satellite/hosts/nixos/common/global/services/openssh.nix

# This setups a SSH server.
{
  outputs,
  config,
  lib,
  ...
}:
let
  # Record containing all the hosts
  hosts = outputs.nixosConfigurations;

  # Name of the current hostname
  hostname = config.networking.hostName;

  # Function from hostname to relative path to public ssh key
  pubKey = host: ../../${host}/keys/ssh_host_ed25519_key.pub;
in
{
  services.openssh = {
    enable = true;

    settings = {
      PermitRootLogin = lib.mkDefault "no"; # Forbid root login through SSH.
      PasswordAuthentication = lib.mkDefault false; # Use keys only.
    };

    # Automatically remove stale sockets
    extraConfig = ''
      StreamLocalBindUnlink yes
    '';

    # Generate ssh key
    hostKeys =
      let
        mkKey =
          type: path: extra:
          { inherit type path; } // extra;
      in
      [
        (mkKey "ed25519" "/persist/state/etc/ssh/ssh_host_ed25519_key" { })
        (mkKey "rsa" "/persist/state/etc/ssh/ssh_host_rsa_key" { bits = 4096; })
      ];
  };

  # Add each host in this repo to the knownHosts list
  programs.ssh = {
    knownHosts = lib.pipe hosts [
      # attrsetof host -> attrsetof { ... }
      (builtins.mapAttrs
        # string -> host -> { ... }
        (
          name: _: {
            publicKeyFile = pubKey name;
            extraHostNames = lib.optional (name == hostname) "localhost";
          }
        )
      )

      # attrsetof { ... } -> attrsetof { ... }
      (lib.attrsets.filterAttrs
        # string -> { ... } -> bool
        (_: { publicKeyFile, ... }: builtins.pathExists publicKeyFile)
      )
    ];
  };

  # By default, this will ban failed ssh attempts
  services.fail2ban.enable = lib.mkDefault true;

  # Makes it easy to copy host keys at install time without messing up permissions
  systemd.tmpfiles.rules = [
    "d /persist/state/etc/ssh"
  ] ++ (lib.lists.forEach config.services.openssh.hostKeys (key: "e ${key.path} 0700"));
}
Prepare calypso install 2024-08-26 17:38:47 +02:00			`# This setups a SSH server.`
			`{`
			`outputs,`
			`config,`
			`lib,`
			`...`
			`}:`
Added so much stuff 2023-01-10 02:38:06 +01:00			`let`
			`# Record containing all the hosts`
			`hosts = outputs.nixosConfigurations;`

			`# Name of the current hostname`
			`hostname = config.networking.hostName;`

			`# Function from hostname to relative path to public ssh key`
Integrated nixos-hardware, more ricing, and much more 2023-08-17 09:31:46 +02:00			`pubKey = host: ../../${host}/keys/ssh_host_ed25519_key.pub;`
Added so much stuff 2023-01-10 02:38:06 +01:00			`in`
			`{`
			`services.openssh = {`
			`enable = true;`

Backup 2023-06-15 20:08:20 +02:00			`settings = {`
Prepare calypso install 2024-08-26 17:38:47 +02:00			`PermitRootLogin = lib.mkDefault "no"; # Forbid root login through SSH.`
			`PasswordAuthentication = lib.mkDefault false; # Use keys only.`
Backup 2023-06-15 20:08:20 +02:00			`};`
Added so much stuff 2023-01-10 02:38:06 +01:00
			`# Automatically remove stale sockets`
			`extraConfig = ''`
			`StreamLocalBindUnlink yes`
			`'';`

			`# Generate ssh key`
Set up the basics of imperanence 2023-04-27 01:08:20 +02:00			`hostKeys =`
Prepare calypso install 2024-08-26 17:38:47 +02:00			`let`
			`mkKey =`
			`type: path: extra:`
			`{ inherit type path; } // extra;`
Set up the basics of imperanence 2023-04-27 01:08:20 +02:00			`in`
			`[`
Hyprpaper module 2023-06-09 13:17:34 +02:00			`(mkKey "ed25519" "/persist/state/etc/ssh/ssh_host_ed25519_key" { })`
			`(mkKey "rsa" "/persist/state/etc/ssh/ssh_host_rsa_key" { bits = 4096; })`
Set up the basics of imperanence 2023-04-27 01:08:20 +02:00			`];`
Added so much stuff 2023-01-10 02:38:06 +01:00			`};`

			`# Add each host in this repo to the knownHosts list`
			`programs.ssh = {`
Started working on guest@euporie 2023-05-28 02:00:10 +02:00			`knownHosts = lib.pipe hosts [`
			`# attrsetof host -> attrsetof { ... }`
			`(builtins.mapAttrs`
			`# string -> host -> { ... }`
Prepare calypso install 2024-08-26 17:38:47 +02:00			`(`
			`name: _: {`
			`publicKeyFile = pubKey name;`
			`extraHostNames = lib.optional (name == hostname) "localhost";`
			`}`
			`)`
			`)`
Started working on guest@euporie 2023-05-28 02:00:10 +02:00
			`# attrsetof { ... } -> attrsetof { ... }`
Tried setting up a vm machine 2023-05-28 05:24:36 +02:00			`(lib.attrsets.filterAttrs`
Started working on guest@euporie 2023-05-28 02:00:10 +02:00			`# string -> { ... } -> bool`
Prepare calypso install 2024-08-26 17:38:47 +02:00			`(_: { publicKeyFile, ... }: builtins.pathExists publicKeyFile)`
			`)`
Started working on guest@euporie 2023-05-28 02:00:10 +02:00			`];`
Added so much stuff 2023-01-10 02:38:06 +01:00			`};`
Set up initial whoogle config 2024-01-18 07:44:16 +01:00
Fail2ban, more wallpapers, better lua theming & more 2024-04-13 22:42:29 +02:00			`# By default, this will ban failed ssh attempts`
Fail2ban keeps annoying me when debugging ssh stuff sldkjfslkdjfs 2024-11-09 13:19:49 +01:00			`services.fail2ban.enable = lib.mkDefault true;`
Fail2ban, more wallpapers, better lua theming & more 2024-04-13 22:42:29 +02:00
Set up initial whoogle config 2024-01-18 07:44:16 +01:00			`# Makes it easy to copy host keys at install time without messing up permissions`
Finalize calypso install! 2024-08-26 23:30:04 +02:00			`systemd.tmpfiles.rules = [`
			`"d /persist/state/etc/ssh"`
			`] ++ (lib.lists.forEach config.services.openssh.hostKeys (key: "e ${key.path} 0700"));`
Added so much stuff 2023-01-10 02:38:06 +01:00			`}`