niksos/modules/services/ssh.nix

{
    config,
    lib,
    pkgs,
    ...
}: let
    cfg = config.poz.services.ssh;

    inherit (lib.meta) getExe';
    inherit (lib.modules) mkIf mkMerge;
    inherit (lib.options) mkEnableOption mkOption;
    inherit (lib.types) attrsOf bool nullOr number str submodule;
    inherit (lib.strings) concatStrings;
    inherit (lib.attrsets) mapAttrsToList;

    ksshaskpass = getExe' pkgs.libsForQt5.ksshaskpass "ksshaskpass";
    ssh-agent = getExe' pkgs.openssh "ssh-agent";
in {
    options.poz.services.ssh = {
        daemon = mkOption {
            description = "sshd options";
            type = submodule {
                options = {
                    enable = mkEnableOption "sshd";
                    passwordAuth = mkOption {
                        description = "allow password auth";
                        default = false;
                        type = bool;
                    };
                    allowRoot = mkOption {
                        description = "allow root login";
                        default = false;
                        type = bool;
                    };
                };
            };
        };
        agent = mkOption {
            description = "ssh agent options";
            type = submodule {
                options = {
                    enable = mkEnableOption "ssh-agent";
                    hostAliases = mkOption {
                        description = "host aliases";
                        type = attrsOf (submodule {
                            options = {
                                hostName = mkOption {
                                    description = "hostname to ssh into";
                                    type = str;
                                };
                                port = mkOption {
                                    description = "port to ssh into";
                                    type = nullOr number;
                                    default = null;
                                };
                                user = mkOption {
                                    description = "ssh user";
                                    type = str;
                                    default = "git";
                                };
                                publicKey = mkOption {
                                    description = "public key used for picking the correct key from the ssh-agent";
                                    type = nullOr str;
                                    default = null;
                                };
                            };
                        });
                        default = {};
                    };
                };
            };
        };
    };

    config = mkMerge [
        (mkIf cfg.daemon.enable {
            services.openssh = {
                enable = true;
                settings = {
                    PasswordAuthentication = false;
                    PermitRootLogin = "no";
                    LoginGraceTime = 0;
                };
            };
        })
        (mkIf cfg.agent.enable {
            programs.ssh = {
                enableAskPassword = true;
                askPassword = ksshaskpass;
                extraConfig = ''
                    AddKeysToAgent yes

                    ${concatStrings (mapAttrsToList (name: value: ''
                        Host ${name}
                            HostName        ${value.hostName}
                            User            ${value.user}
                            ${
                                if value.port != null then
                                    "Port            ${toString value.port}"
                                    else ""
                            }
                            ${
                                if value.publicKey != null then
                                    "IdentityFile    ${pkgs.writeText "${name}.pub" value.publicKey}"
                                    else ""
                            }
                    '') cfg.agent.hostAliases)}
                '';
            };

            systemd.user.services.ssh-agent = {
                enable = true;
                description = "SSH key agent";
                serviceConfig = {
                    Type = "simple";
                    ExecStart = "${ssh-agent} -D -a $SSH_AUTH_SOCK";
                };
                environment = {
                    SSH_AUTH_SOCK = "%t/ssh-agent.socket";
                    DISPLAY = ":0";
                };
                wantedBy = [ "default.target" ];
            };

