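# NixOS module `poz.services.ssh`: an opinionated sshd (key-only, root locked
# down by default) plus a per-user ssh-agent with a GUI passphrase prompt and
# declarative `Host` aliases.
{
  config,
  lib,
  pkgs,
  ...
}: let
  cfg = config.poz.services.ssh;
  inherit (lib.meta) getExe';
  inherit (lib.modules) mkIf mkMerge;
  inherit (lib.options) mkEnableOption mkOption;
  inherit (lib.types) attrsOf bool listOf nullOr port str submodule;
  inherit (lib.strings) concatStrings optionalString sanitizeDerivationName;
  inherit (lib.attrsets) mapAttrsToList;
  ksshaskpass = getExe' pkgs.libsForQt5.ksshaskpass "ksshaskpass";
  ssh-agent = getExe' pkgs.openssh "ssh-agent";
in {
  options.poz.services.ssh = {
    daemon = mkOption {
      description = "sshd options";
      type = submodule {
        options = {
          enable = mkEnableOption "sshd";
          passwordAuth = mkOption {
            description = ''
              Allow password logins. Controls both `PasswordAuthentication` and
              `KbdInteractiveAuthentication`, since the PAM keyboard-interactive
              path is a second way to log in with the account password.
            '';
            default = false;
            type = bool;
          };
          allowRoot = mkOption {
            description = ''
              Allow root to log in over ssh. Root is only ever permitted with a
              key (`PermitRootLogin prohibit-password`); root password login is
              never enabled, regardless of `passwordAuth`.
            '';
            default = false;
            type = bool;
          };
          ports = mkOption {
            description = "ports sshd listens on";
            # Previously required; defaulting to the standard port is
            # backward-compatible for every existing configuration.
            default = [ 22 ];
            type = listOf port;
          };
        };
      };
    };
    agent = mkOption {
      description = "ssh agent options";
      type = submodule {
        options = {
          enable = mkEnableOption "ssh-agent";
          hostAliases = mkOption {
            description = "ssh_config `Host` aliases, keyed by alias name";
            type = attrsOf (submodule {
              options = {
                hostName = mkOption {
                  description = "hostname to ssh into";
                  type = str;
                };
                port = mkOption {
                  description = "port to ssh into; null omits the `Port` directive";
                  # `port` (1-65535) rejects values that `number` would accept
                  # but sshd could never listen on.
                  type = nullOr port;
                  default = null;
                };
                user = mkOption {
                  description = "ssh user";
                  type = str;
                  default = "git";
                };
                publicKey = mkOption {
                  description = ''
                    Public key used to pick the matching private key from the
                    ssh-agent. When set, `IdentitiesOnly yes` is emitted for
                    the alias so ssh offers only this key rather than every key
                    the agent holds (which is what servers such as code forges
                    use to tell accounts apart). The key is written to the Nix
                    store and is therefore world-readable; only public key
                    material belongs here.
                  '';
                  type = nullOr str;
                  default = null;
                };
              };
            });
            default = {};
          };
        };
      };
    };
  };
  config = mkMerge [
    (mkIf cfg.daemon.enable {
      services.openssh = {
        enable = true;
        inherit (cfg.daemon) ports;
        settings = {
          # Wire the module options through instead of hard-coding them; the
          # defaults are still "off", so an untouched config stays key-only.
          PasswordAuthentication = cfg.daemon.passwordAuth;
          # With UsePAM, keyboard-interactive can still accept the account
          # password even when PasswordAuthentication is off, so keep the two
          # in lockstep or the option above is only half effective.
          KbdInteractiveAuthentication = cfg.daemon.passwordAuth;
          # Even when root login is allowed, only keys are accepted for it.
          PermitRootLogin =
            if cfg.daemon.allowRoot
            then "prohibit-password"
            else "no";
        };
      };
    })
    (mkIf cfg.agent.enable {
      programs.ssh = {
        enableAskPassword = true;
        askPassword = ksshaskpass;
        # NOTE(review): `AddKeysToAgent yes` keeps keys loaded for the agent's
        # whole lifetime (no `-t` on the agent either); a bounded lifetime such
        # as `AddKeysToAgent 1h` would limit exposure of an unlocked session —
        # left unchanged here to preserve behaviour.
        extraConfig = ''
          AddKeysToAgent yes
          ${concatStrings (mapAttrsToList (alias: host: let
            # Nix store names forbid characters such as '*' and ' ' that are
            # legal in a Host pattern, so the file name is sanitised; the
            # alias itself is emitted verbatim.
            pubKeyFile = pkgs.writeText "${sanitizeDerivationName alias}.pub" host.publicKey;
          in ''
            Host ${alias}
              HostName ${host.hostName}
              User ${host.user}
              ${optionalString (host.port != null) "Port ${toString host.port}"}
              ${optionalString (host.publicKey != null) "IdentityFile ${pubKeyFile}"}
              ${optionalString (host.publicKey != null) "IdentitiesOnly yes"}
          '') cfg.agent.hostAliases)}
        '';
      };
      systemd.user.services.ssh-agent = {
        enable = true;
        description = "SSH key agent";
        serviceConfig = {
          Type = "simple";
          # -D: stay in the foreground so systemd supervises the process;
          # -a: bind the socket at the path exported below.
          ExecStart = "${ssh-agent} -D -a $SSH_AUTH_SOCK";
        };
        environment = {
          # %t is the user's runtime directory, i.e. $XDG_RUNTIME_DIR.
          SSH_AUTH_SOCK = "%t/ssh-agent.socket";
          # Assumes the graphical session is on display :0 so ksshaskpass can
          # show its prompt — TODO confirm this matches the display manager.
          DISPLAY = ":0";
        };
        wantedBy = [ "default.target" ];
      };
      environment.sessionVariables = {
        # Same path as the unit's socket, expressed for the login environment.
        SSH_AUTH_SOCK = "\$XDG_RUNTIME_DIR/ssh-agent.socket";
      };
    })
  ];
}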