @@
 age-encryption.org/v1
 -> ssh-ed25519 2jMHjA LwcWJJsE+Bxp8jh8SEBWP9uvCzSZmoZS4ZMl9uJMPAI
 fep9NQNMXRWMzr1aMxEoyBxDrtoEseiOYIASvbwqWzE
 -> ssh-ed25519 lDWJbA gTK00r+NKJ8gH95x6S1hztsfXFRSFIRY9iE4JhXO2w0
 gkzvdNWKhmivbvMBXcHjK45YS5LS/to6CxavhTvdMQ8
 -> ssh-ed25519 CBqt6Q 4T7LQ/OiH9TCN32Ts6R27iQUua7CZI8mSzB0Ug8vXwY
 wfNRUMgA4QhBaRk1NDHxowS5xw7mdDjYGqsqMEJhNCw
 -> ssh-ed25519 fqSa6A h1xUFF4cbMu0WroXtf0SHQWGb/hiqgveE0yawoPjvy4
 RJLxwdrgrfyzVYYpwAiI6VH0vx+pcL57JWZwL/FttEE
 -> ssh-ed25519 9Chcgw lqtnkWmVgqjQHFDakzOaJMEIY0Y3bRXTzIilNFWmSSk
 nOEDJ7rFyfs2Bmt6LDAJ2ebsGuTSA4ukqgJRnSPi8yw
 -> X25519 mp/GibjENvRmB/LTqx9wxAr/Ud96Ay/xebYxuJc+9Fg
 iEUgyYZRWGjYc9jXLbrwpMlRn80xo2QX3uKyrs3gUb8
 -> X25519 ssEKm23YzhCwEru9uAvJusZgXhzLNMBpPyOfI2dMRRw
 BmFN6tRXLGPnX9STBspq6lJRU3iWCdB8G05cS51VLX4
 -> piv-p256 +y2G/w A6zPbX9nW+T1aGKpcsi8dqVR6/STS4Fk9fW/AxcppdJC
 AVAi2EU7Vs/2pnIjP3MmMtZaKMHMlSz6fKfa7hdMrSw
 -> piv-p256 jNqd3A AibOWW5KGacF2bXaHn95WyczuWWfAu+VJS48blfTfDD8
 ir1xhw2j5DUMeff2rUxmqrMWSD6ueKP2BdxB4eKCtlQ
 --- EidnuJylAMuaYDBsFOkNCsLNkoTtIxuBz49EK0k3mNo
 ÷˜Š‚“‚fe<EFBFBD>0ÛšË]ufÃq5AýÙéiO">7BÙ¾9®‹#É×[Œ™*cŸ÷Ô»è´CÁl‰û<E280B0>yŠ¦ó