feat: add new host rigel

2025-07-07 02:06:34 +05:30 · 2025-02-22 21:10:19 +05:30
parent 55e31c03fc
commit 8f99c087bb
6 changed files with 362 additions and 10 deletions
--- a/modules/droid/sshd.nix
+++ b/modules/droid/sshd.nix
@ -0,0 +1,106 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  # utility functions
+  concatLines = list: builtins.concatStringsSep "\n" list;
+
+  prefixLines = mapper: list: concatLines (map mapper list);
+
+  # could be put in the config
+  configPath = "ssh/sshd_config";
+
+  keysFolder = "/etc/ssh";
+
+  authorizedKeysFolder = "/etc/ssh/authorized_keys.d";
+
+  supportedKeysTypes = [
+    "rsa"
+    "ed25519"
+  ];
+
+  sshd-start-bin = "sshd-start";
+
+  # real config
+  cfg = config.services.openssh;
+
+  pathOfKeyOf = type: "${keysFolder}/ssh_host_${type}_key";
+
+  generateKeyOf = type: ''
+    ${lib.getExe' pkgs.openssh "ssh-keygen"} \
+      -t "${type}" \
+      -f "${pathOfKeyOf type}" \
+      -N ""
+  '';
+
+  generateKeyWhenNeededOf = type: ''
+    if [ ! -f ${pathOfKeyOf type} ]; then
+      mkdir --parents ${keysFolder}
+      ${generateKeyOf type}
+    fi
+  '';
+
+  sshd-start = pkgs.writeScriptBin sshd-start-bin ''
+    #!${pkgs.runtimeShell}
+    ${prefixLines generateKeyWhenNeededOf supportedKeysTypes}
+
+    mkdir --parents "${authorizedKeysFolder}"
+    echo "${lib.concatStringsSep "\n" cfg.authorizedKeys}" > ${authorizedKeysFolder}/${config.user.userName}
+
+    echo "Starting sshd in non-daemonized way on port ${lib.concatMapStrings toString cfg.ports}"
+    ${lib.getExe' pkgs.openssh "sshd"} \
+      -f "/etc/${configPath}" \
+      -D # don't detach into a daemon process
+  '';
+in {
+  options = {
+    services.openssh = {
+      enable = lib.mkEnableOption ''
+        Whether to enable the OpenSSH secure shell daemon, which
+        allows secure remote logins.
+      '';
+
+      ports = lib.mkOption {
+        type = lib.types.listOf lib.types.port;
+        default = [22];
+        description = ''
+          Specifies on which ports the SSH daemon listens.
+        '';
+      };
+
+      authorizedKeys = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [];
+        description = ''
+          Specify a list of public keys to be added to the authorized_keys file.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.etc = {
+      "${configPath}".text = ''
+        ${prefixLines (port: "Port ${toString port}") cfg.ports}
+
+        AuthorizedKeysFile ${authorizedKeysFolder}/%u
+
+        LogLevel VERBOSE
+      '';
+    };
+
+    environment.packages = [
+      sshd-start
+      pkgs.openssh
+    ];
+
+    build.activationAfter.sshd = ''
+      SERVER_PID=$(${lib.getExe' pkgs.procps "ps"} -a | ${lib.getExe' pkgs.toybox "grep"} sshd || true)
+      if [ -z "$SERVER_PID" ]; then
+        $DRY_RUN_CMD ${lib.getExe sshd-start}
+      fi
+    '';
+  };
+}