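# NixOS module `mod.ssh`: sshd on a non-default port with host key and
# authorized keys delivered as age secrets, plus an ssh client match block for
# the user `alex` (via home-manager).
#
# Authorized keys are not read from ~/.ssh/authorized_keys; instead sshd runs
# an AuthorizedKeysCommand (as root) that concatenates every file placed in
# `authorizedKeysPath`. sshd invokes that command for *every* login attempt,
# including root, so the script below must restrict its answer to the account
# the keys belong to: the directory lives under alex's home, and a key list
# that is returned unconditionally would let keys controlled by that user
# authorize logins as root (NixOS leaves PermitRootLogin at its default here,
# which does not block public-key root login).
{ pkgs, lib, config, ... }:
let
  enabled = config.mod.ssh.enable;
  # Account whose keys the AuthorizedKeysCommand serves; every other login
  # name (root included) gets an empty answer.
  authorizedKeysUser = "alex";
  authorizedKeysPath = "/home/alex/.ssh/authorized-keys";
  rootSSHKeyPath = "/etc/ssh";
in
{
  options = {
    mod.ssh = {
      enable = lib.mkEnableOption "enable ssh module";
    };
  };

  config = lib.mkIf enabled {
    home-manager.users.alex = {
      programs.ssh = {
        enable = true;
        matchBlocks = {
          "codeberg.org" = {
            hostname = "codeberg.org";
            identityFile = "/home/alex/.ssh/alex.backwards-codeberg.org";
          };
        };
      };
    };

    # sshd requires this file to be root-owned, absolute and not writable by
    # group/others; 0755 satisfies that.
    environment.etc."ssh/authorized_keys_command" = {
      mode = "0755";
      text = ''
        #!${pkgs.bash}/bin/bash
        # With no arguments configured on AuthorizedKeysCommand, sshd passes
        # the login name being authenticated as $1. Answer only for the
        # intended account so the key files under that user's home never
        # authorize root or any other user.
        [ "$1" = "${authorizedKeysUser}" ] || exit 0
        # An empty directory must yield no output rather than a literal "*".
        shopt -s nullglob
        for file in ${authorizedKeysPath}/*; do
          ${pkgs.coreutils}/bin/cat "$file"
        done
      '';
    };

    services = {
      openssh = {
        enable = true;
        ports = [ 1122 ];
        # Host key is the age-decrypted secret below, not a generated one.
        hostKeys = [{
          path = "${rootSSHKeyPath}/root.backwards";
          type = "ed25519";
        }];
        # Public-key authentication only.
        settings = {
          PasswordAuthentication = false;
          KbdInteractiveAuthentication = false;
        };
        authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
        authorizedKeysCommandUser = "root";
      };
    };

    networking = {
      firewall = {
        allowedTCPPorts = [ 1122 ];
      };
    };

    # Secrets without owner/group fall back to agenix defaults (root-owned),
    # which is what the root-run AuthorizedKeysCommand and sshd need; the
    # client identity for alex is owned by alex so the ssh client can read it.
    age.secrets = {
      "root.backwards" = {
        file = ../../../../secrets/backwards/root.backwards.age;
        path = "${rootSSHKeyPath}/root.backwards";
      };
      "root.backwards.pub" = {
        file = ../../../../secrets/backwards/root.backwards.pub.age;
        path = "${rootSSHKeyPath}/root.backwards.pub";
      };
      "alex.pinwheel-backwards.pub" = {
        file = ../../../../secrets/pinwheel/alex.pinwheel-backwards.pub.age;
        path = "${authorizedKeysPath}/alex.pinwheel-backwards.pub";
      };
      "alex.backwards-codeberg.org" = {
        file = ../../../../secrets/backwards/alex.backwards-codeberg.org.age;
        path = "/home/alex/.ssh/alex.backwards-codeberg.org";
        owner = "alex";
        group = "users";
      };
      "alex.backwards-codeberg.org.pub" = {
        file = ../../../../secrets/backwards/alex.backwards-codeberg.org.pub.age;
        path = "/home/alex/.ssh/alex.backwards-codeberg.org.pub";
        owner = "alex";
        group = "users";
      };
    };
  };
}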