From 08bed15cf8dc273c1dead2ad79da1e4848fdf66f Mon Sep 17 00:00:00 2001 From: Daniel Barlow Date: Sat, 4 Mar 2023 00:39:54 +0000 Subject: [PATCH] ssh service - dropbear - generate host keys on first use - mount /dev/pts It's not ideal having the host key disappear when the device is reboot, but without persistent storage the alternative is generating it at build time. Deferring this problem to another time --- modules/s6/scripts/rc.init | 3 +++ overlay.nix | 9 +++++++++ rotuer.nix | 12 ++++++++++++ 3 files changed, 24 insertions(+) diff --git a/modules/s6/scripts/rc.init b/modules/s6/scripts/rc.init index 7a23881..162d1d9 100755 --- a/modules/s6/scripts/rc.init +++ b/modules/s6/scripts/rc.init @@ -17,6 +17,9 @@ shift mount -t proc none /proc mount -t sysfs none /sys +# s6-linux-init mounts /dev before this script is called +mkdir /dev/pts +mount -t devpts none /dev/pts mkdir -m 0750 /run/service-state chgrp system /run/service-state diff --git a/overlay.nix b/overlay.nix index a0662c8..4f40b0f 100644 --- a/overlay.nix +++ b/overlay.nix @@ -15,6 +15,15 @@ extraPkgs // { nettle = null; }; + dropbear = prev.dropbear.overrideAttrs (o: { + postPatch = '' + (echo '#define DSS_PRIV_FILENAME "/run/dropbear/dropbear_dss_host_key"' + echo '#define RSA_PRIV_FILENAME "/run/dropbear/dropbear_rsa_host_key"' + echo '#define ECDSA_PRIV_FILENAME "/run/dropbear/dropbear_ecdsa_host_key"' + echo '#define ED25519_PRIV_FILENAME "/run/dropbear/dropbear_ed25519_host_key"') > localoptions.h + ''; + }); + pppBuild = prev.ppp; ppp = (prev.ppp.override { diff --git a/rotuer.nix b/rotuer.nix index 9be278b..25c3972 100644 --- a/rotuer.nix +++ b/rotuer.nix @@ -18,6 +18,7 @@ let route; inherit (pkgs.liminix.services) oneshot longrun bundle target; inherit (pkgs) + dropbear ifwait serviceFns; in rec { @@ -146,11 +147,21 @@ in rec { ]; }; + services.sshd = longrun { + name = "sshd"; + run = '' + mkdir -p /run/dropbear + ${dropbear}/bin/dropbear -E -P /run/dropbear.pid -R -F + ''; + }; + users.dnsmasq = { uid = 51; gid= 51; gecos = "DNS/DHCP service user"; dir = "/run/dnsmasq"; shell = "/bin/false"; }; + users.root.passwd = lib.mkForce secrets.root_password; + groups.dnsmasq = { gid = 51; usernames = ["dnsmasq"]; }; @@ -220,6 +231,7 @@ in rec { packet_forwarding dns resolvconf + sshd ]; }; defaultProfile.packages = with pkgs; [ nftables strace tcpdump ] ;