path: root/modules/openssh.nix
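{
  config,
  options,
  lib,
  pkgs,
  ...
}:
# OpenSSH profile for this configuration set.
#
# `client.enable` installs the user-level SSH client configuration (through
# this repo's `hm` hook, presumably a home-manager shorthand) together with
# mosh, sshfs and sshpass.  `server.enable` runs sshd with key-only
# authentication, enables mosh, and adds a fail2ban jail for sshd.
let
  cfg = config.nixfiles.modules.openssh;
in
{
  options.nixfiles.modules.openssh = {
    client.enable = lib.mkEnableOption "OpenSSH client";

    server = {
      enable = lib.mkEnableOption "OpenSSH server";

      ports = lib.mkOption {
        description = "Ports.";
        # Borrow the upstream option's type so values are checked exactly as
        # `services.openssh.ports` would check them.
        inherit (options.services.openssh.ports) type;
        default = [ 22022 ]; # Port 22 should be occupied by a tarpit by default.
      };
    };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.client.enable {
      hm = {
        home.packages = with pkgs; [
          mosh
          sshfs
          # sshpass takes passwords on the command line / environment; it is
          # a convenience for scripted logins only, key auth is the norm here.
          sshpass
        ];

        programs.ssh = {
          enable = true;

          # Hash host names in known_hosts so the file does not reveal which
          # hosts this user talks to if it is ever exposed.
          hashKnownHosts = true;

          # Connection multiplexing: reuse one authenticated connection per
          # user@host:port for 15 minutes after the last session closes.
          controlMaster = "auto";
          controlPersist = "15m";
          controlPath = "${config.my.home}/.ssh/S.%r@%n:%p";

          # Keepalive probe every 60 s; give up after 30 unanswered probes
          # (30 minutes) so dead links are eventually torn down.
          serverAliveCountMax = 30;
          serverAliveInterval = 60;

          matchBlocks =
            let
              # One entry per configuration that declares a `wireguard`
              # attribute, reached as `<name>.<shire domain>`.
              internalServers =
                lib.my.configurations
                |> lib.filterAttrs (_: attr: lib.hasAttr "wireguard" attr)
                |> lib.mapAttrs (
                  name: _: {
                    hostname = "${name}.${lib.my.domain.shire}";
                  }
                );
            in
            # `x |> lib.recursiveUpdate internalServers` is
            # `lib.recursiveUpdate internalServers x`, so the hand-written
            # blocks below take precedence over generated ones of the same name.
            {
              gitolite = {
                user = "git";
                hostname = "git.${lib.my.domain.shire}";
              };
            }
            |> lib.recursiveUpdate internalServers
            |> lib.mapAttrs' (
              name:
              {
                hostname ? name,
                # Must match the server-side default in `cfg.server.ports`
                # above; the two are not derived from each other because
                # client and server live on different hosts.
                port ? 22022,
                user ? lib.my.username,
              }:
              lib.nameValuePair name {
                inherit
                  hostname
                  port
                  user
                  ;
                # Agent forwarding lets the remote host use the local agent's
                # keys for the lifetime of the session.  Every block produced
                # here inherits it, so only hosts this user already fully
                # trusts should end up in `internalServers`.
                forwardAgent = true;
              }
            );
        };
      };
    })
    (lib.mkIf cfg.server.enable {
      # Host keys handed to the `ark` module (this repo's own option; presumably
      # persistence/backup so the host identity survives a rebuild — verify).
      ark.files = [
        "/etc/ssh/ssh_host_ed25519_key"
        "/etc/ssh/ssh_host_ed25519_key.pub"
        "/etc/ssh/ssh_host_rsa_key"
        "/etc/ssh/ssh_host_rsa_key.pub"
      ];

      programs.mosh.enable = true;

      services = {
        openssh = {
          enable = true;
          inherit (cfg.server) ports;
          settings = {
            # Key-only authentication.  `PasswordAuthentication = false` on its
            # own still leaves the PAM keyboard-interactive path (which NixOS
            # enables by default) able to accept passwords, so both are off.
            PasswordAuthentication = false;
            KbdInteractiveAuthentication = false;
            PermitRootLogin = "no";
            # Remove a stale unix-domain socket before binding a forwarded one,
            # otherwise a leftover socket from a previous session blocks it.
            StreamLocalBindUnlink = true;
          };
        };

        # Aggressive mode widens the sshd failregex set so more failure
        # patterns count towards a ban.
        fail2ban.jails.sshd = {
          enabled = true;
          settings.mode = "aggressive";
        };
      };
    })
  ];
}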
