110 lines
3.6 KiB
Nix
110 lines
3.6 KiB
Nix
|
{ options
|
||
|
, config
|
||
|
, pkgs
|
||
|
, lib
|
||
|
, host ? ""
|
||
|
, format ? ""
|
||
|
, inputs ? { }
|
||
|
, ...
|
||
|
}:
|
||
|
with lib;
|
||
|
with lib.plusultra; let
|
||
|
cfg = config.plusultra.services.openssh;
|
||
|
|
||
|
user = config.users.users.${config.plusultra.user.name};
|
||
|
user-id = builtins.toString user.uid;
|
||
|
|
||
|
# TODO: This is a hold-over from an earlier Snowfall Lib version which used
|
||
|
# the specialArg `name` to provide the host name.
|
||
|
name = host;
|
||
|
|
||
|
default-key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwaaCUq3Ooq1BaHbg5IwVxWj/xmNJY2dDthHKPZefrHXv/ksM/IREgm38J0CdoMpVS0Zp1C/vFrwGfaYZ2lCF5hBVdV3gf+mvj8Yb8Xpm6aM4L5ig+oBMp/3cz1+g/I4aLMJfCKCtdD6Q2o4vtkTpid6X+kL3UGZbX0HFn3pxoDinzOXQnVGSGw+pQhLASvQeVXWTJjVfIWhj9L2NRJau42cBRRlAH9kE3HUbcgLgyPUZ28aGXLLmiQ6CUjiIlce5ee16WNLHQHOzVfPJfF1e1F0HwGMMBe39ey3IEQz6ab1YqlIzjRx9fQ9hQK6Du+Duupby8JmBlbUAxhh8KJFCJB2cXW/K5Et4R8GHMS6MyIoKQwFUXGyrszVfiuNTGZIkPAYx9zlCq9M/J+x1xUZLHymL85WLPyxhlhN4ysM9ILYiyiJ3gYrPIn5FIZrW7MCQX4h8k0bEjWUwH5kF3dZpEvIT2ssyIu12fGzXkYaNQcJEb5D9gT1mNyi2dxQ62NPZ5orfYyIZ7fn22d1P/jegG+7LQeXPiy5NLE6b7MP5Rq2dL8Y9Oi8pOBtoY9BpLh7saSBbNFXTBtH/8OfAQacxDsZD/zTFtCzZjtTK6yiAaXCZTvMIOuoYGZvEk6zWXrjVsU8FlqF+4JOTfePqr/SSUXNJyKnrvQJ1BfHQiYsrckw==";
|
||
|
|
||
|
other-hosts =
|
||
|
lib.filterAttrs
|
||
|
(key: host:
|
||
|
key != name && (host.config.plusultra.user.name or null) != null)
|
||
|
((inputs.self.nixosConfigurations or { }) // (inputs.self.darwinConfigurations or { }));
|
||
|
|
||
|
other-hosts-config =
|
||
|
lib.concatMapStringsSep
|
||
|
"\n"
|
||
|
(
|
||
|
name:
|
||
|
let
|
||
|
remote = other-hosts.${name};
|
||
|
remote-user-name = remote.config.plusultra.user.name;
|
||
|
remote-user-id = builtins.toString remote.config.users.users.${remote-user-name}.uid;
|
||
|
|
||
|
forward-gpg =
|
||
|
optionalString (config.programs.gnupg.agent.enable && remote.config.programs.gnupg.agent.enable)
|
||
|
''
|
||
|
RemoteForward /run/user/${remote-user-id}/gnupg/S.gpg-agent /run/user/${user-id}/gnupg/S.gpg-agent.extra
|
||
|
RemoteForward /run/user/${remote-user-id}/gnupg/S.gpg-agent.ssh /run/user/${user-id}/gnupg/S.gpg-agent.ssh
|
||
|
'';
|
||
|
in
|
||
|
''
|
||
|
Host ${name}
|
||
|
User ${remote-user-name}
|
||
|
ForwardAgent yes
|
||
|
Port ${builtins.toString cfg.port}
|
||
|
${forward-gpg}
|
||
|
''
|
||
|
)
|
||
|
(builtins.attrNames other-hosts);
|
||
|
in
|
||
|
{
|
||
|
options.plusultra.services.openssh = with types; {
|
||
|
enable = mkBoolOpt false "Whether or not to configure OpenSSH support.";
|
||
|
authorizedKeys =
|
||
|
mkOpt (listOf str) [ default-key ] "The public keys to apply.";
|
||
|
port = mkOpt port 2222 "The port to listen on (in addition to 22).";
|
||
|
manage-other-hosts = mkOpt bool true "Whether or not to add other host configurations to SSH config.";
|
||
|
};
|
||
|
|
||
|
config = mkIf cfg.enable {
|
||
|
services.openssh = {
|
||
|
enable = true;
|
||
|
|
||
|
settings = {
|
||
|
PermitRootLogin =
|
||
|
if format == "install-iso"
|
||
|
then "yes"
|
||
|
else "no";
|
||
|
PasswordAuthentication = false;
|
||
|
};
|
||
|
|
||
|
extraConfig = ''
|
||
|
StreamLocalBindUnlink yes
|
||
|
'';
|
||
|
|
||
|
ports = [
|
||
|
22
|
||
|
cfg.port
|
||
|
];
|
||
|
};
|
||
|
|
||
|
programs.ssh.extraConfig = ''
|
||
|
Host *
|
||
|
HostKeyAlgorithms +ssh-rsa
|
||
|
|
||
|
${optionalString cfg.manage-other-hosts other-hosts-config}
|
||
|
'';
|
||
|
|
||
|
plusultra.user.extraOptions.openssh.authorizedKeys.keys =
|
||
|
cfg.authorizedKeys;
|
||
|
|
||
|
plusultra.home.extraOptions = {
|
||
|
programs.zsh.shellAliases =
|
||
|
foldl
|
||
|
(aliases: system:
|
||
|
aliases
|
||
|
// {
|
||
|
"ssh-${system}" = "ssh ${system} -t tmux a";
|
||
|
})
|
||
|
{ }
|
||
|
(builtins.attrNames other-hosts);
|
||
|
};
|
||
|
};
|
||
|
}
|