Commit 0737e3afb1ca

Vincent Demeester <vincent@sbr.pm>
2022-08-21 11:28:06
systems/modules: move ssh from profile to services
And make some options settable only in kerkouane Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent 0c091df
Changed files (4)
systems/hosts/kerkouane.nix
@@ -131,10 +131,22 @@ in
 
   profiles = {
     git.enable = true;
-    ssh.enable = true;
+    # ssh.enable = true;
     wireguard.server.enable = true;
   };
 
+  modules.services.ssh = {
+    enable = true;
+    extraConfig = ''
+      Match User nginx
+        ChrootDirectory /var/www
+        ForceCommand interfal-sftp
+        AllowTcpForwarding no
+        PermitTunnel no
+        X11Forwarding no
+    '';
+  };
+
   networking.firewall.allowPing = true;
   networking.firewall.allowedTCPPorts = [ 80 443 ];
   security = {
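Review bot: The `ForceCommand interfal-sftp` line moved into the new `modules.services.ssh.extraConfig` block is a typo carried over from the old profile; sshd will try to exec a program called `interfal-sftp` and every nginx login will fail, so the chrooted-SFTP setup this block is meant to provide never works (it fails closed, but it does fail). It should read `ForceCommand internal-sftp`. Worth noting next to the `Match` block that sshd also requires the `ChrootDirectory` (`/var/www`) and all of its parent directories to be root-owned and not group- or world-writable, otherwise the login is refused — a comment such as `# /var/www must be root-owned, mode 0755 or stricter, for ChrootDirectory to be accepted` would save the next debugging session. The enclosing attribute set continues outside the hunk.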
systems/modules/profiles/ssh.nix
@@ -22,25 +22,10 @@ in
     };
   };
   config = mkIf cfg.enable {
-    services = {
-      openssh = {
-        enable = true;
-        startWhenNeeded = false;
-        forwardX11 = cfg.forwardX11;
-        # listenAddresses = map
-        # Move this for kerkouane only
-        extraConfig = ''
-          StreamLocalBindUnlink yes
-          Match User nginx
-            ChrootDirectory /var/www
-            ForceCommand interfal-sftp
-            AllowTcpForwarding no
-            PermitTunnel no
-            X11Forwarding no
-        '';
-      };
-      sshguard.enable = true;
+    warnings = [ "The option 'profiles.ssh' is deprecated, use 'modules.services.ssh' instead" ];
+    modules.services.ssh = {
+      enable = cfg.enable;
+      listenAddresses = cfg.listenAddresses;
+      forwardX11 = cfg.forwardX11;
     };
-    programs.mosh.enable = true;
-  };
-}
+  }
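Review bot: The hunk replaces the closing `  };` and `}` with a bare `  }`, so as shown the file now ends with the `config = mkIf cfg.enable { ... }` attribute unterminated and the top-level module set never closed; the module will not parse. Unless the rendered page dropped a trailing line, the last two lines should be `  };` followed by `}`. Separately, `enable = cfg.enable;` inside `mkIf cfg.enable` is always `true` and could simply be `enable = true;`, though that is cosmetic.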
systems/modules/services/default.nix
@@ -3,6 +3,7 @@
     ./barrier.nix
     ./govanityurl.nix
     ./nix-binary-cache.nix
+    ./ssh.nix
     ./syncthing.nix
     ./wireguard.client.nix
   ];
systems/modules/services/ssh.nix
@@ -0,0 +1,47 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.modules.services.ssh;
+in
+{
+  options = {
+    modules.services.ssh = {
+      enable = mkEnableOption "Enable ssh profile";
+      listenAddresses = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+      };
+      forwardX11 = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to allow X11 connections to be forwarded.
+        '';
+      };
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        description = "Verbatim contents of <filename>sshd_config</filename>.";
+      };
+    };
+  };
+  config = mkIf cfg.enable {
+    warnings = [ "The option 'profiles.ssh' is deprecated, use 'modules.services.ssh' instead" ];
+    services = {
+      openssh = {
+        enable = true;
+        startWhenNeeded = false;
+        forwardX11 = cfg.forwardX11;
+        # listenAddresses = map
+        # Move this for kerkouane only
+        extraConfig = ''
+          StreamLocalBindUnlink yes
+          ${cg.extraConfig}
+        '';
+      };
+      sshguard.enable = true;
+    };
+    programs.mosh.enable = true;
+  };
+}
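Review bot: `${cg.extraConfig}` in the openssh `extraConfig` string refers to an undefined name — the let binding is `cfg` — so enabling `modules.services.ssh` will fail evaluation with an undefined-variable error; it should be `${cfg.extraConfig}`. The `warnings` entry about `profiles.ssh` being deprecated was copied into this new module as well, so every host that uses `modules.services.ssh` directly (the recommended path) will emit the deprecation warning; that line belongs only in the profile shim and should be dropped here. The `listenAddresses` option is declared but never consumed (the `# listenAddresses = map` line is still commented out), so a host that sets it will silently keep sshd bound to all interfaces, which is the opposite of what the option promises; either wire it through, for example `listenAddresses = map (addr: { inherit addr; }) cfg.listenAddresses;` if the upstream submodule shape is what is intended, or document in the option's `description` that it is currently unused. Minor: `mkEnableOption "Enable ssh profile"` renders as "Whether to enable Enable ssh profile.", so `mkEnableOption "the ssh service"` reads better.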