            environment.sessionVariables = {
                SSH_AUTH_SOCK = "\$XDG_RUNTIME_DIR/ssh-agent.socket";
            };
        })
    ];
}
feat: massive 2023-10-13 21:04:24 +02:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
get rid of `with lib;` treewide 2024-05-05 12:38:40 +02:00			`}: let`
initial hape test 2024-07-15 23:18:25 +02:00			`cfg = config.poz.services.ssh;`
get rid of `with lib;` treewide 2024-05-05 12:38:40 +02:00
major cleanup in inherits 2024-07-24 18:47:53 +02:00			`inherit (lib.meta) getExe';`
fix lib.options inherits xd 2024-07-25 11:45:44 +02:00			`inherit (lib.modules) mkIf mkMerge;`
			`inherit (lib.options) mkEnableOption mkOption;`
get rid of `with lib;` treewide 2024-05-05 12:38:40 +02:00			`inherit (lib.types) attrsOf bool nullOr number str submodule;`
			`inherit (lib.strings) concatStrings;`
			`inherit (lib.attrsets) mapAttrsToList;`
switch to getExe and getExe' throughout the config 2024-07-05 00:41:59 +02:00
			`ksshaskpass = getExe' pkgs.libsForQt5.ksshaskpass "ksshaskpass";`
			`ssh-agent = getExe' pkgs.openssh "ssh-agent";`
feat: massive 2023-10-13 21:04:24 +02:00			`in {`
initial hape test 2024-07-15 23:18:25 +02:00			`options.poz.services.ssh = {`
feat: massive 2023-10-13 21:04:24 +02:00			`daemon = mkOption {`
			`description = "sshd options";`
get rid of `with lib;` treewide 2024-05-05 12:38:40 +02:00			`type = submodule {`
feat: massive 2023-10-13 21:04:24 +02:00			`options = {`
thanks raf (also fuck you raf) 2024-04-05 22:59:32 +02:00			`enable = mkEnableOption "sshd";`
feat: massive 2023-10-13 21:04:24 +02:00			`passwordAuth = mkOption {`
			`description = "allow password auth";`
			`default = false;`
			`type = bool;`
			`};`
			`allowRoot = mkOption {`
			`description = "allow root login";`
			`default = false;`
			`type = bool;`
			`};`
			`};`
			`};`
			`};`
			`agent = mkOption {`
			`description = "ssh agent options";`
get rid of `with lib;` treewide 2024-05-05 12:38:40 +02:00			`type = submodule {`
feat: massive 2023-10-13 21:04:24 +02:00			`options = {`
thanks raf (also fuck you raf) 2024-04-05 22:59:32 +02:00			`enable = mkEnableOption "ssh-agent";`
feat: massive 2023-10-13 21:04:24 +02:00			`hostAliases = mkOption {`
			`description = "host aliases";`
get rid of `with lib;` treewide 2024-05-05 12:38:40 +02:00			`type = attrsOf (submodule {`
feat: massive 2023-10-13 21:04:24 +02:00			`options = {`
			`hostName = mkOption {`
			`description = "hostname to ssh into";`
get rid of `with lib;` treewide 2024-05-05 12:38:40 +02:00			`type = str;`
feat: massive 2023-10-13 21:04:24 +02:00			`};`
add port to ssh module 2024-02-05 22:24:04 +01:00			`port = mkOption {`
			`description = "port to ssh into";`
get rid of `with lib;` treewide 2024-05-05 12:38:40 +02:00			`type = nullOr number;`
add port to ssh module 2024-02-05 22:24:04 +01:00			`default = null;`
			`};`
feat: massive 2023-10-13 21:04:24 +02:00			`user = mkOption {`
			`description = "ssh user";`
get rid of `with lib;` treewide 2024-05-05 12:38:40 +02:00			`type = str;`
feat: massive 2023-10-13 21:04:24 +02:00			`default = "git";`
			`};`
rework the ssh module to use the publicKey directly 2024-03-06 12:11:58 +01:00			`publicKey = mkOption {`
			`description = "public key used for picking the correct key from the ssh-agent";`
get rid of `with lib;` treewide 2024-05-05 12:38:40 +02:00			`type = nullOr str;`
ssh-agent (this shit is crazy read the whole commit message) so first when I wanted to configure ssh to use the correct keys by default I found some guide that used IdentitiesOnly yes so I used it too without even knowing what it does then later when I wanted to nix my ssh config I noticed that it's set to true and didn't know what it does so I read the manpage I wrote the description of the `indentitiesOnly` option of my wrapper module based on that but I didn't really understand what it actually does well, as you can see in the commit history, a day or two ago (forgot) I started using an ssh key to sign my commits and to make things even more convenient I moved all of my private ssh keys to my keepassxc database as attachments I tested it on my main laptop and everything worked fine but on that laptop all the keys were still in ~/.ssh as I didn't just want to immediately delete them and risk losing any well that's what hid this bug - on the main laptop when pushing, it just used the keys in ~/.ssh, which I don't have on this laptop (the one I take to classes) because, well, I did this not to have to copy both the keepassxc database and ~/.ssh between machines - I only copied the keepassxc database as it had all the keys in it well turns out with the config before this commit, it would only try to use keys in ~/.ssh which aren't - and won't - be here so it failed this option makes it actually use keys supplied by ssh-agent, which keepassxc acts as and is the only way to get them in the current setup 2024-03-05 17:36:26 +01:00			`default = null;`
feat: massive 2023-10-13 21:04:24 +02:00			`};`
			`};`
			`});`
use pubkeys in ssh modules and make hostAliases {} by default 2024-03-06 12:03:08 +01:00			`default = {};`
feat: massive 2023-10-13 21:04:24 +02:00			`};`
			`};`
			`};`
			`};`
			`};`

