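# NixOS module: OpenSSH server hardened for key-only root access, optional
# sshguard, and an optional "only reachable over tinc" firewall mode.
{ pkgs, config, lib, ... }:
with lib;
with types;
let
  # Key that is always accepted for root, in addition to cfg.rootKeyFiles.
  defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ];

  cfg = config.components.network.sshd;

  # Pre-authentication banner: the hostname drawn inside an ANSI box.
  # NOTE(review): the banner is shown before login, so it discloses the
  # hostname to anyone who can connect — intentional here, but worth knowing.
  # maybe ascii-image-converter is also nice here
  sshBanner = pkgs.runCommand "ssh-banner" {
    nativeBuildInputs = [
      (pkgs.boxes.overrideAttrs (old: rec {
        version = "2.3.0";
        src = pkgs.fetchFromGitHub {
          owner = "ascii-boxes";
          repo = "boxes";
          rev = "v${version}";
          sha256 = "sha256-/gc/5vDflmEwOtQbtLwRcchyr22rLQcWqs5GrwRxY70=";
        };
        nativeBuildInputs = old.nativeBuildInputs ++ [ pkgs.libunistring pkgs.pcre2 pkgs.ncurses ];
        installPhase = ''
          install -Dm755 -t $out/bin out/boxes
          install -Dm644 -t $out/share/boxes boxes-config
          install -Dm644 -t $out/share/man/man1 doc/boxes.1
        '';
      }))
    ];
  } ''
    echo "${config.networking.hostName}" | boxes -d ansi -s 80x1 -a r > $out
  '';
in
{
  imports = [ ./known-hosts-bootup.nix ./known-hosts-public.nix ];

  options.components.network.sshd = {
    enable = mkOption {
      type = bool;
      default = true;
      description = "Enable the OpenSSH server (key-based authentication only).";
    };
    rootKeyFiles = mkOption {
      type = listOf path;
      default = [ ];
      description = "Public key files allowed to log in as root; the module's built-in default key is always appended.";
    };
    sshguard.enable = mkOption {
      type = bool;
      default = cfg.enable;
      description = "Run sshguard next to sshd (defaults to following sshd.enable).";
    };
    onlyTincAccess = mkOption {
      type = bool;
      default = false;
      description = ''
        make sure ssh is only available through the tinc
      '';
    };
  };

  config = mkMerge [
    (mkIf cfg.enable {
      environment.systemPackages = [ pkgs.sshfs pkgs.mosh ];
      services.openssh = {
        enable = true;
        settings.X11Forwarding = false;
        # Passwords are never accepted; only the authorized key files below.
        settings.PasswordAuthentication = false;
        banner = builtins.readFile sshBanner;
      };
      # User-supplied keys first, then the always-present default key.
      users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;
    })

    (mkIf cfg.sshguard.enable {
      environment.systemPackages = [ pkgs.ipset ];
      services.sshguard.enable = lib.mkDefault true;
    })

    (mkIf (cfg.onlyTincAccess && cfg.enable) {
      # Port 22 arriving on any interface other than tinc.* is redirected to
      # port 0, which is the author's way of black-holing it. The original
      # rule was IPv4-only, so sshd stayed reachable over IPv6; the same rule
      # is now added for ip6tables when IPv6 is enabled.
      # NOTE(review): nothing removes these nat rules in extraStopCommands —
      # confirm the firewall's restart path flushes nat PREROUTING, or
      # repeated reloads will stack duplicate rules.
      networking.firewall.extraCommands = ''
        iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
      '' + optionalString config.networking.enableIPv6 ''
        ip6tables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
      '';
    })
  ];
}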