feat(ssh): add enable option

home/hosts/andromache/default.nix

@@ -59,6 +59,7 @@
   shell.bash.aliases.lang-js = true;
   shell.bash.addBinToPath = true;
   audio.enable = true;
+  ssh.enable = true;
   music.enable = true;
   terminal.enable = true;
   devenv.enable = true;

home/hosts/astyanax/default.nix

@@ -56,6 +56,7 @@
   shell.bash.addBinToPath = true;
   my.yubikey.enable = true;
   audio.enable = true;
+  ssh.enable = true;
   music.enable = true;
   terminal.enable = true;
   devenv.enable = true;

home/modules/ssh/default.nix

@@ -1,10 +1,13 @@
 {
-  myUtils,
+  config,
   lib,
   pkgs,
+  myUtils,
   ...
 }:
+
 let
+  cfg = config.ssh;
   hostDir = ../../hosts;
   hostNames = myUtils.dirNames hostDir;
   hostsWithKeys = lib.filter (
@@ -12,31 +15,35 @@ let
   ) hostNames;
 in
 {
-  home.packages = with pkgs; [ sshfs ];
+  options.ssh.enable = lib.mkEnableOption "ssh";
 
-  programs.ssh = {
+  config = lib.mkIf cfg.enable {
-    enable = true;
+    home.packages = with pkgs; [ sshfs ];
-    enableDefaultConfig = false;
 
-    matchBlocks =
+    programs.ssh = {
-      lib.genAttrs hostsWithKeys (
+      enable = true;
-        hostname:
+      enableDefaultConfig = false;
-        let
+
-          meta = myUtils.hostMeta (hostDir + "/${hostname}");
+      matchBlocks =
-        in
+        lib.genAttrs hostsWithKeys (
-        {
+          hostname:
-          host = hostname;
+          let
-          user = meta.deployment.targetUser;
+            meta = myUtils.hostMeta (hostDir + "/${hostname}");
-        }
+          in
-        // lib.optionalAttrs (meta.deployment.targetHost != "") {
+          {
-          hostname = meta.deployment.targetHost;
+            host = hostname;
-        }
+            user = meta.deployment.targetUser;
-      )
+          }
-      // {
+          // lib.optionalAttrs (meta.deployment.targetHost != "") {
-        "*" = {
+            hostname = meta.deployment.targetHost;
-          addKeysToAgent = "yes";
+          }
-          forwardAgent = false;
+        )
+        // {
+          "*" = {
+            addKeysToAgent = "yes";
+            forwardAgent = false;
+          };
         };
-      };
+    };
   };
 }

modules/ssh/authorized-keys.nix

@@ -16,16 +16,17 @@ in
     };
   };
 
-  # auto generate authorized_keys from `authorizedHosts`
+  config = lib.mkIf config.ssh.enable {
-  config.users.users.${username}.openssh.authorizedKeys.keys =
+    users.users.${username}.openssh.authorizedKeys.keys =
-    lib.flatten (
+      lib.flatten (
-      map (
+        map (
-        hostname:
+          hostname:
-        let
+          let
-          keyFile = ../../hosts/${hostname}/ssh_user.pub;
+            keyFile = ../../hosts/${hostname}/ssh_user.pub;
-        in
+          in
-        lib.optionals (builtins.pathExists keyFile) (lib.splitString "\n" (builtins.readFile keyFile))
+          lib.optionals (builtins.pathExists keyFile) (lib.splitString "\n" (builtins.readFile keyFile))
-      ) ((builtins.filter (h: h != config.host.name) adminHosts) ++ config.ssh.authorizedHosts)
+        ) ((builtins.filter (h: h != config.host.name) adminHosts) ++ config.ssh.authorizedHosts)
-    )
+      )
-    ++ lib.splitString "\n" (builtins.readFile ./ssh_bak.pub);
+      ++ lib.splitString "\n" (builtins.readFile ./ssh_bak.pub);
+  };
 }

modules/ssh/default.nix

@@ -1,10 +1,17 @@
-{ lib, ... }:
+{ lib, config, ... }:
 
+let
+  cfg = config.ssh;
+in
 {
   imports = [ ./hardened-openssh.nix ];
 
