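{ config, lib, pkgs, utils, ... }:
let
  cfg = config.services.tmate-ssh-server;

  # Host keys are generated under this directory only when `keysDir` is left
  # unset. tmate clients pin these keys by fingerprint (see
  # `tmate-client-config` below), so regenerating them invalidates every
  # client config that was distributed before.
  defaultKeysDir = "/etc/tmate-ssh-server-keys";
  edKey = "${defaultKeysDir}/ssh_host_ed25519_key";
  rsaKey = "${defaultKeysDir}/ssh_host_rsa_key";

  # Directory handed to the daemon via `-k` and read by `tmate-client-config`.
  keysDir = if cfg.keysDir == null then defaultKeysDir else cfg.keysDir;

  domain = config.networking.domain;
in
{
  options.services.tmate-ssh-server = {
    enable = lib.mkEnableOption "tmate ssh server";

    package = lib.mkPackageOption pkgs "tmate-ssh-server" { };

    host = lib.mkOption {
      type = lib.types.str;
      description = "External host name";
      defaultText = lib.literalExpression "config.networking.domain or config.networking.hostName";
      default = if domain == null then config.networking.hostName else domain;
    };

    port = lib.mkOption {
      type = lib.types.port;
      description = "Listen port for the ssh server";
      default = 2222;
    };

    openFirewall = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Whether to automatically open the specified ports in the firewall.";
    };

    advertisedPort = lib.mkOption {
      type = lib.types.port;
      description = "External port advertised to clients";
      # Declared as a real option default (instead of `mkDefault cfg.port` in
      # `config`) so the option is documented and a user's own `mkDefault`
      # override does not collide with the module's definition.
      default = cfg.port;
      defaultText = lib.literalExpression "config.services.tmate-ssh-server.port";
    };

    keysDir = lib.mkOption {
      # Deliberately `str` rather than `path`: a path literal would be copied
      # into the world-readable Nix store, leaking the private host keys.
      type = with lib.types; nullOr str;
      description = "Directory containing ssh keys, defaulting to auto-generation";
      default = null;
    };
  };

  config = lib.mkIf cfg.enable {

    networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ];

    environment.systemPackages =
      let
        # Client-side tmate.conf template. The fingerprint placeholders are
        # filled in at run time because the keys need not exist at build time.
        tmate-config = pkgs.writeText "tmate.conf" ''
          set -g tmate-server-host "${cfg.host}"
          set -g tmate-server-port ${toString cfg.port}
          set -g tmate-server-ed25519-fingerprint "@ed25519_fingerprint@"
          set -g tmate-server-rsa-fingerprint "@rsa_fingerprint@"
        '';
      in
      [
        # Prints a tmate.conf carrying this server's SHA256 host-key
        # fingerprints so that tmate clients can pin the server's host keys.
        # Hand its output to clients out of band.
        (pkgs.writeShellApplication {
          name = "tmate-client-config";
          runtimeInputs = with pkgs; [ openssh coreutils ];
          text = ''
            # `ssh-keygen -l` prints "<bits> SHA256:<digest> <comment> (<type>)";
            # field 2 is the fingerprint. Only the public halves are read.
            RSA_SIG="$(ssh-keygen -l -E SHA256 -f "${keysDir}/ssh_host_rsa_key.pub" | cut -d ' ' -f 2)"
            ED25519_SIG="$(ssh-keygen -l -E SHA256 -f "${keysDir}/ssh_host_ed25519_key.pub" | cut -d ' ' -f 2)"
            # `|` is used as the sed delimiter because base64 fingerprints contain `/`.
            sed "s|@ed25519_fingerprint@|$ED25519_SIG|g" ${tmate-config} | \
              sed "s|@rsa_fingerprint@|$RSA_SIG|g"
          '';
        })
      ];

    systemd.services.tmate-ssh-server = {
      description = "tmate SSH Server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        # Escaped per systemd's ExecStart quoting rules so that a `host` or
        # `keysDir` containing whitespace or `%` specifiers cannot split or
        # corrupt the command line.
        ExecStart = utils.escapeSystemdExecArgs [
          "${cfg.package}/bin/tmate-ssh-server"
          "-h" cfg.host
          "-p" (toString cfg.port)
          "-q" (toString cfg.advertisedPort)
          "-k" keysDir
        ];
        # NOTE(review): no User/DynamicUser or sandboxing directives are set,
        # so the daemon runs as root. preStart writes under /etc, so any later
        # hardening (e.g. ProtectSystem=strict) needs a ReadWritePaths
        # exception for the key directory -- confirm against the daemon's own
        # privilege model before adding it.
      };
      # Generate host keys once, and only for the auto-managed directory; a
      # user-supplied keysDir is never written to. ssh-keygen creates the
      # private keys 0600 and the .pub files world-readable, which is what
      # `tmate-client-config` relies on when run by an unprivileged user.
      preStart = lib.mkIf (cfg.keysDir == null) ''
        mkdir -p "${defaultKeysDir}"
        if [[ ! -f "${edKey}" ]]; then
          ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f "${edKey}" -N ""
        fi
        if [[ ! -f "${rsaKey}" ]]; then
          ${pkgs.openssh}/bin/ssh-keygen -t rsa -f "${rsaKey}" -N ""
        fi
      '';
    };
  };

  meta = {
    maintainers = with lib.maintainers; [ jlesquembre ];
  };
}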