reciproka-ops/modules/tmate-ssh-server.nix

147 lines
3.8 KiB
Nix
Raw Normal View History

2022-07-18 05:48:51 +00:00
{
lib,
pkgs,
config,
...
}:
# CVE-2021-44512: fixed in master branch
# CVE-2021-44513: fixed in master branch
# Introduces compatability with tmate client in NixOS
#
# TODO:
# Add options for all the variables
# Configure websockets
# Deploy web UI from tmate-master repo
with lib; let
tmate-ssh-server = pkgs.tmate-ssh-server.overrideAttrs (
old: {
src = pkgs.fetchFromGitHub {
owner = "tmate-io";
repo = "tmate-ssh-server";
rev = "1f314123df2bb29cb07427ed8663a81c8d9034fd";
sha256 = "sha256-9/xlMvtkNWUBRYYnJx20qEgtEcjagH2NtEKZcDOM1BY=";
};
version = "master";
}
);
cfg = config.services.tmate;
in {
options.services.tmate = {
enable = mkEnableOption "tmate service";
sshHostname = mkOption {
type = types.str;
default = "localhost";
description = ''
configures the SSH hostname to advertise to tmate hosts
'';
};
sshPortListen = mkOption {
type = types.port;
default = 2200;
description = ''
port on which the SSH server should listen
'';
};
sshKeysPath = mkOption {
type = types.str;
default = "${cfg.dataDir}/keys";
description = ''
path where the ssh keys are located (mandatory)
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
fix me
'';
};
dataDir = mkOption {
type = types.str;
default = "/var/lib/tmate";
example = "/var/lib/tmate";
description = ''
tmate service working directory
'';
};
user = mkOption {
type = types.str;
default = "root";
description = ''
User account under which the tmate service runs
'';
};
group = mkOption {
type = types.str;
default = "root";
description = ''
Group under which the tmate service runs.
'';
};
};
config = mkIf cfg.enable {
networking.firewall = {
allowedTCPPorts = mkIf cfg.openFirewall [
cfg.sshPortListen
];
};
systemd.services.tmate = {
path = [pkgs.openssh];
#execStart = ''
# mkdir -p '${cfg.sshKeysPath}'
# chmod 0600 '${cfg.dataDir}'
#'';
preStart = ''
gen_key() {
keytype=$1
ks=$keytype"_"
key="${cfg.sshKeysPath}/ssh_host_"$ks"key"
if [ ! -e $key ] ; then
ssh-keygen -t $keytype -f $key -N ""
echo ""
fi
SIG=$(ssh-keygen -l -E SHA256 -f "$key.pub" | cut -d ' ' -f 2)
}
mkdir -p '${cfg.sshKeysPath}'
gen_key rsa
RSA_SIG=$SIG
gen_key ed25519
ED25519_SIG=$SIG
{
echo "set -g tmate-server-host ${cfg.sshHostname}"
echo "set -g tmate-server-port ${toString cfg.sshPortListen}"
echo "set -g tmate-server-rsa-fingerprint $RSA_SIG"
echo "set -g tmate-server-ed25519-fingerprint $ED25519_SIG"
} > '${cfg.dataDir}/tmate.conf'
echo 'Copy ${cfg.dataDir}/tmate.conf to ~/.tmate.conf to connect clients to this server'
'';
wants = ["network-online.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
ExecStart = "${tmate-ssh-server}/bin/tmate-ssh-server -k ${cfg.sshKeysPath} -p ${toString cfg.sshPortListen} -h ${cfg.sshHostname}";
WorkingDirectory = cfg.dataDir;
User = cfg.user;
Group = cfg.group;
};
};
users = {
users.tmate = {
description = "tmate service";
group = "tmate";
isSystemUser = true;
home = "${cfg.dataDir}";
createHome = true;
};
groups = {
tmate = {};
};
};
nixpkgs.config.permittedInsecurePackages = [
"tmate-ssh-server-master"
];
};
}