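{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.services.tmate-ssh-server;

  # Location of the host keys generated by the preStart script when the user
  # does not point `keysDir` at their own keys.
  defaultKeysDir = "/etc/tmate-ssh-server-keys";
  edKey = "${defaultKeysDir}/ssh_host_ed25519_key";
  rsaKey = "${defaultKeysDir}/ssh_host_rsa_key";

  # Effective key directory: the user-supplied one, else the auto-generated one.
  keysDir =
    if cfg.keysDir == null
    then defaultKeysDir
    else cfg.keysDir;

  domain = config.networking.domain;
in
{
  options.services.tmate-ssh-server = {
    enable = mkEnableOption (mdDoc "tmate ssh server");

    package = mkOption {
      type = types.package;
      description = mdDoc "The package containing tmate-ssh-server";
      defaultText = literalExpression "pkgs.tmate-ssh-server";
      default = pkgs.tmate-ssh-server;
    };

    # Used both as the daemon's `-h` argument and as `tmate-server-host` in the
    # client configuration emitted by `tmate-client-config`.
    host = mkOption {
      type = types.str;
      description = mdDoc "External host name";
      defaultText = lib.literalExpression "config.networking.domain or config.networking.hostName";
      default =
        if domain == null then
          config.networking.hostName
        else
          domain;
    };

    port = mkOption {
      type = types.port;
      description = mdDoc "Listen port for the ssh server";
      default = 2222;
    };

    openFirewall = mkOption {
      type = types.bool;
      default = false;
      description = mdDoc "Whether to automatically open the specified ports in the firewall.";
    };

    # Defaults to `port` (via mkDefault in the config section below); only needs
    # to be set when clients reach the server through a different external port.
    advertisedPort = mkOption {
      type = types.port;
      description = mdDoc "External port advertised to clients";
    };

    # When set, the directory must already contain ssh_host_ed25519_key and
    # ssh_host_rsa_key together with their .pub files (the .pub files are read
    # by `tmate-client-config`); no keys are generated in that case.
    keysDir = mkOption {
      type = with types; nullOr str;
      description = mdDoc "Directory containing ssh keys, defaulting to auto-generation";
      default = null;
    };
  };

  config = mkIf cfg.enable {

    networking.firewall.allowedTCPPorts = optionals cfg.openFirewall [ cfg.port ];

    services.tmate-ssh-server = {
      advertisedPort = mkDefault cfg.port;
    };

    # `tmate-client-config` prints a tmate.conf that pins this server's host key
    # fingerprints, so clients can verify the server they connect to.
    environment.systemPackages =
      let
        tmate-config = pkgs.writeText "tmate.conf"
          ''
            set -g tmate-server-host "${cfg.host}"
            set -g tmate-server-port ${toString cfg.port}
            set -g tmate-server-ed25519-fingerprint "@ed25519_fingerprint@"
            set -g tmate-server-rsa-fingerprint "@rsa_fingerprint@"
          '';
      in
      [
        (pkgs.writeShellApplication {
          name = "tmate-client-config";
          runtimeInputs = with pkgs; [ openssh coreutils sd ];
          # Fingerprints are computed at run time from the public keys, so the
          # same script works for auto-generated and user-supplied keys.
          text = ''
            RSA_SIG="$(ssh-keygen -l -E SHA256 -f "${keysDir}/ssh_host_rsa_key.pub" | cut -d ' ' -f 2)"
            ED25519_SIG="$(ssh-keygen -l -E SHA256 -f "${keysDir}/ssh_host_ed25519_key.pub" | cut -d ' ' -f 2)"
            sd -sp '@ed25519_fingerprint@' "$ED25519_SIG" ${tmate-config} | \
              sd -sp '@rsa_fingerprint@' "$RSA_SIG"
          '';
        })
      ];

    # NOTE(review): no User=/DynamicUser= or sandboxing directives are set, so
    # the daemon runs with full root privileges; confirm whether tmate-ssh-server
    # needs that before considering hardening options.
    systemd.services.tmate-ssh-server = {
      description = "tmate SSH Server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        # Quote every argument: `host` and `keysDir` are free-form strings and
        # would otherwise be word-split by systemd's ExecStart parser.
        ExecStart = "${cfg.package}/bin/tmate-ssh-server " + escapeShellArgs [
          "-h" cfg.host
          "-p" (toString cfg.port)
          "-q" (toString cfg.advertisedPort)
          "-k" keysDir
        ];
      };
      # Generate host keys on first start when none were supplied. The keys are
      # created without a passphrase (-N "") so the service can start unattended;
      # existing files are never overwritten, which keeps the advertised
      # fingerprints stable across restarts. The directory is created with the
      # default umask -- presumably so the .pub files stay readable by
      # unprivileged users running tmate-client-config; verify before tightening.
      preStart = mkIf (cfg.keysDir == null) ''
        if [[ ! -d ${defaultKeysDir} ]]
        then
          mkdir -p ${defaultKeysDir}
        fi
        if [[ ! -f ${edKey} ]]
        then
          ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f ${edKey} -N ""
        fi
        if [[ ! -f ${rsaKey} ]]
        then
          ${pkgs.openssh}/bin/ssh-keygen -t rsa -f ${rsaKey} -N ""
        fi
      '';
    };
  };

  meta = {
    maintainers = with maintainers; [ jlesquembre ];
  };
}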