nixos-config/nixos/components/network/sshd/default.nix

{ pkgs, config, lib, ... }:
with lib;
with types;
let
  defaultRootKeyFiles = [ (toString ../../../assets/ssh/palo_rsa.pub) ];
  cfg = config.components.network.sshd;

# maybe ascii-image-converter is also nice here
  sshBanner = pkgs.runCommand "ssh-banner"
    {
      nativeBuildInputs = [
        (pkgs.boxes.overrideAttrs (old: rec {
          version = "2.3.0";
          src = pkgs.fetchFromGitHub {
            owner = "ascii-boxes";
            repo = "boxes";
            rev = "v${version}";
            sha256 = "sha256-/gc/5vDflmEwOtQbtLwRcchyr22rLQcWqs5GrwRxY70=";
          };
          nativeBuildInputs = old.nativeBuildInputs ++ [
            pkgs.libunistring
            pkgs.pcre2
            pkgs.ncurses
          ];
          installPhase = ''
            install -Dm755 -t $out/bin out/boxes
            install -Dm644 -t $out/share/boxes boxes-config
            install -Dm644 -t $out/share/man/man1 doc/boxes.1
          '';
        }))
      ];
    } ''
    echo "${config.networking.hostName}" | boxes -d ansi -s 80x1 -a r > $out
  '';


in
{

  imports = [
    ./known-hosts-bootup.nix
    ./known-hosts-public.nix
  ];

  options.components.network.sshd = {
    enable = mkOption {
      type = bool;
      default = true;
    };
    rootKeyFiles = mkOption {
      type = with types; listOf path;
      default = [ ];
      description = "keys to root login";
    };
    sshguard.enable = mkOption {
      type = bool;
      default = config.components.network.sshd.enable;
    };
    onlyTincAccess = mkOption {
      type = bool;
      default = false;
      description = ''
        make sure ssh is only available trough the tinc
      '';
    };
  };

  config = mkMerge [

    (mkIf cfg.enable {

      environment.systemPackages = [
        pkgs.sshfs
        pkgs.mosh
      ];

      services.openssh = {
        enable = true;
        settings.X11Forwarding = false;
        settings.PasswordAuthentication = false;
      };

      users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;

      services.openssh.banner = builtins.readFile sshBanner;

    })

    (mkIf cfg.sshguard.enable {
      environment.systemPackages = [ pkgs.ipset ];
      services.sshguard.enable = lib.mkDefault true;
    } )

    (mkIf (cfg.onlyTincAccess && cfg.enable) {
      networking.firewall.extraCommands = ''
        iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
      '';
    })
  ];

}