Add sish

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-05-17 18:06:32 +01:00
parent 3c09cf9f69
commit bf82f4b52e
10 changed files with 204 additions and 2 deletions
--- a/hosts/common/configs/system/ssh/default.nix
+++ b/hosts/common/configs/system/ssh/default.nix
@@ -11,6 +11,11 @@
      extraHostNames = [ "karaolidis.com" ];
    };

+    jupiter-sish = {
+      publicKeyFile = ../../../../jupiter/users/storm/configs/console/podman/sish/ssh_host_ed25519_key.pub;
+      extraHostNames = [ "karaolidis.com" ];
+    };
+
    jupiter-vps = {
      publicKeyFile = ../../../../jupiter-vps/secrets/ssh_host_ed25519_key.pub;
      extraHostNames = [ "vps.karaolidis.com" ];
--- a/hosts/jupiter-vps/default.nix
+++ b/hosts/jupiter-vps/default.nix
@@ -13,6 +13,7 @@
    ../common/configs/system/nixpkgs
    ../common/configs/system/podman
    ../common/configs/system/sops
+    ../common/configs/system/ssh
    ../common/configs/system/sshd
    ../common/configs/system/system
    ../common/configs/system/users
--- a/hosts/jupiter/default.nix
+++ b/hosts/jupiter/default.nix
@@ -20,6 +20,7 @@
    ../common/configs/system/podman
    ../common/configs/system/smartmontools
    ../common/configs/system/sops
+    ../common/configs/system/ssh
    ../common/configs/system/sshd
    ../common/configs/system/sudo
    ../common/configs/system/system
--- a/hosts/jupiter/users/storm/configs/console/podman/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/default.nix
@@ -13,6 +13,7 @@ in
    (import ./grafana { inherit user home; })
    (import ./ntfy { inherit user home; })
    (import ./prometheus { inherit user home; })
+    (import ./sish { inherit user home; })
    (import ./traefik { inherit user home; })
    (import ./whoami { inherit user home; })
  ];
--- a/hosts/jupiter/users/storm/configs/console/podman/sish/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/sish/default.nix
@@ -0,0 +1,72 @@
+{
+  user ? throw "user argument is required",
+  home ? throw "home argument is required",
+}:
+{
+  config,
+  inputs,
+  pkgs,
+  system,
+  ...
+}:
+let
+  selfPkgs = inputs.self.packages.${system};
+  hmConfig = config.home-manager.users.${user};
+  inherit (hmConfig.virtualisation.quadlet) networks;
+in
+{
+  networking.firewall.allowedTCPPorts = [ 2222 ];
+
+  home-manager.users.${user} = {
+    sops.secrets."sish/ssh/key".sopsFile = ../../../../../../secrets/secrets.yaml;
+
+    virtualisation.quadlet = {
+      networks.sish.networkConfig.internal = true;
+
+      containers.sish = {
+        containerConfig = {
+          image = "docker-archive:${selfPkgs.docker-sish}";
+          networks = [
+            networks.sish.ref
+            networks.traefik.ref
+          ];
+          volumes =
+            let
+              authorizedKeys = pkgs.writeTextFile {
+                name = "authorized_keys";
+                text = ''
+                  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com
+                '';
+              };
+            in
+            [
+              "${hmConfig.sops.secrets."sish/ssh/key".path}:/etc/sish/keys/ssh_key:ro"
+              "${authorizedKeys}:/etc/sish/pubkeys/authorized_keys:ro"
+            ];
+          labels = [
+            "traefik.enable=true"
+            "traefik.http.routers.sish.rule=HostRegexp(`^(.+\.)?tunnel\.karaolidis\.com$`)"
+            "traefik.http.services.sish.loadbalancer.server.port=80"
+          ];
+          publishPorts = [ "2222:2222/tcp" ];
+          exec = [
+            "--ssh-address=0.0.0.0:2222"
+            "--http-address=0.0.0.0:80"
+            "--load-templates=false"
+            "--private-keys-directory=/etc/sish/keys"
+            "--authentication-password=\"\""
+            "--authentication-keys-directory=/etc/sish/pubkeys"
+            "--bind-random-ports=false"
+            "--bind-random-aliases=false"
+            "--bind-random-subdomains=false"
+            "--welcome-message=\"\""
+            "--domain=tunnel.karaolidis.com"
+            "--proxy-ssl-termination=true"
+          ];
+        };
+
+        unitConfig.After = [ "sops-nix.service" ];
+      };
+    };
+  };
+}
--- a/hosts/jupiter/users/storm/configs/console/podman/sish/ssh_host_ed25519_key.pub
+++ b/hosts/jupiter/users/storm/configs/console/podman/sish/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILbYZvInRgXWVVi7pgP/rrOLPv9l7zH/TkPk7bb98OFp root@jupiter-sish
--- a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
@@ -76,9 +76,9 @@ in
              "--entrypoints.https.http.tls=true"
              "--entrypoints.https.http.tls.certResolver=letsencrypt"
              "--entrypoints.https.http.tls.domains[0].main=karaolidis.com"
-              "--entrypoints.https.http.tls.domains[0].sans=*.karaolidis.com"
+              "--entrypoints.https.http.tls.domains[0].sans=*.karaolidis.com,*.tunnel.karaolidis.com,*.gaming.karaolidis.com"
              "--entrypoints.https.http.tls.domains[1].main=krlds.com"
-              "--entrypoints.https.http.tls.domains[1].sans=*.krlds.com"
+              "--entrypoints.https.http.tls.domains[1].sans=*.krlds.com,*.tunnel.krlds.com,*.gaming.krlds.com"
              "--entrypoints.https.http.middlewares=compress@docker"
              "--entryPoints.https.http3"
              "--entrypoints.https.forwardedHeaders.insecure=true"
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILbYZvInRgXWVVi7pgP/rrOLPv9l7zH/TkPk7bb98OFp root@jupiter-sish`