From b86fa030eca47834901d2d44d1b3edc601cbab3c Mon Sep 17 00:00:00 2001
From: madmin
Date: Fri, 9 Aug 2024 10:53:24 +0200
Subject: [PATCH] feat(systems/optional/services; vars): add vars/networking, add openssh
---
 systems/common/optional/services/openssh.nix | 42 ++++++++++++++++++++
 vars/default.nix | 4 +-
 vars/networking.nix | 4 +-
 3 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 systems/common/optional/services/openssh.nix
diff --git a/systems/common/optional/services/openssh.nix b/systems/common/optional/services/openssh.nix
new file mode 100644
index 0000000..29bb75f
--- /dev/null
+++ b/systems/common/optional/services/openssh.nix
@@ -0,0 +1,42 @@
+{ lib, config, configVars, ... }:
+let
+ sshPort = configVars.networking.sshPort;
+
+ # Sops needs access to the keys before the persist dirs are even mounted; so
+ # just persisting the keys won't work, we must point at /persist
+ hasOptinPersistence = false;
+in
+
+{
+ services.openssh = {
+ enable = true;
+ ports = [ sshPort ];
+
+ settings = {
+ # Harden
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ # Automatically remove stale sockets
+ StreamLocalBindUnlink = "yes";
+ # Allow forwarding ports to everywhere
+ GatewayPorts = "clientspecified";
+ };
+
+ hostKeys = [{
+ path = "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }];
+ # Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611
+ authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
+ };
+ # yubikey login / sudo
+ # this potentially causes a security issue that we mitigated above
+ security.pam = {
+ sshAgentAuth.enable = true;
+ services = {
+ sudo.u2fAuth = true;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ sshPort ];
+}
diff --git a/vars/default.nix b/vars/default.nix
index 1c87139..9e2973b 100644
--- a/vars/default.nix
+++ b/vars/default.nix
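Review bot: The comment `# this potentially causes a security issue that we mitigated above` covers only the ssh-agent path, but the `sudo.u2fAuth = true` line below it enables pam_u2f for sudo as well, and unless a root-owned mapping file is configured for it, pam_u2f falls back to a per-user keys file under the user's home directory, which reintroduces the same user-writable trust anchor that the `authorizedKeysFiles` override closes. I'd extend the comment to name both paths and point pam_u2f at a system-wide `authfile` (or say where that is already done). Separately, `hasOptinPersistence = false` is a fixed literal, so the `lib.optionalString` branch in the `hostKeys` path is dead and the `config` argument is unused; either derive the flag from the actual persistence option or drop the branch and the argument. `networking.firewall.allowedTCPPorts = [ sshPort ];` duplicates what the openssh module's default `openFirewall = true` already does for `ports`, so it can likely be removed. `GatewayPorts = "clientspecified"` lets a remote forward bind on non-loopback addresses whenever the client asks; the firewall still decides which of those ports are reachable, which is worth stating in the `# Allow forwarding ports to everywhere` comment.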
@@ -1,9 +1,11 @@
 { inputs, lib }:
 {
+ networking = import ./networking.nix { inherit lib; };
+
 username = "laozi";
 #domain = inputs.nix-secrets.domain;
 #userFullName = inputs.nix-secrets.full-name;
- #handle = "madmin";
+ handle = "madmin";
 #userEmail = inputs.nix-secrets.user-email;
 #gitEmail = "madmin@noreply.codeberg.org";
 #workEmail = inputs.nix-secrets.work-email;
diff --git a/vars/networking.nix b/vars/networking.nix
index 4b42ce7..88ea9e7 100644
--- a/vars/networking.nix
+++ b/vars/networking.nix
@@ -1,2 +1,4 @@
 { ... }:
-{}
+{
+ sshPort = 22;
+}
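Review bot: `networking = import ./networking.nix { inherit lib; };` passes `lib` to a file whose function head is `{ ... }:` (added in the vars/networking.nix hunk of this same patch) and which never uses it, so the argument is noise. Either drop it, `networking = import ./networking.nix { };`, or, if the intent is to give networking.nix access to `lib` later, name it explicitly in that file's argument set so the dependency is visible. The same applies to the `{ ... }:` head in the networking.nix hunk, which silently accepts any attribute set.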
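Review bot: `sshPort = 22;` is consumed by the new openssh module for both `services.openssh.ports` and the firewall rule, so a one-line comment at the definition would save a reader the lookup: `# TCP port sshd listens on and the firewall opens; read by systems/common/optional/services/openssh.nix`. Since the value is the default port, it is also worth noting in that comment that changing it here is the single place to move sshd off port 22.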