{ config, lib, pkgs, ... }: with lib; let cfg = config.myOptions.services.ssh; in { options.myOptions.services.ssh = { daemon = mkOption { description = "sshd options"; type = with types; submodule { options = { enable = mkEnableOption "enable sshd"; passwordAuth = mkOption { description = "allow password auth"; default = false; type = bool; }; allowRoot = mkOption { description = "allow root login"; default = false; type = bool; }; }; }; }; agent = mkOption { description = "ssh agent options"; type = with types; submodule { options = { enable = mkEnableOption "enable ssh-agent"; hostAliases = mkOption { description = "host aliases"; type = with types; attrsOf (submodule { options = { hostName = mkOption { description = "hostname to ssh into"; type = types.str; }; user = mkOption { description = "ssh user"; type = types.str; default = "git"; }; identityFile = mkOption { description = "path to the private key"; type = types.path; }; identitiesOnly = mkOption { description = "whether ssh should not use additional identities offered by ssh-agent"; type = types.bool; default = true; }; }; }); }; }; }; }; }; config = mkMerge [ (mkIf cfg.daemon.enable { services.openssh = { enable = true; settings = { PasswordAuthentication = false; PermitRootLogin = "no"; }; }; }) (mkIf cfg.agent.enable { programs.ssh.extraConfig = '' AddKeysToAgent yes ${concatStrings (mapAttrsToList (name: value: '' Host ${name} HostName ${value.hostName} User ${value.user} IdentityFile ${value.identityFile} IdentitiesOnly ${if value.identitiesOnly then "yes" else "no"} '') cfg.agent.hostAliases)} ''; systemd.user.services.ssh-agent = { enable = true; description = "SSH key agent"; serviceConfig = { Type = "simple"; ExecStart = "${pkgs.openssh}/bin/ssh-agent -D -a $SSH_AUTH_SOCK"; }; environment = { SSH_AUTH_SOCK = "%t/ssh-agent.socket"; DISPLAY = ":0"; }; wantedBy = [ "default.target" ]; }; environment.sessionVariables = { SSH_AUTH_SOCK = "\$XDG_RUNTIME_DIR/ssh-agent.socket"; }; }) ]; }