-  config.services.openssh = {
+  options.ssh.enable = lib.mkEnableOption "SSH server";
-    enable = lib.mkDefault true;
+
-    harden = lib.mkDefault true;
+  config = lib.mkIf cfg.enable {
+    services.openssh = {
+      enable = lib.mkDefault true;
+      harden = lib.mkDefault true;
+    };
   };
 }

modules/ssh/extract-keys.nix

@@ -1,32 +1,34 @@
 { lib, config, ... }:
+
 let
   inherit (config.host) username;
 in
 {
-  # auto extract SSH keys
+  config = lib.mkIf config.ssh.enable {
-  system.activationScripts.extractSshKeys = lib.stringAfter [ "etc" ] ''
+    system.activationScripts.extractSshKeys = lib.stringAfter [ "etc" ] ''
-    HOST_KEY="/etc/ssh/ssh_host_ed25519_key.pub"
+      HOST_KEY="/etc/ssh/ssh_host_ed25519_key.pub"
-    HOST_DIR="/home/${username}/nix/hosts/${config.networking.hostName}"
+      HOST_DIR="/home/${username}/nix/hosts/${config.networking.hostName}"
 
-    if [ -f "$HOST_KEY" ] && [ -d "$HOST_DIR" ]; then
+      if [ -f "$HOST_KEY" ] && [ -d "$HOST_DIR" ]; then
-      cp "$HOST_KEY" "$HOST_DIR/ssh_host.pub"
+        cp "$HOST_KEY" "$HOST_DIR/ssh_host.pub"
-      chown ${username}:users "$HOST_DIR/ssh_host.pub"
+        chown ${username}:users "$HOST_DIR/ssh_host.pub"
-      chmod 644 "$HOST_DIR/ssh_host.pub"
+        chmod 644 "$HOST_DIR/ssh_host.pub"
-    fi
-
-    USER_KEY=""
-    for candidate in \
-        "/home/${username}/.ssh/id_ed25519_sk.pub" \
-        "/home/${username}/.ssh/id_ed25519.pub"; do
-      if [ -f "$candidate" ]; then
-        USER_KEY="$candidate"
-        break
       fi
-    done
+
-    if [ -n "$USER_KEY" ] && [ -d "$HOST_DIR" ]; then
+      USER_KEY=""
-      cp "$USER_KEY" "$HOST_DIR/ssh_user.pub"
+      for candidate in \
-      chown ${username}:users "$HOST_DIR/ssh_user.pub"
+          "/home/${username}/.ssh/id_ed25519_sk.pub" \
-      chmod 644 "$HOST_DIR/ssh_user.pub"
+          "/home/${username}/.ssh/id_ed25519.pub"; do
-    fi
+        if [ -f "$candidate" ]; then
-  '';
+          USER_KEY="$candidate"
+          break
+        fi
+      done
+      if [ -n "$USER_KEY" ] && [ -d "$HOST_DIR" ]; then
+        cp "$USER_KEY" "$HOST_DIR/ssh_user.pub"
+        chown ${username}:users "$HOST_DIR/ssh_user.pub"
+        chmod 644 "$HOST_DIR/ssh_user.pub"
+      fi
+    '';
+  };
 }

modules/ssh/hardened-openssh.nix

@@ -1,5 +1,7 @@
 { lib, config, ... }:
+
 with lib;
+
 let
   cfg = config.services.openssh;
 in
@@ -13,7 +15,7 @@ in
   options.services.openssh.harden = mkEnableOption "harden ssh server configuration";
 
   config = {
-    networking.firewall.allowedTCPPorts = [ 22 ];
+    networking.firewall.allowedTCPPorts = lib.mkIf config.ssh.enable [ 22 ];
 
     services.openssh.settings = optionalAttrs cfg.harden {
       PermitRootLogin = "no";

modules/ssh/known-hosts.nix

@@ -4,6 +4,7 @@
   outputs,
   ...
 }:
+
 let
   hosts = lib.attrNames outputs.nixosConfigurations;
   hostsWithKeys = lib.filter (
@@ -11,9 +12,10 @@ let
   ) hosts;
 in
 {
-  # auto generate known_hosts for all hosts in flake
+  config = lib.mkIf config.ssh.enable {
-  programs.ssh.knownHosts = lib.genAttrs hostsWithKeys (hostname: {
+    programs.ssh.knownHosts = lib.genAttrs hostsWithKeys (hostname: {
-    publicKeyFile = ../../hosts/${hostname}/ssh_host.pub;
+      publicKeyFile = ../../hosts/${hostname}/ssh_host.pub;
-    extraHostNames = lib.optional (hostname == config.networking.hostName) "localhost";
+      extraHostNames = lib.optional (hostname == config.networking.hostName) "localhost";
-  });
+    });
+  };
 }