{ config, lib, pkgs, ... }:

with import <stockholm/lib>;
let
  cfg = config.krebs.hidden-ssh;

  # Module skeleton: declare the options under krebs.hidden-ssh and apply the
  # implementation (imp) only when the module is enabled.
  out = {
    options = {
      krebs.hidden-ssh = api;
    };
    config = lib.mkIf cfg.enable imp;
  };

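  api = {
    enable = mkEnableOption "hidden SSH announce";
    # IRC channel the onion address is posted to.  The default is a public
    # channel: anyone reading it learns the onion address, so the address is a
    # locator for the service, not a secret -- sshd's own authentication is the
    # access control.
    channel = mkOption {
      type = types.str;
      default = "#krebs-announce";
      description = "IRC channel the SSH onion hostname is announced in.";
    };
    # IRC server; the announce connects to TCP port 6667 (conventionally
    # plaintext IRC), the port is not configurable here.
    server = mkOption {
      type = types.str;
      default = "irc.freenode.org";
      description = "IRC server the announcement is sent to (port 6667).";
    };
    # Prefix of the announcement; the onion hostname is appended verbatim, so
    # keep the trailing space if you want a separator.
    message = mkOption {
      type = types.str;
      default = "SSH Hidden Service at ";
      description = "Text prepended to the onion hostname in the announcement.";
    };
  };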

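  imp = let
    # Must match the tor DataDirectory configured in tor.nix; tor creates the
    # hidden service directory below it, owned by the tor user.
    torDirectory = "/var/lib/tor"; # from tor.nix
    hiddenServiceDir = torDirectory + "/ssh-announce-service";
  in {
    services.tor = {
      enable = true;
      # Publish the local sshd (127.0.0.1:22) as an onion service.  Because the
      # onion address is announced to an IRC channel below, it provides
      # reachability and server identity, not secrecy.
      extraConfig = ''
        HiddenServiceDir ${hiddenServiceDir}
        HiddenServicePort 22 127.0.0.1:22
      '';
      # SOCKS client; presumably kept so the announce can be run via torify.
      client.enable = true;
    };
    systemd.services.hidden-ssh-announce = {
      description = "irc announce hidden ssh";
      after = [ "tor.service" "network-online.target" ];
      # `after` only orders units that are active anyway; without `wants`,
      # network-online.target is not pulled in and the ordering is a no-op.
      wants = [ "tor.service" "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        # NOTE(review): the IRC connection is made directly, not through
        # ${pkgs.tor}/bin/torify, so the IRC server (and anyone in the channel
        # who correlates timing) can link this host's clearnet IP to the onion
        # address it announces.  Route through torify if that linkage matters.
        ExecStart = pkgs.writeDash "irc-announce-ssh" ''
          set -efu
          # Unbounded wait until tor has written the onion hostname file.
          until test -e ${hiddenServiceDir}/hostname; do
            echo "still waiting for ${hiddenServiceDir}/hostname"
            sleep 1
          done
          # Every option value is shell-quoted: an unquoted channel starting
          # with # would be read as a shell comment (the original relied on a
          # backslash escape), and spaces or quotes in server/message would
          # split or break the command line.
          ${pkgs.untilport}/bin/untilport ${lib.escapeShellArg cfg.server} 6667 && \
            ${pkgs.irc-announce}/bin/irc-announce \
            ${lib.escapeShellArg cfg.server} 6667 ${lib.escapeShellArg "${config.krebs.build.host.name}-ssh"} \
            ${lib.escapeShellArg cfg.channel} \
            ${lib.escapeShellArg cfg.message}"$(cat ${hiddenServiceDir}/hostname)"
        '';
        PrivateTmp = "true";
        # Runs as the tor user so it can read the hidden service directory.
        # NOTE(review): that directory also holds the onion private key, so a
        # bug in irc-announce (which parses untrusted IRC server output) would
        # expose it; a narrower user would need the hostname exported separately.
        User = "tor";
        Type = "oneshot";
      };
    };
  };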
in
out