From 5dcefef47f5f694adf508796f33cb9907f883a81 Mon Sep 17 00:00:00 2001
From: Craige McWhirter
Date: Wed, 22 Jun 2022 15:41:37 +1000
Subject: [PATCH] tmate: add tmate ssh server service

---
 hosts/cuallaidh.nix | 8 ++-
 modules/tmate-ssh-server.nix | 110 +++++++++++++++++++++++++++++++++++
 2 files changed, 117 insertions(+), 1 deletion(-)
 create mode 100644 modules/tmate-ssh-server.nix

diff --git a/hosts/cuallaidh.nix b/hosts/cuallaidh.nix
index f185820..137ce2c 100644
--- a/hosts/cuallaidh.nix
+++ b/hosts/cuallaidh.nix
@@ -6,6 +6,7 @@
 ...
 }: {
 imports = [
+ ../modules/tmate-ssh-server.nix
 ../networks/linode.nix
 ../profiles/coturn.nix
 ../profiles/cryptpad.nix
@@ -20,7 +21,6 @@
 ../profiles/nextcloud.nix
 ../profiles/nixpkgs-dev.nix
 ../profiles/taskserver.nix
- #../profiles/tmate-ssh-server.nix
 ../profiles/tt-rss.nix
 ../secrets/gitea.nix
 ../secrets/tt-rss.nix
@@ -36,5 +36,11 @@
 }
 ];
 
+ services.tmate = {
+ enable = true;
+ openFirewall = true;
+ sshHostname = "tmate.mcwhirter.io";
+ };
+
 system.stateVersion = "19.03"; # The version of NixOS originally installed
 }
diff --git a/modules/tmate-ssh-server.nix b/modules/tmate-ssh-server.nix
new file mode 100644
index 0000000..2d8c997
--- /dev/null
+++ b/modules/tmate-ssh-server.nix
@@ -0,0 +1,110 @@
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}:
+# CVE-2021-44512: fixed in master branch
+# CVE-2021-44513: fixed in master branch
+# Introduces compatability with tmate client in NixOS
+#
+# TODO:
+# Add options for all the variables
+# Configure websockets
+# Deploy web UI from tmate-master repo
+with lib; let
+ tmate-ssh-server = pkgs.tmate-ssh-server.overrideAttrs (
+ old: {
+ src = pkgs.fetchFromGitHub {
+ owner = "tmate-io";
+ repo = "tmate-ssh-server";
+ rev = "1f314123df2bb29cb07427ed8663a81c8d9034fd";
+ sha256 = "sha256-9/xlMvtkNWUBRYYnJx20qEgtEcjagH2NtEKZcDOM1BY=";
+ };
+ version = "master";
+ }
+ );
+ cfg = config.services.tmate;
+in {
+ options.services.tmate = {
+ enable = mkEnableOption "tmate service";
+ sshHostname = mkOption {
+ type = types.str;
+ default = "localhost";
+ description = ''
+ configures the SSH hostname to advertise to tmate hosts
+ '';
+ };
+ sshPortListen = mkOption {
+ type = types.port;
+ default = 2200;
+ description = ''
+ port on which the SSH server should listen
+ '';
+ };
+ sshKeysPath = mkOption {
+ type = types.str;
+ default = "${cfg.tmateHome}/keys";
+ description = ''
+ path where the ssh keys are located (mandatory)
+ '';
+ };
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ fix me
+ '';
+ };
+ tmateHome = mkOption {
+ type = types.str;
+ default = "/var/lib/tmate";
+ description = ''
+ tmate service working directory
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ networking.firewall = {
+ allowedTCPPorts = mkIf cfg.openFirewall [
+ cfg.sshPortListen
+ ];
+ };
+ systemd.services.tmate = {
+ path = [pkgs.openssh];
+ preStart = ''
+ gen_key() {
+ keytype=$1
+ ks=$keytype"_"
+ key="${cfg.sshKeysPath}/ssh_host_"$ks"key"
+ if [ ! -e $key ] ; then
+ ssh-keygen -t $keytype -f $key -N ""
+ echo ""
+ fi
+ SIG=$(ssh-keygen -l -E SHA256 -f "$key.pub" | cut -d ' ' -f 2)
+ }
+
+ mkdir -p '${cfg.sshKeysPath}'
+ gen_key rsa
+ RSA_SIG=$SIG
+ gen_key ed25519
+ ED25519_SIG=$SIG
+
+ {
+ echo "set -g tmate-server-host ${cfg.sshHostname}"
+ echo "set -g tmate-server-port ${toString cfg.sshPortListen}"
+ echo "set -g tmate-server-rsa-fingerprint $RSA_SIG"
+ echo "set -g tmate-server-ed25519-fingerprint $ED25519_SIG"
+ } > '${cfg.tmateHome}/tmate.conf'
+ echo 'Copy ${cfg.tmateHome}/tmate.conf to ~/.tmate.conf to connect clients to this server'
+ '';
+ wants = ["network-online.target"];
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ ExecStart = "${tmate-ssh-server}/bin/tmate-ssh-server -k ${cfg.sshKeysPath} -p ${toString cfg.sshPortListen} -h ${cfg.sshHostname}";
+ WorkingDirectory = cfg.tmateHome;
+ };
+ };
+ };
+}
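Review bot: The unit declares `wants = ["network-online.target"];` but no matching `after`, so systemd applies no ordering relative to the network and tmate-ssh-server can be launched before the interface that `sshHostname` advertises is up; add `after = ["network-online.target"];` beside `wants`. The service also runs as root with no `User`/`DynamicUser` and no sandboxing directives in `serviceConfig`, a wide blast radius for a daemon that listens on a port the module itself opens in the firewall; unless tmate-ssh-server needs root for its own privilege separation (not determinable from this hunk), a dedicated user plus `StateDirectory` covering `tmateHome` would narrow it. The `openFirewall` option's description is the placeholder `fix me`; something like `description = "Whether to open sshPortListen in the firewall.";` would document what the flag does. The `$key` expansions in `gen_key` (`[ ! -e $key ]`, `-f $key`) are unquoted, so a `sshKeysPath` containing whitespace breaks host-key generation; quote them as `"$key"`.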