refactor

modules/nixos/services/openssh/default.nix

@@ -0,0 +1,109 @@
+{ options
+, config
+, pkgs
+, lib
+, host ? ""
+, format ? ""
+, inputs ? { }
+, ...
+}:
+with lib;
+with lib.plusultra; let
+  cfg = config.plusultra.services.openssh;
+
+  user = config.users.users.${config.plusultra.user.name};
+  user-id = builtins.toString user.uid;
+
+  # TODO: This is a hold-over from an earlier Snowfall Lib version which used
+  # the specialArg `name` to provide the host name.
+  name = host;
+
+  default-key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwaaCUq3Ooq1BaHbg5IwVxWj/xmNJY2dDthHKPZefrHXv/ksM/IREgm38J0CdoMpVS0Zp1C/vFrwGfaYZ2lCF5hBVdV3gf+mvj8Yb8Xpm6aM4L5ig+oBMp/3cz1+g/I4aLMJfCKCtdD6Q2o4vtkTpid6X+kL3UGZbX0HFn3pxoDinzOXQnVGSGw+pQhLASvQeVXWTJjVfIWhj9L2NRJau42cBRRlAH9kE3HUbcgLgyPUZ28aGXLLmiQ6CUjiIlce5ee16WNLHQHOzVfPJfF1e1F0HwGMMBe39ey3IEQz6ab1YqlIzjRx9fQ9hQK6Du+Duupby8JmBlbUAxhh8KJFCJB2cXW/K5Et4R8GHMS6MyIoKQwFUXGyrszVfiuNTGZIkPAYx9zlCq9M/J+x1xUZLHymL85WLPyxhlhN4ysM9ILYiyiJ3gYrPIn5FIZrW7MCQX4h8k0bEjWUwH5kF3dZpEvIT2ssyIu12fGzXkYaNQcJEb5D9gT1mNyi2dxQ62NPZ5orfYyIZ7fn22d1P/jegG+7LQeXPiy5NLE6b7MP5Rq2dL8Y9Oi8pOBtoY9BpLh7saSBbNFXTBtH/8OfAQacxDsZD/zTFtCzZjtTK6yiAaXCZTvMIOuoYGZvEk6zWXrjVsU8FlqF+4JOTfePqr/SSUXNJyKnrvQJ1BfHQiYsrckw==";
+
+  other-hosts =
+    lib.filterAttrs
+      (key: host:
+        key != name && (host.config.plusultra.user.name or null) != null)
+      ((inputs.self.nixosConfigurations or { }) // (inputs.self.darwinConfigurations or { }));
+
+  other-hosts-config =
+    lib.concatMapStringsSep
+      "\n"
+      (
+        name:
+        let
+          remote = other-hosts.${name};
+          remote-user-name = remote.config.plusultra.user.name;
+          remote-user-id = builtins.toString remote.config.users.users.${remote-user-name}.uid;
+
+          forward-gpg =
+            optionalString (config.programs.gnupg.agent.enable && remote.config.programs.gnupg.agent.enable)
+              ''
+                RemoteForward /run/user/${remote-user-id}/gnupg/S.gpg-agent /run/user/${user-id}/gnupg/S.gpg-agent.extra
+                RemoteForward /run/user/${remote-user-id}/gnupg/S.gpg-agent.ssh /run/user/${user-id}/gnupg/S.gpg-agent.ssh
+              '';
+        in
+        ''
+          Host ${name}
+            User ${remote-user-name}
+            ForwardAgent yes
+            Port ${builtins.toString cfg.port}
+            ${forward-gpg}
+        ''
+      )
+      (builtins.attrNames other-hosts);
+in
+{
+  options.plusultra.services.openssh = with types; {
+    enable = mkBoolOpt false "Whether or not to configure OpenSSH support.";
+    authorizedKeys =
+      mkOpt (listOf str) [ default-key ] "The public keys to apply.";
+    port = mkOpt port 2222 "The port to listen on (in addition to 22).";
+    manage-other-hosts = mkOpt bool true "Whether or not to add other host configurations to SSH config.";
+  };
+
+  config = mkIf cfg.enable {
+    services.openssh = {
+      enable = true;
+
+      settings = {
+        PermitRootLogin =
+          if format == "install-iso"
+          then "yes"
+          else "no";
+        PasswordAuthentication = false;
+      };
+
+      extraConfig = ''
+        StreamLocalBindUnlink yes
+      '';
+
+      ports = [
+        22
+        cfg.port
+      ];
+    };
+
+    programs.ssh.extraConfig = ''
+      Host *
+        HostKeyAlgorithms +ssh-rsa
+
+      ${optionalString cfg.manage-other-hosts other-hosts-config}
+    '';
+
+    plusultra.user.extraOptions.openssh.authorizedKeys.keys =
+      cfg.authorizedKeys;
+
+    plusultra.home.extraOptions = {
+      programs.zsh.shellAliases =
+        foldl
+          (aliases: system:
+            aliases
+            // {
+              "ssh-${system}" = "ssh ${system} -t tmux a";
+            })
+          { }
+          (builtins.attrNames other-hosts);
+    };
+  };
+}