refactor: seperate module for openssh

2025-07-05 20:56:33 +05:30 · 2025-02-22 08:11:40 +05:30
parent 0cd6576cdf
commit f2fbb6c47d
10 changed files with 87 additions and 22 deletions
--- a/hosts/alpha/default.nix
+++ b/hosts/alpha/default.nix
@ -13,6 +13,8 @@
    ../../modules/nixos/upstream-proxy.nix
  ];

+  tux.services.openssh.enable = true;
+
  sops.secrets = {
    borg_encryption_key = {
      sopsFile = ./secrets.yaml;
--- a/hosts/arcturus/default.nix
+++ b/hosts/arcturus/default.nix
@ -32,6 +32,8 @@
    ../../modules/nixos/containers/cs2.nix
  ];

+  tux.services.openssh.enable = true;
+
  sops.secrets = {
    borg_encryption_key = {
      sopsFile = ./secrets.yaml;
--- a/hosts/canopus/default.nix
+++ b/hosts/canopus/default.nix
@ -21,6 +21,8 @@
    ../../modules/nixos/steam.nix
  ];

+  tux.services.openssh.enable = true;
+
  nixpkgs.config.cudaSupport = true;

  sops.secrets = {
--- a/hosts/capella/default.nix
+++ b/hosts/capella/default.nix
@ -15,6 +15,8 @@
    ../../modules/nixos/containers/cs2.nix
  ];

+  tux.services.openssh.enable = true;
+
  sops.secrets = {
    "cs2_secrets/SRCDS_TOKEN" = {
      sopsFile = ./secrets.yaml;
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@ -3,21 +3,17 @@
  username,
  outputs,
  config,
-  lib,
  inputs,
  email,
  ...
-}: let
-  # Sops needs acess to the keys before the persist dirs are even mounted; so
-  # just persisting the keys won't work, we must point at /persist
-  hasOptinPersistence = config.environment.persistence."/persist".enable;
-in {
+}: {
  imports = [
    inputs.impermanence.nixosModules.impermanence
    inputs.home-manager.nixosModules.home-manager

    ../../modules/nixos/fail2ban.nix
    ../../modules/nixos/sops.nix
+    ../../modules/nixos/networking/ssh.nix
  ];

  sops.secrets.tux-password = {
@ -98,22 +94,6 @@ in {
    };
  };

-  services = {
-    openssh = {
-      enable = true;
-      settings = {
-        PasswordAuthentication = false;
-      };
-
-      hostKeys = [
-        {
-          path = "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key";
-          type = "ed25519";
-        }
-      ];
-    };
-  };
-
  users = {
    mutableUsers = false;
    defaultUserShell = pkgs.zsh;
--- a/hosts/homelab/default.nix
+++ b/hosts/homelab/default.nix
@ -19,6 +19,8 @@
    ../../modules/nixos/cyber-tux.nix
  ];

+  tux.services.openssh.enable = true;
+
  sops.secrets = {
    discord_token = {
      sopsFile = ./secrets.yaml;
--- a/hosts/sirius/default.nix
+++ b/hosts/sirius/default.nix
@ -12,6 +12,8 @@
    ../../modules/nixos/virtualisation/docker.nix
  ];

+  tux.services.openssh.enable = true;
+
  boot.binfmt.emulatedSystems = ["aarch64-linux"];

  nixpkgs = {
--- a/hosts/vega/default.nix
+++ b/hosts/vega/default.nix
@ -10,6 +10,8 @@
    ../../modules/nixos/adguard.nix
  ];

+  tux.services.openssh.enable = true;
+
  boot.initrd.availableKernelModules = [
    "usbhid"
    "usb_storage"
--- a/hosts/vps/default.nix
+++ b/hosts/vps/default.nix
@ -14,6 +14,8 @@
    ../common
  ];

+  tux.services.openssh.enable = true;
+
  nixpkgs = {
    hostPlatform = "x86_64-linux";
  };
--- a/modules/nixos/networking/ssh.nix
+++ b/modules/nixos/networking/ssh.nix
@ -0,0 +1,69 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.tux.services.openssh;
+
+  # Sops needs acess to the keys before the persist dirs are even mounted; so
+  # just persisting the keys won't work, we must point at /persist
+  hasOptinPersistence = config.environment.persistence."/persist".enable;
+in {
+  options.tux.services.openssh = {
+    enable = mkEnableOption "Enable OpenSSH server";
+
+    ports = mkOption {
+      type = types.listOf types.port;
+      default = [22];
+      description = ''
+        Specifies on which ports the SSH daemon listens.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.openssh = {
+      enable = true;
+      startWhenNeeded = true;
+      allowSFTP = true;
+      ports = cfg.ports;
+
+      settings = {
+        PermitRootLogin = "no";
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        AuthenticationMethods = "publickey";
+        PubkeyAuthentication = "yes";
+        ChallengeResponseAuthentication = "no";
+        UsePAM = false;
+        UseDns = false;
+        X11Forwarding = false;
+        KexAlgorithms = [
+          "curve25519-sha256"
+          "curve25519-sha256@libssh.org"
+          "diffie-hellman-group16-sha512"
+          "diffie-hellman-group18-sha512"
+          "sntrup761x25519-sha512@openssh.com"
+          "diffie-hellman-group-exchange-sha256"
+          "mlkem768x25519-sha256"
+          "sntrup761x25519-sha512"
+        ];
+        Macs = [
+          "hmac-sha2-512-etm@openssh.com"
+          "hmac-sha2-256-etm@openssh.com"
+          "umac-128-etm@openssh.com"
+        ];
+        ClientAliveCountMax = 5;
+        ClientAliveInterval = 60;
+      };
+
+      hostKeys = [
+        {
+          path = "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+      ];
+    };
+  };
+}