sshd8022: init

This commit is contained in:
Motiejus Jakštys 2024-08-24 21:14:47 +03:00
parent 9b637a59e9
commit 5aadaee1d0
4 changed files with 61 additions and 9 deletions


@ -27,6 +27,7 @@ rec {
soju = 6697; soju = 6697;
soju-ws = 6698; soju-ws = 6698;
matrix-synapse = 8008; matrix-synapse = 8008;
ssh8022 = 8022;
vaultwarden = 8222; vaultwarden = 8222;
headscale = 8080; headscale = 8080;
hass = 8123; hass = 8123;


@ -222,6 +222,11 @@
syncthing-key.file = ./secrets/vno1-gdrx/syncthing/key.pem.age; syncthing-key.file = ./secrets/vno1-gdrx/syncthing/key.pem.age;
syncthing-cert.file = ./secrets/vno1-gdrx/syncthing/cert.pem.age; syncthing-cert.file = ./secrets/vno1-gdrx/syncthing/cert.pem.age;
ssh8022 = {
file = ./secrets/ssh8022.age;
owner = "motiejus";
};
}; };
} }
]; ];
@ -249,6 +254,11 @@
sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
datapool-passphrase.file = ./secrets/vno3-rp3b/datapool-passphrase.age; datapool-passphrase.file = ./secrets/vno3-rp3b/datapool-passphrase.age;
ssh8022 = {
file = ./secrets/ssh8022.age;
owner = "motiejus";
};
}; };
} }
]; ];
@ -273,6 +283,11 @@
motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
root-passwd-hash.file = ./secrets/root_passwd_hash.age; root-passwd-hash.file = ./secrets/root_passwd_hash.age;
sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
ssh8022 = {
file = ./secrets/ssh8022.age;
owner = "motiejus";
};
}; };
} }
]; ];
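Review bot: The same spiped key is declared with `owner = "motiejus"` on all three hosts, but the decrypt-side `services.spiped` daemon that consumes `config.age.secrets.ssh8022.path` on the server also has to read it, and with agenix's default mode the file is readable only by that owner; unless the daemon itself runs as motiejus (which it should not), it will fail to open the key, so the owner or a `group`/`mode` matching the spiped service account needs to be set here. I cannot see from this hunk which user the spiped service runs as, so confirm against the module before choosing between `owner`, `group` and `mode`. The three identical blocks could also live once in the module that enables spiped, keeping the secret declaration next to its consumer instead of repeated per host.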


@ -1,11 +1,19 @@
{ {
config,
lib, lib,
config,
pkgs,
myData, myData,
... ...
}: }:
{ {
config = { config = {
services.spiped = {
enable = true;
decrypt = true;
source = "*:8022";
target = "127.0.0.1:22";
keyFile = config.age.secrets.ssh8022.path;
};
services.openssh = { services.openssh = {
enable = true; enable = true;
settings = { settings = {
@ -14,13 +22,20 @@
}; };
}; };
programs.mosh.enable = true; programs.mosh.enable = true;
programs.ssh.knownHosts = programs.ssh = {
let knownHosts =
sshAttrs = lib.genAttrs [ let
"extraHostNames" sshAttrs = lib.genAttrs [
"publicKey" "extraHostNames"
] (_: null); "publicKey"
in ] (_: null);
lib.mapAttrs (_name: builtins.intersectAttrs sshAttrs) myData.hosts; in
lib.mapAttrs (_name: builtins.intersectAttrs sshAttrs) myData.hosts;
extraConfig = ''
Host dl.jakstys.lt
ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:8022 -k ${config.age.secrets.ssh8022.path}
'';
};
networking.firewall.allowedTCPPorts = [ myData.ports.ssh8022 ];
}; };
} }
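Review bot: The listening port is written as the literal `8022` in both `source = "*:8022"` and the `spipe -t %h:8022` ProxyCommand, while the firewall rule on the last added line uses `myData.ports.ssh8022`; a later change to that constant would open one port and listen on another, so use `source = "*:${toString myData.ports.ssh8022}";` and `ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:${toString myData.ports.ssh8022} -k ${config.age.secrets.ssh8022.path}`. Note also that wrapping sshd in spiped only reduces exposure if plain port 22 stops being reachable from outside; nothing in this hunk closes it, and the `services.openssh` block continues past the hunk, so check whether `openFirewall` is still at its default there. The spiped key is a shared symmetric secret, so every host carrying `secrets/ssh8022.age` can impersonate the dl.jakstys.lt endpoint to the others; that is inherent to spiped but worth a comment above `services.spiped`, e.g. `# shared symmetric key: any host holding it can decrypt/forge the 8022 tunnel`.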

21
secrets/ssh8022.age Normal file

@ -0,0 +1,21 @@
age-encryption.org/v1
-> ssh-ed25519 2jMHjA LwcWJJsE+Bxp8jh8SEBWP9uvCzSZmoZS4ZMl9uJMPAI
fep9NQNMXRWMzr1aMxEoyBxDrtoEseiOYIASvbwqWzE
-> ssh-ed25519 lDWJbA gTK00r+NKJ8gH95x6S1hztsfXFRSFIRY9iE4JhXO2w0
gkzvdNWKhmivbvMBXcHjK45YS5LS/to6CxavhTvdMQ8
-> ssh-ed25519 CBqt6Q 4T7LQ/OiH9TCN32Ts6R27iQUua7CZI8mSzB0Ug8vXwY
wfNRUMgA4QhBaRk1NDHxowS5xw7mdDjYGqsqMEJhNCw
-> ssh-ed25519 fqSa6A h1xUFF4cbMu0WroXtf0SHQWGb/hiqgveE0yawoPjvy4
RJLxwdrgrfyzVYYpwAiI6VH0vx+pcL57JWZwL/FttEE
-> ssh-ed25519 9Chcgw lqtnkWmVgqjQHFDakzOaJMEIY0Y3bRXTzIilNFWmSSk
nOEDJ7rFyfs2Bmt6LDAJ2ebsGuTSA4ukqgJRnSPi8yw
-> X25519 mp/GibjENvRmB/LTqx9wxAr/Ud96Ay/xebYxuJc+9Fg
iEUgyYZRWGjYc9jXLbrwpMlRn80xo2QX3uKyrs3gUb8
-> X25519 ssEKm23YzhCwEru9uAvJusZgXhzLNMBpPyOfI2dMRRw
BmFN6tRXLGPnX9STBspq6lJRU3iWCdB8G05cS51VLX4
-> piv-p256 +y2G/w A6zPbX9nW+T1aGKpcsi8dqVR6/STS4Fk9fW/AxcppdJC
AVAi2EU7Vs/2pnIjP3MmMtZaKMHMlSz6fKfa7hdMrSw
-> piv-p256 jNqd3A AibOWW5KGacF2bXaHn95WyczuWWfAu+VJS48blfTfDD8
ir1xhw2j5DUMeff2rUxmqrMWSD6ueKP2BdxB4eKCtlQ
--- EidnuJylAMuaYDBsFOkNCsLNkoTtIxuBz49EK0k3mNo
÷˜Šfe<EFBFBD>0ÛšË]ufÃq5AýÙéiO">7BÙ¾9®#É×[Œ™*cŸ÷Ô»è´CÁl‰û<E280B0>¦ó