feat(systems/optional/services; vars): add vars/networking, add openssh

systems/common/optional/services/openssh.nix

@@ -0,0 +1,42 @@
+{ lib, config, configVars, ... }:
+let
+  sshPort = configVars.networking.sshPort;
+
+  # Sops needs access to the keys before the persist dirs are even mounted; so
+  # just persisting the keys won't work, we must point at /persist
+  hasOptinPersistence = false;
+in
+
+{
+  services.openssh = {
+    enable = true;
+    ports = [ sshPort ];
+
+    settings = {
+      # Harden
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+      # Automatically remove stale sockets
+      StreamLocalBindUnlink = "yes";
+      # Allow forwarding ports to everywhere
+      GatewayPorts = "clientspecified";
+    };
+
+    hostKeys = [{
+      path = "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key";
+      type = "ed25519";
+    }];
+    # Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611
+    authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ];
+  };
+  # yubikey login / sudo
+  # this potentially causes a security issue that we mitigated above
+  security.pam = {
+    sshAgentAuth.enable = true;
+    services = {
+      sudo.u2fAuth = true;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ sshPort ];
+}

vars/default.nix

@@ -1,9 +1,11 @@
 { inputs, lib }:
 {
+  networking = import ./networking.nix { inherit lib; };
+  
   username = "laozi";
   #domain = inputs.nix-secrets.domain;
   #userFullName = inputs.nix-secrets.full-name;
-  #handle = "madmin";
+  handle = "madmin";
   #userEmail = inputs.nix-secrets.user-email;
   #gitEmail = "madmin@noreply.codeberg.org";
   #workEmail = inputs.nix-secrets.work-email;

vars/networking.nix

@@ -1,2 +1,4 @@
 { ... }:
-{}
+{
+  sshPort = 22;
+}