6fc66ba13f
Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/8e2ed0be-2db9-4437-81d7-c6efec45d6db Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
118 lines
4.1 KiB
Nix
118 lines
4.1 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
let
|
|
cfg = config.sovran_systemsOS.deploy;
|
|
in
|
|
|
|
{
|
|
options.sovran_systemsOS.deploy = {
|
|
enable = lib.mkEnableOption "Remote deploy mode";
|
|
|
|
relayHost = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "";
|
|
description = "SSH relay server hostname or IP for the reverse tunnel";
|
|
};
|
|
|
|
relayPort = lib.mkOption {
|
|
type = lib.types.port;
|
|
default = 22;
|
|
description = "SSH port on the relay server";
|
|
};
|
|
|
|
relayUser = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "deploy";
|
|
description = "Username on the relay server";
|
|
};
|
|
|
|
reverseTunnelPort = lib.mkOption {
|
|
type = lib.types.port;
|
|
default = 2222;
|
|
description = "Port on the relay that maps back to this machine's SSH (port 22)";
|
|
};
|
|
|
|
authorizedKey = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "";
|
|
description = "Deployer's SSH public key for root access";
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
|
|
# ── Force SSH open on all interfaces ────────────────────────────────────
|
|
services.openssh = {
|
|
enable = true;
|
|
listenAddresses = lib.mkForce [
|
|
{ addr = "0.0.0.0"; port = 22; }
|
|
{ addr = "127.0.0.1"; port = 22; }
|
|
];
|
|
settings = {
|
|
PermitRootLogin = lib.mkForce "prohibit-password";
|
|
PasswordAuthentication = lib.mkForce false;
|
|
};
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ 22 ];
|
|
|
|
# ── Inject deployer's SSH public key into root's authorized keys ─────────
|
|
users.users.root.openssh.authorizedKeys.keys =
|
|
lib.mkIf (cfg.authorizedKey != "") [ cfg.authorizedKey ];
|
|
|
|
# ── Force RDP on ─────────────────────────────────────────────────────────
|
|
sovran_systemsOS.features.rdp = lib.mkForce true;
|
|
|
|
# ── Enable Fail2Ban for SSH protection ───────────────────────────────────
|
|
services.fail2ban = {
|
|
enable = true;
|
|
ignoreIP = [ "127.0.0.0/8" ];
|
|
};
|
|
|
|
# ── Reverse tunnel service (only when relayHost is configured) ───────────
|
|
systemd.services.deploy-reverse-tunnel = lib.mkIf (cfg.relayHost != "") {
|
|
description = "Deploy reverse SSH tunnel to ${cfg.relayHost}";
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network-online.target" "sshd.service" ];
|
|
wants = [ "network-online.target" ];
|
|
serviceConfig = {
|
|
Restart = "always";
|
|
RestartSec = "10s";
|
|
ExecStart = "${pkgs.openssh}/bin/ssh"
|
|
+ " -o StrictHostKeyChecking=accept-new"
|
|
+ " -o ServerAliveInterval=30"
|
|
+ " -o ServerAliveCountMax=3"
|
|
+ " -o ExitOnForwardFailure=yes"
|
|
+ " -i /var/lib/secrets/deploy-relay-key"
|
|
+ " -N"
|
|
+ " -R ${toString cfg.reverseTunnelPort}:localhost:22"
|
|
+ " -p ${toString cfg.relayPort}"
|
|
+ " ${cfg.relayUser}@${cfg.relayHost}";
|
|
};
|
|
path = [ pkgs.openssh ];
|
|
};
|
|
|
|
# ── Safety auto-expiry service ────────────────────────────────────────────
|
|
systemd.services.deploy-auto-expire = {
|
|
description = "Auto-expire remote deploy mode after 48 hours";
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "multi-user.target" ];
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
RemainAfterExit = false;
|
|
};
|
|
script = ''
|
|
# 48 hours = 172800 seconds
|
|
sleep $((48 * 60 * 60))
|
|
systemctl stop deploy-reverse-tunnel || true
|
|
mkdir -p /etc/sovran
|
|
echo "expired" > /etc/sovran/deploy-mode
|
|
'';
|
|
path = [ pkgs.coreutils ];
|
|
};
|
|
|
|
# ── Deploy-mode indicator file ────────────────────────────────────────────
|
|
environment.etc."sovran/deploy-mode".text = "active";
|
|
};
|
|
}
|