liminix/modules/ssh/ssh.nix

{
  liminix,
  dropbear,
  lib,
  watch-ssh-keys,
}:
{
  address,
  allowLocalPortForward,
  allowPasswordLogin,
  allowPasswordLoginForRoot,
  allowRemoteConnectionToForwardedPorts,
  allowRemotePortForward,
  allowRoot,
  authorizedKeys,
  port,
  extraConfig,
}:
let
  name = "sshd";
  inherit (builtins) toString typeOf;
  inherit (liminix.services) longrun;
  inherit (lib) concatStringsSep mapAttrs mapAttrsToList;
  keydir = "/run/${name}/authorized_keys";
  options =
    [
      "-e" # pass environment to child
      "-E" # log to stderr
      "-R" # create hostkeys if needed
      "-P /run/dropbear.pid"
      "-F" # don't fork into background
    ]
    ++ (lib.optional (!allowRoot) "-w")
    ++ (lib.optional (!allowPasswordLogin) "-s")
    ++ (lib.optional (!allowPasswordLoginForRoot) "-g")
    ++ (lib.optional (!allowLocalPortForward) "-j")
    ++ (lib.optional (!allowRemotePortForward) "-k")
    ++ (lib.optional (!allowRemoteConnectionToForwardedPorts) "-a")
    ++ (lib.optionals (authorizedKeys != null) [
      "-U"
      "${keydir}/%n"
    ])
    ++ [
      (if address != null then "-p ${address}:${toString port}" else "-p ${toString port}")
    ]
    ++ [ extraConfig ];
  isKeyservice = typeOf authorizedKeys == "lambda";
  authKeysConcat =
    if authorizedKeys != null && !isKeyservice then
      mapAttrs (n: v: concatStringsSep "\\n" v) authorizedKeys
    else
      { };
  keyservice = longrun {
    name = "${name}-watch-keys";
    run = ''
      mkdir -p ${keydir}
      exec ${watch-ssh-keys}/bin/watch-ssh-keys -d ${keydir} ${authorizedKeys "service"} ${authorizedKeys "path"}
    '';
    dependencies = [ (authorizedKeys "service") ];
  };
in
longrun {
  inherit name;
  # we need /run/dropbear to point to hostkey storage, as that
  # pathname is hardcoded into the binary.
  # env -i clears the environment so we don't pass anything weird to
  # ssh sessions
  run = ''
    ln -s $(mkstate dropbear) /run
    mkdir -p /run/${name}/authorized_keys
    ${concatStringsSep "\n" (
      mapAttrsToList (n: v: "echo -e '${v}' > /run/${name}/authorized_keys/${n} ") authKeysConcat
    )}
    . /etc/profile # sets PATH but do we need this?  it's the same file as ashrc
    exec env -i ENV=/etc/ashrc PATH=$PATH ${dropbear}/bin/dropbear ${concatStringsSep " " options}
  '';
  dependencies = lib.optional isKeyservice keyservice;
}
add ssh module 2023-08-10 21:53:21 +00:00			`{`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`liminix,`
			`dropbear,`
			`lib,`
			`watch-ssh-keys,`
add ssh module 2023-08-10 21:53:21 +00:00			`}:`
destructure params in ssh service 2024-08-23 22:13:49 +00:00			`{`
			`address,`
			`allowLocalPortForward,`
			`allowPasswordLogin,`
			`allowPasswordLoginForRoot,`
			`allowRemoteConnectionToForwardedPorts,`
			`allowRemotePortForward,`
			`allowRoot,`
			`authorizedKeys,`
			`port,`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`extraConfig,`
destructure params in ssh service 2024-08-23 22:13:49 +00:00			`}:`
add ssh module 2023-08-10 21:53:21 +00:00			`let`
add authorizedKeys option to ssh service this has no apparent use as it stands, but opens the door to having the keys managed by an external secrets service 2024-08-23 19:35:07 +00:00			`name = "sshd";`
sshd can use outputRef for authorized_keys 2024-08-25 15:35:50 +00:00			`inherit (builtins) toString typeOf;`
add ssh module 2023-08-10 21:53:21 +00:00			`inherit (liminix.services) longrun;`
add authorizedKeys option to ssh service this has no apparent use as it stands, but opens the door to having the keys managed by an external secrets service 2024-08-23 19:35:07 +00:00			`inherit (lib) concatStringsSep mapAttrs mapAttrsToList;`