			`config = mkMerge [`
			`(mkIf cfg.daemon.enable {`
			`services.openssh = {`
			`enable = true;`
			`settings = {`
			`PasswordAuthentication = false;`
			`PermitRootLogin = "no";`
workaround for the cve https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128 2024-07-01 13:21:26 +02:00			`LoginGraceTime = 0;`
feat: massive 2023-10-13 21:04:24 +02:00			`};`
			`};`
			`})`
			`(mkIf cfg.agent.enable {`
sign test #6 2024-03-03 02:25:43 +01:00			`programs.ssh = {`
			`enableAskPassword = true;`
switch to getExe and getExe' throughout the config 2024-07-05 00:41:59 +02:00			`askPassword = ksshaskpass;`
sign test #6 2024-03-03 02:25:43 +01:00			`extraConfig = ''`
			`AddKeysToAgent yes`
feat: massive 2023-10-13 21:04:24 +02:00
sign test #6 2024-03-03 02:25:43 +01:00			`${concatStrings (mapAttrsToList (name: value: ''`
			`Host ${name}`
			`HostName ${value.hostName}`
			`User ${value.user}`
rework the ssh module to use the publicKey directly 2024-03-06 12:11:58 +01:00			`${`
			`if value.port != null then`
			`"Port ${toString value.port}"`
			`else ""`
			`}`
			`${`
			`if value.publicKey != null then`
oops lol !!!! #2 2024-03-06 12:21:02 +01:00			`"IdentityFile ${pkgs.writeText "${name}.pub" value.publicKey}"`
rework the ssh module to use the publicKey directly 2024-03-06 12:11:58 +01:00			`else ""`
			`}`
sign test #6 2024-03-03 02:25:43 +01:00			`'') cfg.agent.hostAliases)}`
			`'';`
			`};`
feat: massive 2023-10-13 21:04:24 +02:00
			`systemd.user.services.ssh-agent = {`
			`enable = true;`
			`description = "SSH key agent";`
			`serviceConfig = {`
			`Type = "simple";`
switch to getExe and getExe' throughout the config 2024-07-05 00:41:59 +02:00			`ExecStart = "${ssh-agent} -D -a $SSH_AUTH_SOCK";`
feat: massive 2023-10-13 21:04:24 +02:00			`};`
			`environment = {`
			`SSH_AUTH_SOCK = "%t/ssh-agent.socket";`
			`DISPLAY = ":0";`
			`};`
			`wantedBy = [ "default.target" ];`
			`};`

fix: pipewire module and other minor fixes 2023-10-13 23:18:35 +02:00			`environment.sessionVariables = {`
			`SSH_AUTH_SOCK = "\$XDG_RUNTIME_DIR/ssh-agent.socket";`
			`};`
feat: massive 2023-10-13 21:04:24 +02:00			`})`
			`];`
			`}`