nixos-config/nixos/components/network/sshd/default.nix

{ pkgs, config, lib, ... }:

with lib;
with types;

let
  cfg = config.component.network.sshd;
  defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ];
in
{

  imports = [
    ./known-hosts-bootup.nix
    ./known-hosts-private.nix
    ./known-hosts-public.nix
  ];

  options.component.network.sshd = {
    enable = mkOption {
      type = bool;
      default = true;
      description = "add ssh tools";
    };
    rootKeyFiles = mkOption {
      type = with types; listOf path;
      default = [ ];
      description = "keys to root login";
    };
    tools.enable = mkOption {
      type = bool;
      default = true;
      description = "add ssh tools";
    };
    onlyTincAccess = mkOption {
      type = bool;
      default = false;
      description = ''
        make sure ssh is only available trough the tinc
      '';
    };
  };

  config = mkMerge [

    (mkIf cfg.tools.enable {
      environment.systemPackages = [ pkgs.sshfs ];
    })

    (mkIf cfg.enable {

      services.openssh = {
        enable = true;
        forwardX11 = false;
        passwordAuthentication = false;
      };

      users.users.root.openssh.authorizedKeys.keyFiles =
        cfg.rootKeyFiles ++ defaultRootKeyFiles;

      services.openssh.extraConfig = ''
        Banner /etc/ssh/banner-line
      '';

      environment.etc."ssh/banner-line".text =
        let
          text = config.networking.hostName;
          size = 80 - (lib.stringLength text);
          space = lib.fixedWidthString size " " "";
        in
        ''
          ────────────────────────────────────────────────────────────────────────────────
          ${space}${text}
        '';

    })

    (mkIf (cfg.onlyTincAccess && cfg.enable) {
      networking.firewall.extraCommands = ''
        iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
      '';
    })
  ];

}
migrate sshd to component.sshd 2022-10-13 10:19:23 +02:00			`{ pkgs, config, lib, ... }:`

			`with lib;`
			`with types;`

			`let`
			`cfg = config.component.network.sshd;`
			`defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ];`
			`in`
			`{`

			`imports = [`
			`./known-hosts-bootup.nix`
			`./known-hosts-private.nix`
			`./known-hosts-public.nix`
			`];`

			`options.component.network.sshd = {`
			`enable = mkOption {`
			`type = bool;`
			`default = true;`
			`description = "add ssh tools";`
			`};`
			`rootKeyFiles = mkOption {`
			`type = with types; listOf path;`
			`default = [ ];`
			`description = "keys to root login";`
			`};`
			`tools.enable = mkOption {`
			`type = bool;`
			`default = true;`
			`description = "add ssh tools";`
			`};`
			`onlyTincAccess = mkOption {`
			`type = bool;`
			`default = false;`
			`description = ''`
			`make sure ssh is only available trough the tinc`
			`'';`
			`};`
			`};`

			`config = mkMerge [`

			`(mkIf cfg.tools.enable {`
			`environment.systemPackages = [ pkgs.sshfs ];`
			`})`

			`(mkIf cfg.enable {`

			`services.openssh = {`
			`enable = true;`
			`forwardX11 = false;`
			`passwordAuthentication = false;`
			`};`

			`users.users.root.openssh.authorizedKeys.keyFiles =`
			`cfg.rootKeyFiles ++ defaultRootKeyFiles;`

			`services.openssh.extraConfig = ''`
			`Banner /etc/ssh/banner-line`
			`'';`

			`environment.etc."ssh/banner-line".text =`
			`let`
			`text = config.networking.hostName;`
			`size = 80 - (lib.stringLength text);`
			`space = lib.fixedWidthString size " " "";`
			`in`
			`''`
			`────────────────────────────────────────────────────────────────────────────────`
			`${space}${text}`
			`'';`

			`})`

			`(mkIf (cfg.onlyTincAccess && cfg.enable) {`
			`networking.firewall.extraCommands = ''`
			`iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0`
			`'';`
			`})`
			`];`

			`}`