sshd can use outputRef for authorized_keys 2024-08-25 15:35:50 +00:00			`keydir = "/run/${name}/authorized_keys";`
add ssh module 2023-08-10 21:53:21 +00:00			`options =`
			`[`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`"-e" # pass environment to child`
			`"-E" # log to stderr`
			`"-R" # create hostkeys if needed`
add ssh module 2023-08-10 21:53:21 +00:00			`"-P /run/dropbear.pid"`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`"-F" # don't fork into background`
			`]`
			`++ (lib.optional (!allowRoot) "-w")`
			`++ (lib.optional (!allowPasswordLogin) "-s")`
			`++ (lib.optional (!allowPasswordLoginForRoot) "-g")`
			`++ (lib.optional (!allowLocalPortForward) "-j")`
			`++ (lib.optional (!allowRemotePortForward) "-k")`
			`++ (lib.optional (!allowRemoteConnectionToForwardedPorts) "-a")`
			`++ (lib.optionals (authorizedKeys != null) [`
			`"-U"`
			`"${keydir}/%n"`
			`])`
			`++ [`
			`(if address != null then "-p ${address}:${toString port}" else "-p ${toString port}")`
			`]`
			`++ [ extraConfig ];`
sshd can use outputRef for authorized_keys 2024-08-25 15:35:50 +00:00			`isKeyservice = typeOf authorizedKeys == "lambda";`
add authorizedKeys option to ssh service this has no apparent use as it stands, but opens the door to having the keys managed by an external secrets service 2024-08-23 19:35:07 +00:00			`authKeysConcat =`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`if authorizedKeys != null && !isKeyservice then`
			`mapAttrs (n: v: concatStringsSep "\\n" v) authorizedKeys`
			`else`
			`{ };`
sshd can use outputRef for authorized_keys 2024-08-25 15:35:50 +00:00			`keyservice = longrun {`
			`name = "${name}-watch-keys";`
			`run = ''`
			`mkdir -p ${keydir}`
			`exec ${watch-ssh-keys}/bin/watch-ssh-keys -d ${keydir} ${authorizedKeys "service"} ${authorizedKeys "path"}`
			`'';`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`dependencies = [ (authorizedKeys "service") ];`
sshd can use outputRef for authorized_keys 2024-08-25 15:35:50 +00:00			`};`
add ssh module 2023-08-10 21:53:21 +00:00			`in`
			`longrun {`
add authorizedKeys option to ssh service this has no apparent use as it stands, but opens the door to having the keys managed by an external secrets service 2024-08-23 19:35:07 +00:00			`inherit name;`
use mkstate for dropbear keys 2024-02-13 22:12:26 +00:00			`# we need /run/dropbear to point to hostkey storage, as that`
			`# pathname is hardcoded into the binary.`
add ssh module 2023-08-10 21:53:21 +00:00			`# env -i clears the environment so we don't pass anything weird to`
			`# ssh sessions`
			`run = ''`
use mkstate for dropbear keys 2024-02-13 22:12:26 +00:00			`ln -s $(mkstate dropbear) /run`
add authorizedKeys option to ssh service this has no apparent use as it stands, but opens the door to having the keys managed by an external secrets service 2024-08-23 19:35:07 +00:00			`mkdir -p /run/${name}/authorized_keys`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`${concatStringsSep "\n" (`
			`mapAttrsToList (n: v: "echo -e '${v}' > /run/${name}/authorized_keys/${n} ") authKeysConcat`
			`)}`
add ssh module 2023-08-10 21:53:21 +00:00			`. /etc/profile # sets PATH but do we need this? it's the same file as ashrc`
			`exec env -i ENV=/etc/ashrc PATH=$PATH ${dropbear}/bin/dropbear ${concatStringsSep " " options}`
			`'';`
sshd can use outputRef for authorized_keys 2024-08-25 15:35:50 +00:00			`dependencies = lib.optional isKeyservice keyservice;`
add ssh module 2023-08-10 21:53:21 +00:00			`}`