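# SSH module for this host: sshd on a non-default port with key-only auth,
# host key and authorized keys provisioned through agenix, plus alex's
# client-side match block for git.ppp.pm.
{ pkgs, lib, config, ... }:
let
  enabled = config.mod.ssh.enable;

  # Directory holding the public keys that may log in as alex. Populated by
  # the agenix secrets below, read by the AuthorizedKeysCommand script.
  authorizedKeysPath = "/home/alex/.ssh/authorized-keys";

  # Where the decrypted sshd host key pair is placed.
  rootSSHKeyPath = "/etc/ssh";
in
{
  options = {
    mod.ssh = {
      enable = lib.mkEnableOption "enable ssh module";
    };
  };

  config = lib.mkIf enabled {
    home-manager.users.alex = {
      programs.ssh = {
        enable = true;
        matchBlocks = {
          "git.ppp.pm" = {
            hostname = "git.ppp.pm";
            identityFile = "/home/alex/.ssh/alex.manatee-git.ppp.pm";
          };
        };
      };
    };

    # sshd runs this script (as authorizedKeysCommandUser) for every login
    # attempt and passes the target username as the first argument. The
    # previous version ignored that argument and printed alex's keys for
    # whatever account was being authenticated, including root; the guard
    # below limits the keys to the account they belong to, and nullglob keeps
    # the loop from handing a literal glob pattern to cat when the directory
    # is empty.
    environment.etc."ssh/authorized_keys_command" = {
      mode = "0755";
      text = ''
        #!${pkgs.bash}/bin/bash
        # $1 is the username sshd is authenticating; serve keys for alex only.
        [ "$1" = "alex" ] || exit 0
        shopt -s nullglob
        for file in ${authorizedKeysPath}/*; do
          [ -f "$file" ] || continue
          ${pkgs.coreutils}/bin/cat "$file"
        done
      '';
    };

    services = {
      openssh = {
        enable = true;
        ports = [ 1122 ];
        hostKeys = [
          {
            path = "${rootSSHKeyPath}/root.manatee";
            type = "ed25519";
          }
        ];
        settings = {
          # Key-based authentication only.
          PasswordAuthentication = false;
          KbdInteractiveAuthentication = false;
        };
        authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
        # Runs as root so it can read the root-owned agenix-managed key files
        # under authorizedKeysPath.
        authorizedKeysCommandUser = "root";
      };
    };

    networking = {
      firewall = {
        # Must match services.openssh.ports above.
        allowedTCPPorts = [ 1122 ];
      };
    };

    age.secrets = {
      # sshd host key pair.
      "root.manatee" = {
        file = ../../../../secrets/manatee/root.manatee.age;
        path = "${rootSSHKeyPath}/root.manatee";
      };
      "root.manatee.pub" = {
        file = ../../../../secrets/manatee/root.manatee.pub.age;
        path = "${rootSSHKeyPath}/root.manatee.pub";
      };

      # Public keys of the machines allowed to log in as alex; these are what
      # the AuthorizedKeysCommand script prints.
      "alex.pinwheel-manatee.pub" = {
        file = ../../../../secrets/pinwheel/alex.pinwheel-manatee.pub.age;
        path = "${authorizedKeysPath}/alex.pinwheel-manatee.pub";
      };
      "alex.backwards-manatee.pub" = {
        file = ../../../../secrets/backwards/alex.backwards-manatee.pub.age;
        path = "${authorizedKeysPath}/alex.backwards-manatee.pub";
      };

      # alex's client key pair for git.ppp.pm (see the home-manager match
      # block above); owned by alex so the ssh client can read it.
      "alex.manatee-git.ppp.pm" = {
        file = ../../../../secrets/manatee/alex.manatee-git.ppp.pm.age;
        path = "/home/alex/.ssh/alex.manatee-git.ppp.pm";
        owner = "alex";
        group = "users";
      };
      "alex.manatee-git.ppp.pm.pub" = {
        file = ../../../../secrets/manatee/alex.manatee-git.ppp.pm.pub.age;
        path = "/home/alex/.ssh/alex.manatee-git.ppp.pm.pub";
        owner = "alex";
        group = "users";
      };
    };
  };
}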