default.nix (1773B)
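{
  lib,
  options,
  config,
  pkgs,
  ...
}:
{
  # OpenSSH module: an optional client-side agent and an optional sshd
  # listener on a single port with per-user public-key authorization.
  options.modules.openssh = {
    agent = {
      enable = lib.mkOption {
        description = "Whether to enable the OpenSSH agent.";
        default = false;
        type = lib.types.bool;
      };
    };
    listen = {
      enable = lib.mkOption {
        description = ''
          Whether to listen for SSH connection requests at the given port.
        '';
        default = false;
        type = lib.types.bool;
      };
      port = lib.mkOption {
        description = ''
          The port which listens for the SSH connection requests.
        '';
        # `port` (a u16) rejects out-of-range values at evaluation time
        # rather than only when sshd reads its generated config.
        type = lib.types.port;
      };
      authorizedKeyFiles = lib.mkOption {
        description = ''
          For each user, a list of public SSH key files that are authorized to
          connect.
        '';
        type = lib.types.listOf lib.types.path |> lib.types.attrsOf;
      };
    };
  };

  config =
    let
      inherit (config.modules.openssh)
        agent
        listen
        ;
    in
    {
      programs.ssh = lib.mkIf agent.enable {
        startAgent = true;
        package = pkgs.openssh;
      };

      services.openssh = lib.mkIf listen.enable {
        enable = true;
        ports = [
          listen.port
        ];
        settings = {
          # Key-based authentication only. Disabling PasswordAuthentication
          # alone is not sufficient: with KbdInteractiveAuthentication left at
          # its default, sshd still accepts passwords through PAM's
          # keyboard-interactive method, so both are switched off.
          PasswordAuthentication = false;
          KbdInteractiveAuthentication = false;
        };
      };

      # Open the firewall only for the configured listener port.
      networking.firewall.allowedTCPPorts = lib.mkIf listen.enable [
        listen.port
      ];

      # Turn the user -> key-file list attrset into per-user
      # authorizedKeys.keyFiles entries.
      users.users = lib.mkIf listen.enable (
        listen.authorizedKeyFiles
        |> builtins.mapAttrs (
          user: files: {
            openssh.authorizedKeys.keyFiles = files;
          }
        )
      );

      # Block repeated failed logins against the listener.
      services.sshguard = lib.mkIf listen.enable {
        enable = true;
      };
    };
}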