reciproka-ops/modules/tmate-ssh-server.nix

{
  lib,
  pkgs,
  config,
  ...
}:
# CVE-2021-44512: fixed in master branch
# CVE-2021-44513: fixed in master branch
# Introduces compatability with tmate client in NixOS
#
# TODO:
# Add options for all the variables
# Configure websockets
# Deploy web UI from tmate-master repo
with lib; let
  tmate-ssh-server = pkgs.tmate-ssh-server.overrideAttrs (
    old: {
      src = pkgs.fetchFromGitHub {
        owner = "tmate-io";
        repo = "tmate-ssh-server";
        rev = "1f314123df2bb29cb07427ed8663a81c8d9034fd";
        sha256 = "sha256-9/xlMvtkNWUBRYYnJx20qEgtEcjagH2NtEKZcDOM1BY=";
      };
      version = "master";
    }
  );
  cfg = config.services.tmate;
in {
  options.services.tmate = {
    enable = mkEnableOption "tmate service";
    sshHostname = mkOption {
      type = types.str;
      default = "localhost";
      description = ''
        configures the SSH hostname to advertise to tmate hosts
      '';
    };
    sshPortListen = mkOption {
      type = types.port;
      default = 2200;
      description = ''
        port on which the SSH server should listen
      '';
    };
    sshKeysPath = mkOption {
      type = types.str;
      default = "${cfg.dataDir}/keys";
      description = ''
        path where the ssh keys are located (mandatory)
      '';
    };
    openFirewall = mkOption {
      type = types.bool;
      default = false;
      description = ''
        fix me
      '';
    };
    dataDir = mkOption {
      type = types.str;
      default = "/var/lib/tmate";
      example = "/var/lib/tmate";
      description = ''
        tmate service working directory
      '';
    };
    user = mkOption {
      type = types.str;
      default = "root";
      description = ''
        User account under which the tmate service runs
      '';
    };
    group = mkOption {
      type = types.str;
      default = "root";
      description = ''
        Group under which the tmate service runs.
      '';
    };
  };

  config = mkIf cfg.enable {
    networking.firewall = {
      allowedTCPPorts = mkIf cfg.openFirewall [
        cfg.sshPortListen
      ];
    };
    systemd.services.tmate = {
      path = [pkgs.openssh];
      #execStart = ''
      #  mkdir -p '${cfg.sshKeysPath}'
      #  chmod 0600 '${cfg.dataDir}'
      #'';
      preStart = ''
        gen_key() {
          keytype=$1
          ks=$keytype"_"
          key="${cfg.sshKeysPath}/ssh_host_"$ks"key"
          if [ ! -e $key ] ; then
            ssh-keygen -t $keytype -f $key -N ""
            echo ""
          fi
          SIG=$(ssh-keygen -l -E SHA256 -f "$key.pub" | cut -d ' ' -f 2)
        }

        mkdir -p '${cfg.sshKeysPath}'
        gen_key rsa
        RSA_SIG=$SIG
        gen_key ed25519
        ED25519_SIG=$SIG

