Sovran_Systems/Sovran_SystemsOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add remote deployment mode (remote-deploy.nix, headless installer, ISO SSH/mDNS)

Browse Source 
Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/8e2ed0be-2db9-4437-81d7-c6efec45d6db

Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-04-11 22:27:55 +00:00
committed by GitHub
parent 357624193b
commit 6fc66ba13f
4 changed files with 392 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

117
modules/core/remote-deploy.nix Normal file
View File

@@ -0,0 +1,117 @@
{ config, lib, pkgs, ... }:
let
cfg = config.sovran_systemsOS.deploy;
in
{
options.sovran_systemsOS.deploy = {
enable = lib.mkEnableOption "Remote deploy mode";
relayHost = lib.mkOption {
type = lib.types.str;
default = "";
description = "SSH relay server hostname or IP for the reverse tunnel";
};
relayPort = lib.mkOption {
type = lib.types.port;
default = 22;
description = "SSH port on the relay server";
};
relayUser = lib.mkOption {
type = lib.types.str;
default = "deploy";
description = "Username on the relay server";
};
reverseTunnelPort = lib.mkOption {
type = lib.types.port;
default = 2222;
description = "Port on the relay that maps back to this machine's SSH (port 22)";
};
authorizedKey = lib.mkOption {
type = lib.types.str;
default = "";
description = "Deployer's SSH public key for root access";
};
};
config = lib.mkIf cfg.enable {
# ── Force SSH open on all interfaces ────────────────────────────────────
services.openssh = {
enable = true;
listenAddresses = lib.mkForce [
{ addr = "0.0.0.0"; port = 22; }
{ addr = "127.0.0.1"; port = 22; }
];
settings = {
PermitRootLogin = lib.mkForce "prohibit-password";
PasswordAuthentication = lib.mkForce false;
};
};
networking.firewall.allowedTCPPorts = [ 22 ];
# ── Inject deployer's SSH public key into root's authorized keys ─────────
users.users.root.openssh.authorizedKeys.keys =
lib.mkIf (cfg.authorizedKey != "") [ cfg.authorizedKey ];
# ── Force RDP on ─────────────────────────────────────────────────────────
sovran_systemsOS.features.rdp = lib.mkForce true;
# ── Enable Fail2Ban for SSH protection ───────────────────────────────────
services.fail2ban = {
enable = true;
ignoreIP = [ "127.0.0.0/8" ];
};
# ── Reverse tunnel service (only when relayHost is configured) ───────────
systemd.services.deploy-reverse-tunnel = lib.mkIf (cfg.relayHost != "") {
description = "Deploy reverse SSH tunnel to ${cfg.relayHost}";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" "sshd.service" ];
wants = [ "network-online.target" ];
serviceConfig = {
Restart = "always";
RestartSec = "10s";
ExecStart = "${pkgs.openssh}/bin/ssh"
+ " -o StrictHostKeyChecking=accept-new"
+ " -o ServerAliveInterval=30"
+ " -o ServerAliveCountMax=3"
+ " -o ExitOnForwardFailure=yes"
+ " -i /var/lib/secrets/deploy-relay-key"
+ " -N"
+ " -R ${toString cfg.reverseTunnelPort}:localhost:22"
+ " -p ${toString cfg.relayPort}"
+ " ${cfg.relayUser}@${cfg.relayHost}";
};
path = [ pkgs.openssh ];
};
# ── Safety auto-expiry service ────────────────────────────────────────────
systemd.services.deploy-auto-expire = {
description = "Auto-expire remote deploy mode after 48 hours";
wantedBy = [ "multi-user.target" ];
after = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = false;
};
script = ''
# 48 hours = 172800 seconds
sleep $((48 * 60 * 60))
systemctl stop deploy-reverse-tunnel || true
mkdir -p /etc/sovran
echo "expired" > /etc/sovran/deploy-mode
'';
path = [ pkgs.coreutils ];
};
# ── Deploy-mode indicator file ────────────────────────────────────────────
environment.etc."sovran/deploy-mode".text = "active";
};
}