nixos-config/nixos/profiles/services/openssh/default.nix

# Portions of this file are sourced from
# https://github.com/linyinfeng/dotfiles/blob/b618b0fd16fb9c79ab7199ed51c4c0f98a392cea/nixos/profiles/services/openssh/default.nix
{
  config,
  lib,
  data,
  ...
}:
with lib;
let
  aliveInterval = "15";
  aliveCountMax = "4";
  knownHosts = listToAttrs (
    flatten (
      mapAttrsToList (host: hostData: [
        (nameValuePair "${host}-ed25519" {
          hostNames = [
            "${host}.rebmit.link"
            "${host}.enta.rebmit.link"
          ];
          publicKey = hostData.ssh_host_ed25519_key_pub;
        })
        (nameValuePair "${host}-rsa" {
          hostNames = [
            "${host}.rebmit.link"
            "${host}.enta.rebmit.link"
          ];
          publicKey = hostData.ssh_host_rsa_key_pub;
        })
      ]) data.hosts
    )
  );
in
{
  services.openssh = {
    enable = true;
    ports = [ config.networking.ports.ssh ];
    openFirewall = true;
    settings = {
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
    };
    extraConfig = ''
      ClientAliveInterval ${aliveInterval}
      ClientAliveCountMax ${aliveCountMax}
    '';
    hostKeys = [
      {
        bits = 4096;
        inherit (config.sops.secrets."ssh_host_rsa_key") path;
        type = "rsa";
      }
      {
        inherit (config.sops.secrets."ssh_host_ed25519_key") path;
        type = "ed25519";
      }
    ];
  };

  programs.ssh = {
    startAgent = true;
    knownHosts = knownHosts;
    extraConfig =
      ''
        ServerAliveInterval ${aliveInterval}
        ServerAliveCountMax ${aliveCountMax}
      ''
      + concatMapStringsSep "\n" (h: ''
        Host ${h}
          Hostname ${h}.rebmit.link
          Port ${toString config.networking.ports.ssh}
        Host ${h}.enta
          Hostname ${h}.enta.rebmit.link
          Port ${toString config.networking.ports.ssh}
      '') (attrNames data.hosts);
  };

  sops.secrets."ssh_host_rsa_key" = {
    opentofu = {
      enable = true;
      useHostOutput = true;
    };
    restartUnits = [ "sshd.service" ];
  };

  sops.secrets."ssh_host_ed25519_key" = {
    opentofu = {
      enable = true;
      useHostOutput = true;
    };
    restartUnits = [ "sshd.service" ];
  };
}
treewide: init flakes 2024-11-28 01:14:34 +08:00			`# Portions of this file are sourced from`
			`# https://github.com/linyinfeng/dotfiles/blob/b618b0fd16fb9c79ab7199ed51c4c0f98a392cea/nixos/profiles/services/openssh/default.nix`
			`{`
			`config,`
			`lib,`
			`data,`
			`...`
			`}:`
			`with lib;`
			`let`
			`aliveInterval = "15";`
			`aliveCountMax = "4";`
			`knownHosts = listToAttrs (`
			`flatten (`
			`mapAttrsToList (host: hostData: [`
			`(nameValuePair "${host}-ed25519" {`
			`hostNames = [`
			`"${host}.rebmit.link"`
			`"${host}.enta.rebmit.link"`
			`];`
			`publicKey = hostData.ssh_host_ed25519_key_pub;`
			`})`
			`(nameValuePair "${host}-rsa" {`
			`hostNames = [`
			`"${host}.rebmit.link"`
			`"${host}.enta.rebmit.link"`
			`];`
			`publicKey = hostData.ssh_host_rsa_key_pub;`
			`})`
			`]) data.hosts`
			`)`
			`);`
			`in`
			`{`
			`services.openssh = {`
			`enable = true;`
			`ports = [ config.networking.ports.ssh ];`
			`openFirewall = true;`
			`settings = {`
			`PermitRootLogin = "prohibit-password";`
			`PasswordAuthentication = false;`
			`};`
			`extraConfig = ''`
			`ClientAliveInterval ${aliveInterval}`
			`ClientAliveCountMax ${aliveCountMax}`
			`'';`
			`hostKeys = [`
			`{`
			`bits = 4096;`
			`inherit (config.sops.secrets."ssh_host_rsa_key") path;`
			`type = "rsa";`
			`}`
			`{`
			`inherit (config.sops.secrets."ssh_host_ed25519_key") path;`
			`type = "ed25519";`
			`}`
			`];`
			`};`

			`programs.ssh = {`
			`startAgent = true;`
			`knownHosts = knownHosts;`
			`extraConfig =`
			`''`
			`ServerAliveInterval ${aliveInterval}`
			`ServerAliveCountMax ${aliveCountMax}`
			`''`
			`+ concatMapStringsSep "\n" (h: ''`
			`Host ${h}`
			`Hostname ${h}.rebmit.link`
			`Port ${toString config.networking.ports.ssh}`
			`Host ${h}.enta`
			`Hostname ${h}.enta.rebmit.link`
			`Port ${toString config.networking.ports.ssh}`
			`'') (attrNames data.hosts);`
			`};`

			`sops.secrets."ssh_host_rsa_key" = {`
			`opentofu = {`
			`enable = true;`
			`useHostOutput = true;`
			`};`
			`restartUnits = [ "sshd.service" ];`
			`};`

			`sops.secrets."ssh_host_ed25519_key" = {`
			`opentofu = {`
			`enable = true;`
			`useHostOutput = true;`
			`};`
			`restartUnits = [ "sshd.service" ];`
			`};`
			`}`