        {
        echo "set -g tmate-server-host ${cfg.sshHostname}"
        echo "set -g tmate-server-port ${toString cfg.sshPortListen}"
        echo "set -g tmate-server-rsa-fingerprint $RSA_SIG"
        echo "set -g tmate-server-ed25519-fingerprint $ED25519_SIG"
        } > '${cfg.dataDir}/tmate.conf'
        echo 'Copy ${cfg.dataDir}/tmate.conf to ~/.tmate.conf to connect clients to this server'
      '';
      wants = ["network-online.target"];
      wantedBy = ["multi-user.target"];
      serviceConfig = {
        ExecStart = "${tmate-ssh-server}/bin/tmate-ssh-server -k ${cfg.sshKeysPath} -p ${toString cfg.sshPortListen} -h ${cfg.sshHostname}";
        WorkingDirectory = cfg.dataDir;
        User = cfg.user;
        Group = cfg.group;
      };
    };
    users = {
      users.tmate = {
        description = "tmate service";
        group = "tmate";
        isSystemUser = true;
        home = "${cfg.dataDir}";
        createHome = true;
      };
      groups = {
        tmate = {};
      };
    };
    nixpkgs.config.permittedInsecurePackages = [
      "tmate-ssh-server-master"
    ];
  };
}
tmux: initial deployment 2022-07-18 05:48:51 +00:00			`{`
			`lib,`
			`pkgs,`
			`config,`
			`...`
			`}:`
			`# CVE-2021-44512: fixed in master branch`
			`# CVE-2021-44513: fixed in master branch`
			`# Introduces compatability with tmate client in NixOS`
			`#`
			`# TODO:`
			`# Add options for all the variables`
			`# Configure websockets`
			`# Deploy web UI from tmate-master repo`
			`with lib; let`
			`tmate-ssh-server = pkgs.tmate-ssh-server.overrideAttrs (`
			`old: {`
			`src = pkgs.fetchFromGitHub {`
			`owner = "tmate-io";`
			`repo = "tmate-ssh-server";`
			`rev = "1f314123df2bb29cb07427ed8663a81c8d9034fd";`
			`sha256 = "sha256-9/xlMvtkNWUBRYYnJx20qEgtEcjagH2NtEKZcDOM1BY=";`
			`};`
			`version = "master";`
			`}`
			`);`
			`cfg = config.services.tmate;`
			`in {`
			`options.services.tmate = {`
			`enable = mkEnableOption "tmate service";`
			`sshHostname = mkOption {`
			`type = types.str;`
			`default = "localhost";`
			`description = ''`
			`configures the SSH hostname to advertise to tmate hosts`
			`'';`
			`};`
			`sshPortListen = mkOption {`
			`type = types.port;`
			`default = 2200;`
			`description = ''`
			`port on which the SSH server should listen`
			`'';`
			`};`
			`sshKeysPath = mkOption {`
			`type = types.str;`
			`default = "${cfg.dataDir}/keys";`
			`description = ''`
			`path where the ssh keys are located (mandatory)`
			`'';`
			`};`
			`openFirewall = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`fix me`
			`'';`
			`};`
			`dataDir = mkOption {`
			`type = types.str;`
			`default = "/var/lib/tmate";`
			`example = "/var/lib/tmate";`
			`description = ''`
			`tmate service working directory`
			`'';`
			`};`
			`user = mkOption {`
			`type = types.str;`
			`default = "root";`
			`description = ''`
			`User account under which the tmate service runs`
			`'';`
			`};`
			`group = mkOption {`
			`type = types.str;`
			`default = "root";`
			`description = ''`
			`Group under which the tmate service runs.`
			`'';`
			`};`
			`};`

			`config = mkIf cfg.enable {`
			`networking.firewall = {`
			`allowedTCPPorts = mkIf cfg.openFirewall [`
			`cfg.sshPortListen`
			`];`
			`};`
			`systemd.services.tmate = {`
			`path = [pkgs.openssh];`
			`#execStart = ''`
			`# mkdir -p '${cfg.sshKeysPath}'`
			`# chmod 0600 '${cfg.dataDir}'`
			`#'';`
			`preStart = ''`
			`gen_key() {`
			`keytype=$1`
			`ks=$keytype"_"`
			`key="${cfg.sshKeysPath}/ssh_host_"$ks"key"`
			`if [ ! -e $key ] ; then`
			`ssh-keygen -t $keytype -f $key -N ""`
			`echo ""`
			`fi`
			`SIG=$(ssh-keygen -l -E SHA256 -f "$key.pub" \| cut -d ' ' -f 2)`
			`}`

			`mkdir -p '${cfg.sshKeysPath}'`
			`gen_key rsa`
			`RSA_SIG=$SIG`
			`gen_key ed25519`
			`ED25519_SIG=$SIG`

			`{`
			`echo "set -g tmate-server-host ${cfg.sshHostname}"`
			`echo "set -g tmate-server-port ${toString cfg.sshPortListen}"`
			`echo "set -g tmate-server-rsa-fingerprint $RSA_SIG"`
			`echo "set -g tmate-server-ed25519-fingerprint $ED25519_SIG"`
			`} > '${cfg.dataDir}/tmate.conf'`
			`echo 'Copy ${cfg.dataDir}/tmate.conf to ~/.tmate.conf to connect clients to this server'`
			`'';`
			`wants = ["network-online.target"];`
			`wantedBy = ["multi-user.target"];`
			`serviceConfig = {`
			`ExecStart = "${tmate-ssh-server}/bin/tmate-ssh-server -k ${cfg.sshKeysPath} -p ${toString cfg.sshPortListen} -h ${cfg.sshHostname}";`
			`WorkingDirectory = cfg.dataDir;`
			`User = cfg.user;`
			`Group = cfg.group;`
			`};`
			`};`
			`users = {`
			`users.tmate = {`
			`description = "tmate service";`
			`group = "tmate";`
			`isSystemUser = true;`
			`home = "${cfg.dataDir}";`
			`createHome = true;`
			`};`
			`groups = {`
			`tmate = {};`
			`};`
			`};`
			`nixpkgs.config.permittedInsecurePackages = [`
			`"tmate-ssh-server-master"`
			`];`
			`};`
			`}`