feat(ssh/openssh): overhauling ssh and openssh modules

hosts/default.nix

@@ -20,11 +20,13 @@
       smodPath = "${self}/modules/system";
 
       inherit (inputs.nixpkgs.lib) nixosSystem;
+      inherit (self) outputs;
 
       specialArgs = {
         inherit
           cLib
           inputs
+          outputs
           self
           userConfig
           systemConfig

hosts/kima/ssh_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJjoPdpiF8pjKN3ZEHeLEwVxoqwcCdzpVVlZkxJohFdg root@cnix

hosts/sobotka/modules.nix

@@ -65,6 +65,7 @@
       };
       fish = {
         enable = true;
+        homeless.enable = true;
       };
       gamemode = {
         enable = false;

hosts/ziggy/modules.nix

@@ -65,6 +65,7 @@
       };
       fish = {
         enable = true;
+        homeless.enable = true;
       };
       gamemode = {
         enable = false;

modules/home/programs/fish/default.nix

@@ -25,7 +25,6 @@ in
       ];
       shellAbbrs = {
         extract = "extract.sh";
-        nixcleanboot = "sudo nix run /home/$USER/.nix-config#cleanup-boot";
         nixclean = "nh clean all --keep 3";
         nixdev = "nix develop ~/.nix-config -c $SHELL";
         nixup = "nh os switch -H $hostname";

modules/home/programs/ssh/default.nix

@@ -1,9 +1,16 @@
 {
+  outputs,
   config,
   lib,
   ...
 }:
 let
+  nixosConfigs = builtins.attrNames outputs.nixosConfigurations;
+  homeConfigs = map (n: lib.last (lib.splitString "@" n)) (
+    builtins.attrNames outputs.homeConfigurations
+  );
+  hostnames = lib.unique (homeConfigs ++ nixosConfigs);
+
   inherit (lib) mkIf mkEnableOption;
   cfg = config.home.programs.ssh;
 in
@@ -13,8 +20,23 @@ in
   };
   config = mkIf cfg.enable {
     programs.ssh = {
-      enable = true;
+      matchBlocks = {
-      userKnownHostsFile = "~/.ssh/known_hosts";
+        net = {
+          host = lib.concatStringsSep " " (
+            lib.flatten (
+              map (host: [
+                host
+                "${host}.local"
+              ]) hostnames
+            )
+          );
+          extraOptions.StreamLocalBindUnlink = "yes";
+          forwardAgent = true;
+          forwardX11 = true;
+          forwardX11Trusted = true;
+          setEnv.WAYLAND_DISPLAY = "wayland-waypipe";
+        };
+      };
     };
   };
 }

modules/nixos/programs/fish/default.nix

@@ -7,25 +7,26 @@
 let
   inherit (lib.meta) getExe;
   inherit (pkgs) eza bat;
-  inherit (lib) mkIf mkEnableOption;
+  inherit (lib) mkIf mkEnableOption mkMerge;
   cfg = config.nixos.programs.fish;
 in
 {
   options = {
-    nixos.programs.fish.enable = mkEnableOption "Enables fish shell";
+    nixos.programs.fish = {
+      enable = mkEnableOption "Enables fish shell";
+      homeless.enable = mkEnableOption "Enables features for homeless environments";
     };
-  config = mkIf cfg.enable {
+  };
+
+  config = mkMerge [
+    (mkIf cfg.enable {
+      programs.fish.enable = true;
+    })
+
+    (mkIf cfg.homeless.enable {
       programs.fish = {
-      enable = true;
-      # plugins = [
-      #   {
-      #     name = "hydro";
-      #     src = pkgs.fishPlugins.hydro;
-      #   }
-      # ];
         shellAbbrs = {
           extract = "extract.sh";
-        nixcleanboot = "sudo nix run /home/$USER/.nix-config#cleanup-boot";
           nixclean = "nh clean all --keep 3";
           nixdev = "nix develop ~/.nix-config -c $SHELL";
           nixup = "nh os switch -H $hostname";
@@ -54,18 +55,6 @@ in
           # Clear screen and scrollback
           clear = "printf '\\033[2J\\033[3J\\033[1;1H'";
         };
-      # functions = {
-      #   # Disable greeting
-      #   fish_greeting = "";
-      #   # Merge history when pressing up
-      #   up-or-search = lib.readFile ./up-or-search.fish;
-      #   # Check stuff in PATH
-      #   nix-inspect =
-      #     # fish
-      #     ''
-      #       set -s PATH | grep "PATH\[.*/nix/store" | cut -d '|' -f2 |  grep -v -e "-man" -e "-terminfo" | perl -pe 's:^/nix/store/\w{32}-([^/]*)/bin$:\1:' | sort | uniq
-      #     '';
-      # };
         interactiveShellInit =
           # fish
           ''
@@ -107,10 +96,8 @@ in
             set -x fish_pager_color_description   yellow
             set -x fish_pager_color_prefix        'white' '--bold' '--underline'
             set -x fish_pager_color_progress      'brwhite' '--background=cyan'
-
-          microfetch
           '';
-
-    };
       };
+    })
+  ];
 }

modules/nixos/programs/ssh/default.nix

@@ -0,0 +1,34 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (lib) mkIf mkEnableOption;
+  cfg = config.nixos.services.openssh;
+in
+{
+  options = {
+    nixos.services.openssh = {
+      enable = mkEnableOption "Enables ssh";
+    };
+  };
+  config = mkIf cfg.enable {
+    programs.ssh = {
+      knownHosts = {
+        publicKeyFile = /etc/ssh/ssh_host_ed25519_key.pub;
+      };
+    };
+    services.openssh = {
+      enable = true;
+      settings = {
+        AcceptEnv = "WAYLAND_DISPLAY";
+        GatewayPorts = "clientspecified";
+        PasswordAuthentication = false;
+        PermitRootLogin = "no";
+        StreamLocalBindUnlink = "yes";
+        X11Forwarding = true;
+      };
+    };
+  };
+}

modules/nixos/services/openssh/default.nix

@@ -1,19 +1,43 @@
 {
   config,
+  outputs,
   lib,
+  self,
   ...
 }:
 let
+  hosts = lib.attrNames outputs.nixosConfigurations;
   inherit (lib) mkIf mkEnableOption;
   cfg = config.nixos.services.openssh;
+
+  hostsWithKeys = builtins.filter (
+    hostname: builtins.pathExists "${self}/hosts/${hostname}/ssh_host_ed25519_key.pub"
+  ) hosts;
 in
 {
   options = {
-    nixos.services.openssh.enable = mkEnableOption "Enables openssh";
+    nixos.services.openssh = {
+      enable = mkEnableOption "Enables openssh";
     };
+  };
+
   config = mkIf cfg.enable {
+    programs.ssh = {
+      knownHosts = lib.genAttrs hostsWithKeys (hostname: {
+        publicKeyFile = "${self}/hosts/${hostname}/ssh_host_ed25519_key.pub";
+      });
+    };
+
     services.openssh = {
       enable = true;
+      settings = {
+        AcceptEnv = "WAYLAND_DISPLAY";
+        GatewayPorts = "clientspecified";
+        PasswordAuthentication = false;
+        PermitRootLogin = "no";
+        StreamLocalBindUnlink = "yes";
+        X11Forwarding = true;
+      };
     };
   };
 }

users/cnst/modules/kimamod.nix

@@ -27,7 +27,7 @@
         enable = true;
       };
       fish = {
-        enable = false;
+        enable = true;
       };
       foot = {
         enable = true;