Add openssh service

2020-10-26 21:58:30 +01:00 · 2020-10-26 21:58:30 +01:00 · 940e0de695
parent 77dd3a2b96
commit 940e0de695
5 changed files with 160 additions and 0 deletions
--- a/services-agnostic/constructors.nix
+++ b/services-agnostic/constructors.nix
@ -100,6 +100,11 @@ in
    inherit (pkgs) influxdb;
  };

+  sshd = import ./sshd.nix {
+    inherit createManagedProcess stateDir runtimeDir tmpDir forceDisableUserChange;
+    inherit (pkgs) writeTextFile openssh;
+  };
+
  docker = import ./docker.nix {
    inherit createManagedProcess;
    inherit (pkgs) docker kmod;
--- a/services-agnostic/idresources.nix
+++ b/services-agnostic/idresources.nix
@ -56,4 +56,9 @@ rec {
    max = 8096;
    step = 3;
  };
+
+  sshPorts = {
+    min = 1222;
+    max = 1422;
+  };
 }
--- a/services-agnostic/ids.nix
+++ b/services-agnostic/ids.nix
@ -0,0 +1,71 @@
+{
+  "ids" = {
+    "gids" = {
+      "apache" = 2000;
+      "influxdb" = 2001;
+      "mongodb" = 2002;
+      "mysql" = 2003;
+      "postgresql" = 2004;
+      "sshd" = 2005;
+      "tomcat" = 2006;
+    };
+    "httpPorts" = {
+      "apache" = 8080;
+      "tomcat" = 8081;
+    };
+    "httpsPorts" = {
+      "tomcat" = 8443;
+    };
+    "inetHTTPPorts" = {
+      "supervisord" = 9001;
+    };
+    "influxdbPorts" = {
+      "influxdb" = 8086;
+    };
+    "mongodbPorts" = {
+      "mongodb" = 27017;
+    };
+    "mysqlPorts" = {
+      "mysql" = 3306;
+    };
+    "postgresqlPorts" = {
+      "postgresql" = 5432;
+    };
+    "sshPorts" = {
+      "sshd" = 1222;
+    };
+    "svnPorts" = {
+      "svnserve" = 3690;
+    };
+    "tomcatAJPPorts" = {
+      "tomcat" = 8009;
+    };
+    "tomcatServerPorts" = {
+      "tomcat" = 8005;
+    };
+    "uids" = {
+      "apache" = 2000;
+      "influxdb" = 2001;
+      "mongodb" = 2002;
+      "mysql" = 2003;
+      "postgresql" = 2004;
+      "sshd" = 2005;
+      "tomcat" = 2006;
+    };
+  };
+  "lastAssignments" = {
+    "gids" = 2006;
+    "httpPorts" = 8081;
+    "httpsPorts" = 8443;
+    "inetHTTPPorts" = 9001;
+    "influxdbPorts" = 8086;
+    "mongodbPorts" = 27017;
+    "mysqlPorts" = 3306;
+    "postgresqlPorts" = 5432;
+    "sshPorts" = 1222;
+    "svnPorts" = 3690;
+    "tomcatAJPPorts" = 8009;
+    "tomcatServerPorts" = 8005;
+    "uids" = 2006;
+  };
+}
--- a/services-agnostic/processes.nix
+++ b/services-agnostic/processes.nix
@ -104,6 +104,16 @@ rec {
    requiresUniqueIdsFor = [ "influxdbPorts" "uids" "gids" ];
  };

+  sshd = rec {
+    port = ids.sshPorts.sshd or 0;
+
+    pkg = constructors.sshd {
+      inherit port;
+    };
+
+    requiresUniqueIdsFor = [ "sshPorts" "uids" "gids" ];
+  };
+
  docker = {
    pkg = constructors.docker;
  };
--- a/services-agnostic/sshd.nix
+++ b/services-agnostic/sshd.nix
@ -0,0 +1,69 @@
+{createManagedProcess, writeTextFile, openssh, stateDir, runtimeDir, tmpDir, forceDisableUserChange}:
+{instanceSuffix ? "", instanceName ? "sshd${instanceSuffix}", port ? 22, extraSSHDConfig ? ""}:
+
+let
+  sshdStateDir = "${stateDir}/lib/${instanceName}";
+
+  sshdConfig = writeTextFile {
+    name = "sshd_config";
+    text = ''
+      HostKey ${sshdStateDir}/ssh_host_rsa_key
+      HostKey ${sshdStateDir}/ssh_host_ecdsa_key
+      HostKey ${sshdStateDir}/ssh_host_ed25519_key
+
+      PidFile ${if forceDisableUserChange then tmpDir else runtimeDir}/${instanceName}.pid
+      ${extraSSHDConfig}
+    '';
+  };
+
+  group = instanceName;
+  user = instanceName;
+in
+createManagedProcess {
+  name = instanceName;
+  inherit instanceName;
+
+  initialize = ''
+    mkdir -p ${sshdStateDir}
+    mkdir -p /var/empty
+
+    if [ ! -f ${sshdStateDir}/ssh_host_rsa_key ]
+    then
+        ssh-keygen -t rsa -f ${sshdStateDir}/ssh_host_rsa_key -N ""
+    fi
+
+    if [ ! -f ${sshdStateDir}/ssh_host_ecdsa_key ]
+    then
+        ssh-keygen -t ecdsa -f ${sshdStateDir}/ssh_host_ecdsa_key -N ""
+    fi
+
+    if [ ! -f ${sshdStateDir}/ssh_host_ed25519_key ]
+    then
+        ssh-keygen -t ed25519 -f ${sshdStateDir}/ssh_host_ed25519_key -N ""
+    fi
+  '';
+
+  process = "${openssh}/bin/sshd";
+  args = [ "-p" port "-f" sshdConfig ];
+  foregroundProcessExtraArgs = [ "-D" ];
+  path = [ openssh ];
+
+  credentials = {
+    groups = {
+      "${group}" = {};
+    };
+    users = {
+      "${user}" = {
+        inherit group;
+        homeDir = "/var/empty";
+        description = "SSH privilege separation user";
+      };
+    };
+  };
+
+  overrides = {
+    sysvinit = {
+      runlevels = [ 3 4 5 ];
+    };
+  };
+}