tmate: add tmate ssh server service

2022-06-22 15:41:37 +10:00 · 2022-06-22 15:41:37 +10:00 · 5dcefef47f
parent d63fcba56c
commit 5dcefef47f
2 changed files with 117 additions and 1 deletions
--- a/hosts/cuallaidh.nix
+++ b/hosts/cuallaidh.nix
@ -6,6 +6,7 @@
  ...
 }: {
  imports = [
+    ../modules/tmate-ssh-server.nix
    ../networks/linode.nix
    ../profiles/coturn.nix
    ../profiles/cryptpad.nix
@ -20,7 +21,6 @@
    ../profiles/nextcloud.nix
    ../profiles/nixpkgs-dev.nix
    ../profiles/taskserver.nix
-    #../profiles/tmate-ssh-server.nix
    ../profiles/tt-rss.nix
    ../secrets/gitea.nix
    ../secrets/tt-rss.nix
@ -36,5 +36,11 @@
    }
  ];

+  services.tmate = {
+    enable = true;
+    openFirewall = true;
+    sshHostname = "tmate.mcwhirter.io";
+  };
+
  system.stateVersion = "19.03"; # The version of NixOS originally installed
 }
--- a/modules/tmate-ssh-server.nix
+++ b/modules/tmate-ssh-server.nix
@ -0,0 +1,110 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+# CVE-2021-44512: fixed in master branch
+# CVE-2021-44513: fixed in master branch
+# Introduces compatability with tmate client in NixOS
+#
+# TODO:
+# Add options for all the variables
+# Configure websockets
+# Deploy web UI from tmate-master repo
+with lib; let
+  tmate-ssh-server = pkgs.tmate-ssh-server.overrideAttrs (
+    old: {
+      src = pkgs.fetchFromGitHub {
+        owner = "tmate-io";
+        repo = "tmate-ssh-server";
+        rev = "1f314123df2bb29cb07427ed8663a81c8d9034fd";
+        sha256 = "sha256-9/xlMvtkNWUBRYYnJx20qEgtEcjagH2NtEKZcDOM1BY=";
+      };
+      version = "master";
+    }
+  );
+  cfg = config.services.tmate;
+in {
+  options.services.tmate = {
+    enable = mkEnableOption "tmate service";
+    sshHostname = mkOption {
+      type = types.str;
+      default = "localhost";
+      description = ''
+        configures the SSH hostname to advertise to tmate hosts
+      '';
+    };
+    sshPortListen = mkOption {
+      type = types.port;
+      default = 2200;
+      description = ''
+        port on which the SSH server should listen
+      '';
+    };
+    sshKeysPath = mkOption {
+      type = types.str;
+      default = "${cfg.tmateHome}/keys";
+      description = ''
+        path where the ssh keys are located (mandatory)
+      '';
+    };
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        fix me
+      '';
+    };
+    tmateHome = mkOption {
+      type = types.str;
+      default = "/var/lib/tmate";
+      description = ''
+        tmate service working directory
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall = {
+      allowedTCPPorts = mkIf cfg.openFirewall [
+        cfg.sshPortListen
+      ];
+    };
+    systemd.services.tmate = {
+      path = [pkgs.openssh];
+      preStart = ''
+        gen_key() {
+          keytype=$1
+          ks=$keytype"_"
+          key="${cfg.sshKeysPath}/ssh_host_"$ks"key"
+          if [ ! -e $key ] ; then
+            ssh-keygen -t $keytype -f $key -N ""
+            echo ""
+          fi
+          SIG=$(ssh-keygen -l -E SHA256 -f "$key.pub" | cut -d ' ' -f 2)
+        }
+
+        mkdir -p '${cfg.sshKeysPath}'
+        gen_key rsa
+        RSA_SIG=$SIG
+        gen_key ed25519
+        ED25519_SIG=$SIG
+
+        {
+        echo "set -g tmate-server-host ${cfg.sshHostname}"
+        echo "set -g tmate-server-port ${toString cfg.sshPortListen}"
+        echo "set -g tmate-server-rsa-fingerprint $RSA_SIG"
+        echo "set -g tmate-server-ed25519-fingerprint $ED25519_SIG"
+        } > '${cfg.tmateHome}/tmate.conf'
+        echo 'Copy ${cfg.tmateHome}/tmate.conf to ~/.tmate.conf to connect clients to this server'
+      '';
+      wants = ["network-online.target"];
+      wantedBy = ["multi-user.target"];
+      serviceConfig = {
+        ExecStart = "${tmate-ssh-server}/bin/tmate-ssh-server -k ${cfg.sshKeysPath} -p ${toString cfg.sshPortListen} -h ${cfg.sshHostname}";
+        WorkingDirectory = cfg.tmateHome;
+      };
+    };
+  };
+}