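# Liminix service definition for the dropbear SSH daemon, run under the
# `longrun` supervisor.
#
# Outer function: the package set (liminix, dropbear, lib).
# Inner function: the service parameters `p`, of which this file reads
#   authorizedKeys - null, or an attrset of login name -> list of public
#                    key lines; installed below /run/sshd/authorized_keys/
#   allowRoot, allowPasswordLogin, allowPasswordLoginForRoot,
#   allowLocalPortForward, allowRemotePortForward,
#   allowRemoteConnectionToForwardedPorts
#                  - booleans, each mapped to one dropbear flag (see
#                    `options` below)
#   address        - null, or the address dropbear should listen on
#   port           - the listen port (an integer is accepted: it is
#                    toString'd on both -p branches)
#   extraConfig    - a string of extra dropbear arguments, passed through
#                    unquoted to the command line
{
  liminix
, dropbear
, lib
}:
{authorizedKeys, ...} @ p :
let
  name = "sshd";
  inherit (liminix.services) longrun;
  inherit (lib) concatStringsSep escapeShellArg mapAttrs mapAttrsToList;

  # dropbear command-line arguments.  The service options are phrased
  # permissively ("allow…"), while most dropbear flags are restrictive
  # ("disable…"), hence the negations.  The exception is -a, which
  # *enables* a feature and therefore must not be negated.
  options =
    [
      "-e" # pass environment to child
      "-E" # log to stderr
      "-R" # create hostkeys if needed
      "-P /run/dropbear.pid"
      "-F" # don't fork into background
    ] ++
    (lib.optional (! p.allowRoot) "-w") ++                  # -w: disallow root logins
    (lib.optional (! p.allowPasswordLogin) "-s") ++         # -s: disable password logins
    (lib.optional (! p.allowPasswordLoginForRoot) "-g") ++  # -g: disable password logins for root
    (lib.optional (! p.allowLocalPortForward) "-j") ++      # -j: disable local port forwarding
    (lib.optional (! p.allowRemotePortForward) "-k") ++     # -k: disable remote port forwarding
    # -a makes dropbear accept connections to forwarded ports from any
    # host.  It is passed when the option is true; passing it on the
    # negated condition (as the previous version did) exposed forwarded
    # ports exactly when the configuration asked for them to be closed.
    (lib.optional p.allowRemoteConnectionToForwardedPorts "-a") ++
    # -U: per-user authorized_keys path; %n is presumably expanded to the
    # login name, matching the files written by `run` below — confirm
    # against the dropbear build in use.
    (lib.optionals (authorizedKeys != null)
      ["-U" "/run/${name}/authorized_keys/%n"]) ++
    # p.port is converted on both branches; interpolating a bare integer
    # into "${...}" is an evaluation error in Nix, so the address branch
    # previously only worked when port was already a string.
    [(if p.address != null
      then "-p ${p.address}:${builtins.toString p.port}"
      else "-p ${builtins.toString p.port}")] ++
    [p.extraConfig];

  # login name -> that user's keys joined by a literal backslash-n, which
  # `echo -e` in the run script turns into real newlines.  (Keys must
  # therefore not contain backslash sequences of their own.)
  authKeysConcat =
    if authorizedKeys != null
    then mapAttrs
      (n : v : concatStringsSep "\\n" v)
      authorizedKeys
    else {};
in
longrun {
  inherit name;
  # we need /run/dropbear to point to hostkey storage, as that
  # pathname is hardcoded into the binary.
  # env -i clears the environment so we don't pass anything weird to
  # ssh sessions
  # NOTE(review): `ln -s` fails if /run/dropbear already exists (e.g. a
  # restart without /run being cleared) — confirm the supervisor copes.
  run = ''
    ln -s $(mkstate dropbear) /run
    mkdir -p /run/${name}/authorized_keys
    ${concatStringsSep "\n"
      (mapAttrsToList
        # each key blob is shell-quoted (escapeShellArg) so that a quote
        # character in a key comment cannot break out of the generated
        # script; the \n escapes survive quoting and are still expanded
        # by echo -e
        (n : v : "echo -e ${escapeShellArg v} > /run/${name}/authorized_keys/${n} ")
        authKeysConcat
      )
    }
    . /etc/profile # sets PATH but do we need this? it's the same file as ashrc
    exec env -i ENV=/etc/ashrc PATH=$PATH ${dropbear}/bin/dropbear ${concatStringsSep " " options}
  '';
}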