{
  config,
  lib,
  pkgs,
  ...
}:
let
  inherit (lib)
    mkEnableOption
    mkIf
    mkDefault
    mkOption
    mkPackageOption
    types
    ;

  cfg = config.services.tmate-ssh-server;

  # Where host keys are created when no `keysDir` is supplied.
  generatedKeysDir = "/etc/tmate-ssh-server-keys";
  generatedEd25519Key = "${generatedKeysDir}/ssh_host_ed25519_key";
  generatedRsaKey = "${generatedKeysDir}/ssh_host_rsa_key";

  # Directory the daemon and the client helper actually read keys from:
  # the user-supplied one when set, otherwise the module-managed one.
  effectiveKeysDir = if cfg.keysDir != null then cfg.keysDir else generatedKeysDir;

  # Shell snippet that creates one host key unless it already exists.
  # `-N ""` yields an unencrypted key, which unattended service start requires.
  ensureHostKey = keyType: keyPath: ''
    if [[ ! -f ${keyPath} ]]
    then
      ${pkgs.openssh}/bin/ssh-keygen -t ${keyType} -f ${keyPath} -N ""
    fi
  '';

  # Client-side tmate.conf with placeholders for the server fingerprints;
  # `tmate-client-config` fills them in at runtime from the public host keys.
  clientConfigTemplate = pkgs.writeText "tmate.conf" ''
    set -g tmate-server-host "${cfg.host}"
    set -g tmate-server-port ${toString cfg.port}
    set -g tmate-server-ed25519-fingerprint "@ed25519_fingerprint@"
    set -g tmate-server-rsa-fingerprint "@rsa_fingerprint@"
  '';

  # Prints a ready-to-use client config to stdout: computes the SHA256
  # fingerprints of the public host keys in the effective key directory
  # and substitutes them into the template above.
  clientConfigScript = pkgs.writeShellApplication {
    name = "tmate-client-config";
    runtimeInputs = with pkgs; [
      openssh
      coreutils
    ];
    text = ''
      rsa_fp="$(ssh-keygen -l -E SHA256 -f "${effectiveKeysDir}/ssh_host_rsa_key.pub" | cut -d ' ' -f 2)"
      ed25519_fp="$(ssh-keygen -l -E SHA256 -f "${effectiveKeysDir}/ssh_host_ed25519_key.pub" | cut -d ' ' -f 2)"
      sed "s|@ed25519_fingerprint@|$ed25519_fp|g" ${clientConfigTemplate} | \
        sed "s|@rsa_fingerprint@|$rsa_fp|g"
    '';
  };
in
{
  options.services.tmate-ssh-server = {
    enable = mkEnableOption "tmate ssh server";

    package = mkPackageOption pkgs "tmate-ssh-server" { };

    host = mkOption {
      type = types.str;
      description = "External host name";
      defaultText = lib.literalExpression "config.networking.domain or config.networking.hostName";
      # Prefer the configured domain; fall back to the bare host name.
      default =
        if config.networking.domain != null then config.networking.domain else config.networking.hostName;
    };

    port = mkOption {
      type = types.port;
      description = "Listen port for the ssh server";
      default = 2222;
    };

    openFirewall = mkOption {
      type = types.bool;
      default = false;
      description = "Whether to automatically open the specified ports in the firewall.";
    };

    # No option-level default: the `config` section below sets it to `port`
    # with `mkDefault`, so it can still be overridden by the user.
    advertisedPort = mkOption {
      type = types.port;
      description = "External port advertised to clients";
    };

    keysDir = mkOption {
      type = with types; nullOr str;
      description = "Directory containing ssh keys, defaulting to auto-generation";
      default = null;
    };
  };

  config = mkIf cfg.enable {
    # Only the listen port is opened; `advertisedPort` is merely passed to
    # the daemon via `-q` and does not open anything.
    networking.firewall.allowedTCPPorts = lib.optional cfg.openFirewall cfg.port;

    # Unless overridden, advertise the same port the daemon listens on.
    services.tmate-ssh-server.advertisedPort = mkDefault cfg.port;

    environment.systemPackages = [ clientConfigScript ];

    systemd.services.tmate-ssh-server = {
      description = "tmate SSH Server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      # NOTE(review): no User/DynamicUser is set, so the daemon and the
      # preStart key generation run as root; confirm that is intended.
      serviceConfig.ExecStart = lib.concatStringsSep " " [
        "${cfg.package}/bin/tmate-ssh-server"
        "-h"
        cfg.host
        "-p"
        (toString cfg.port)
        "-q"
        (toString cfg.advertisedPort)
        "-k"
        effectiveKeysDir
      ];
      # Keys are generated only when this module manages the key directory;
      # a user-supplied `keysDir` is expected to already contain both keys.
      preStart = mkIf (cfg.keysDir == null) ''
        if [[ ! -d ${generatedKeysDir} ]]
        then
          mkdir -p ${generatedKeysDir}
        fi
        ${ensureHostKey "ed25519" generatedEd25519Key}
        ${ensureHostKey "rsa" generatedRsaKey}
      '';
    };
  };

  meta.maintainers = [ lib.maintainers.jlesquembre ];
}