From 45d41414e655cd61bde52402e0a73e1b7bf55333 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Tue, 16 Apr 2024 03:05:36 -0700
Subject: [PATCH] feat(exports): sshd service
---
 modules/system/exports/sshd.nix | 41 ++++++++++++++++++++++++++++++++
 systems/aya/default.nix | 1 +
 systems/ct/default.nix | 5 ++++
 systems/freeipa/default.nix | 4 ++++
 systems/freepbx/default.nix | 4 ++++
 systems/hakurei/default.nix | 8 +++++++
 systems/keycloak/default.nix | 1 +
 systems/kitchencam/default.nix | 4 ++++
 systems/kuwubernetes/default.nix | 5 ++++
 systems/litterbox/default.nix | 1 +
 systems/mediabox/default.nix | 1 +
 systems/reimu/default.nix | 1 +
 systems/tei/default.nix | 1 +
 systems/utsuho/default.nix | 1 +
 14 files changed, 78 insertions(+)
 create mode 100644 modules/system/exports/sshd.nix
diff --git a/modules/system/exports/sshd.nix b/modules/system/exports/sshd.nix
new file mode 100644
index 00000000..34bc219c
--- /dev/null
+++ b/modules/system/exports/sshd.nix
@@ -0,0 +1,41 @@
+{lib, gensokyo-zone, ...}: let
+ inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
+ inherit (lib.modules) mkIf;
+ inherit (lib.attrsets) mapAttrs filterAttrs mapAttrsToList;
+ inherit (lib.lists) sort;
+in {
+ config.exports.services.sshd = { config, ... }: let
+ mkAssertion = f: nixosConfig: let
+ cfg = nixosConfig.services.openssh;
+ in f nixosConfig cfg;
+ sorted = sort (a: b: a > b);
+ assertPorts = nixosConfig: cfg: let
+ nixosPorts = cfg.ports;
+ enabledPorts = filterAttrs (_: port: port.enable) config.ports;
+ servicePorts = mapAttrsToList (_: port: port.port) enabledPorts;
+ in {
+ assertion = sorted nixosPorts == sorted servicePorts;
+ message = "port mismatch: ${toString nixosPorts} != ${toString servicePorts}";
+ };
+ in {
+ id = mkAlmostOptionDefault "ssh";
+ nixos = {
+ serviceAttr = "openssh";
+ assertions = mkIf config.enable [
+ (mkAssertion assertPorts)
+ ];
+ };
+ defaults.port.listen = mkAlmostOptionDefault "wan";
+ ports = mapAttrs (_: mapAlmostOptionDefaults) {
+ public = {
+ port = 62954;
+ transport = "tcp";
+ };
+ standard = {
+ port = 22;
+ transport = "tcp";
+ listen = "lan";
+ };
+ };
+ };
+}
diff --git a/systems/aya/default.nix b/systems/aya/default.nix
index dfed7948..cb8a7a98 100644
--- a/systems/aya/default.nix
+++ b/systems/aya/default.nix
@@ -9,6 +9,7 @@ _: {
 ];
 exports = {
 services = {
+ sshd.enable = true;
 tailscale.enable = true;
 };
 };
diff --git a/systems/ct/default.nix b/systems/ct/default.nix
index 8760b2a2..a9f80db6 100644
--- a/systems/ct/default.nix
+++ b/systems/ct/default.nix
@@ -11,4 +11,9 @@ _: {
 address6 = null;
 };
 };
+ exports = {
+ services = {
+ sshd.enable = true;
+ };
+ };
 }
diff --git a/systems/freeipa/default.nix b/systems/freeipa/default.nix
index f8fa3461..743b539e 100644
--- a/systems/freeipa/default.nix
+++ b/systems/freeipa/default.nix
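Review bot: `defaults.port.listen = mkAlmostOptionDefault "wan"` makes WAN exposure the default for any port that does not set `listen`, so `public` (62954) is WAN-facing on every host that only sets `sshd.enable = true`, and hosts wanting LAN-only SSH must opt out the way freeipa, freepbx and kitchencam do in this same patch. Inverting it — `defaults.port.listen = mkAlmostOptionDefault "lan";` plus an explicit `listen = "wan";` inside `public` — yields the same result on every host touched here while making exposure opt-in for ports added later (what `listen` feeds, firewall or DNS or both, is not visible in this hunk, so this assumes it is what gates reachability). Separately, the only assertion checks that `cfg.ports` matches the exported ports; since the module now exports sshd on wan, it could also assert that a WAN-facing export is not running with password authentication, along the lines below, provided `services.openssh.settings.PasswordAuthentication` exists in the nixpkgs this repo tracks. A short comment on `public` would also help, e.g. `# non-standard port exposed to wan; 22 stays lan-only`.
```nix
    # … unchanged: mkAssertion, sorted, assertPorts …
    assertWanAuth = nixosConfig: cfg: let
      wanPorts = filterAttrs (_: port: port.enable && port.listen == "wan") config.ports;
    in {
      assertion = wanPorts == {} || !(cfg.settings.PasswordAuthentication or true);
      message = "sshd is exported on wan but services.openssh.settings.PasswordAuthentication is not false";
    };
  in {
    # … unchanged: id …
    nixos = {
      serviceAttr = "openssh";
      assertions = mkIf config.enable [
        (mkAssertion assertPorts)
        (mkAssertion assertWanAuth)
      ];
    };
    # … unchanged: defaults, ports …
```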
@@ -32,6 +32,10 @@ _: {
 };
 exports = {
 services = {
+ sshd = {
+ enable = true;
+ ports.public.enable = false;
+ };
 freeipa.enable = true;
 ldap.enable = true;
 kerberos.enable = true;
diff --git a/systems/freepbx/default.nix b/systems/freepbx/default.nix
index cc6054df..fb17c1b0 100644
--- a/systems/freepbx/default.nix
+++ b/systems/freepbx/default.nix
@@ -16,6 +16,10 @@ _: {
 };
 exports = {
 services = {
+ sshd = {
+ enable = true;
+ ports.public.enable = false;
+ };
 freepbx.enable = true;
 };
 };
diff --git a/systems/hakurei/default.nix b/systems/hakurei/default.nix
index b4cc01eb..e1174fa8 100644
--- a/systems/hakurei/default.nix
+++ b/systems/hakurei/default.nix
@@ -24,6 +24,14 @@ _: {
 enable = true;
 id = "login.local";
 };
+ sshd = {
+ enable = true;
+ ports.global = {
+ port = 41022;
+ transport = "tcp";
+ listen = "wan";
+ };
+ };
 };
 exports = {
 plex.enable = true;
diff --git a/systems/keycloak/default.nix b/systems/keycloak/default.nix
index 9883aa89..28166e86 100644
--- a/systems/keycloak/default.nix
+++ b/systems/keycloak/default.nix
@@ -9,6 +9,7 @@ _: {
 ];
 exports = {
 services = {
+ sshd.enable = true;
 keycloak.enable = true;
 vouch-proxy.enable = true;
 };
diff --git a/systems/kitchencam/default.nix b/systems/kitchencam/default.nix
index f47d7670..5f19260b 100644
--- a/systems/kitchencam/default.nix
+++ b/systems/kitchencam/default.nix
@@ -17,6 +17,10 @@ _: {
 };
 exports = {
 services = {
+ sshd = {
+ enable = true;
+ ports.public.enable = false;
+ };
 motion = {
 id = "kitchen";
 enable = true;
diff --git a/systems/kuwubernetes/default.nix b/systems/kuwubernetes/default.nix
index 40558a4b..8182fe80 100644
--- a/systems/kuwubernetes/default.nix
+++ b/systems/kuwubernetes/default.nix
@@ -19,4 +19,9 @@ _: {
 };
 };
 };
+ exports = {
+ services = {
+ sshd.enable = true;
+ };
+ };
 }
diff --git a/systems/litterbox/default.nix b/systems/litterbox/default.nix
index dfed7948..cb8a7a98 100644
--- a/systems/litterbox/default.nix
+++ b/systems/litterbox/default.nix
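Review bot: In the hakurei hunk, `ports.global` adds a second WAN-facing SSH listener on 41022 while the module's `public` port (62954, WAN by default) stays enabled, so this host ends up with two WAN ports plus 22 on lan. If only one WAN port is intended, add `ports.public.enable = false;` next to `enable = true;` as freeipa and freepbx do in this patch; if both are intended, a comment such as `# second wan port kept alongside public for <reason>` would keep a future cleanup from dropping one without knowing why. The attribute set this `sshd` block lives in starts outside the hunk, so whether it is `exports.services` cannot be confirmed from here.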
@@ -9,6 +9,7 @@ _: {
 ];
 exports = {
 services = {
+ sshd.enable = true;
 tailscale.enable = true;
 };
 };
diff --git a/systems/mediabox/default.nix b/systems/mediabox/default.nix
index 28997677..bb74d79a 100644
--- a/systems/mediabox/default.nix
+++ b/systems/mediabox/default.nix
@@ -9,6 +9,7 @@ _: {
 ];
 exports = {
 services = {
+ sshd.enable = true;
 plex.enable = true;
 invidious.enable = true;
 };
diff --git a/systems/reimu/default.nix b/systems/reimu/default.nix
index 795b5857..ec9c3369 100644
--- a/systems/reimu/default.nix
+++ b/systems/reimu/default.nix
@@ -9,6 +9,7 @@ _: {
 ];
 exports = {
 services = {
+ sshd.enable = true;
 tailscale.enable = true;
 nfs.enable = true;
 };
diff --git a/systems/tei/default.nix b/systems/tei/default.nix
index 44bea27e..803d26d0 100644
--- a/systems/tei/default.nix
+++ b/systems/tei/default.nix
@@ -9,6 +9,7 @@ _: {
 ];
 exports = {
 services = {
+ sshd.enable = true;
 tailscale.enable = true;
 home-assistant.enable = true;
 zigbee2mqtt.enable = true;
diff --git a/systems/utsuho/default.nix b/systems/utsuho/default.nix
index 879dfb0f..37ef9195 100644
--- a/systems/utsuho/default.nix
+++ b/systems/utsuho/default.nix
@@ -9,6 +9,7 @@ _: {
 ];
 exports = {
 services = {
+ sshd.enable = true;
 unifi.enable = true;
 mosquitto.enable = true;
 dnsmasq.enable = true;