feat(ssh/openssh): overhauling ssh and openssh modules

2025-09-10 18:50:49 +02:00
parent 00acad3833
commit 65de9592a0
10 changed files with 176 additions and 105 deletions
--- a/modules/nixos/services/openssh/default.nix
+++ b/modules/nixos/services/openssh/default.nix
@@ -1,19 +1,43 @@
 {
  config,
+  outputs,
  lib,
+  self,
  ...
 }:
 let
+  hosts = lib.attrNames outputs.nixosConfigurations;
  inherit (lib) mkIf mkEnableOption;
  cfg = config.nixos.services.openssh;
+
+  hostsWithKeys = builtins.filter (
+    hostname: builtins.pathExists "${self}/hosts/${hostname}/ssh_host_ed25519_key.pub"
+  ) hosts;
 in
 {
  options = {
-    nixos.services.openssh.enable = mkEnableOption "Enables openssh";
+    nixos.services.openssh = {
+      enable = mkEnableOption "Enables openssh";
+    };
  };
+
  config = mkIf cfg.enable {
+    programs.ssh = {
+      knownHosts = lib.genAttrs hostsWithKeys (hostname: {
+        publicKeyFile = "${self}/hosts/${hostname}/ssh_host_ed25519_key.pub";
+      });
+    };
+
    services.openssh = {
      enable = true;
+      settings = {
+        AcceptEnv = "WAYLAND_DISPLAY";
+        GatewayPorts = "clientspecified";
+        PasswordAuthentication = false;
+        PermitRootLogin = "no";
+        StreamLocalBindUnlink = "yes";
+        X11Forwarding = true;
+      };
    };
  };
 }