nixos/modules/system/ssh.nix

{
  config,
  pkgs,
  username,
  hostname,
  lib,
  ...
}: let
  # Load all public keys from ../../secrets/hosts/*/id_ed25519.pub
  allHosts = lib.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir ../../secrets/hosts));
  publicKeys = map (x: builtins.readFile (../../secrets/hosts + ("/" + x) + "/id_ed25519.pub")) allHosts;
  workEnabled = config.fireproof.work.enable;
in {
  age.secrets.ssh-key = {
    rekeyFile = ../../secrets/hosts + ("/" + hostname) + /id_ed25519.age;
    path = "/home/" + username + "/.ssh/id_ed25519";
    mode = "0600";
    owner = username;
  };
  age.secrets.ssh-key-ao = lib.mkIf workEnabled {
    rekeyFile = ../../secrets/ssh-key-ao.age;
    mode = "0600";
    owner = username;
  };

  fireproof.home-manager = {
    home.file.".ssh/id_ed25519.pub".source = ../../secrets/hosts + ("/" + hostname) + "/id_ed25519.pub";
    programs.ssh = {
      enable = true;
      enableDefaultConfig = false;
      matchBlocks =
        {
          "*" = {
            identityFile = "${config.age.secrets.ssh-key.path}";
            forwardAgent = true;
            serverAliveInterval = 60;
            serverAliveCountMax = 10;
          };
          homelab = {
            hostname = "x.nickolaj.com";
            user = "nickolaj";
          };
        }
        // lib.optionalAttrs workEnabled {
          # Work hostnames definded in ./networking.nix
          "bastion.ao" = {
            user = "nij";
            identityFile = "${config.age.secrets.ssh-key-ao.path}";
          };
          "clickhouse.ao" = {
            user = "ubuntu";
            hostname = "51.158.205.48";
            identityFile = "${config.age.secrets.ssh-key-ao.path}";
          };
          "flex.ao" = {
            user = "nij";
            hostname = "192.168.2.5";
            proxyJump = "bastion.ao";
            identityFile = "${config.age.secrets.ssh-key-ao.path}";
          };
          "scw.ao" = {
            user = "nij";
            hostname = "51.15.81.1";
            proxyJump = lib.mkDefault "dev.ao";
            identityFile = "${config.age.secrets.ssh-key-ao.path}";
          };
          "dev.ao" = {
            user = "nij";
            hostname = "192.168.2.28";
            proxyJump = lib.mkDefault "bastion.ao";
            identityFile = "${config.age.secrets.ssh-key-ao.path}";
          };
          "staging.ao" = {
            user = "staging";
            hostname = "172.16.2.102";
            proxyJump = lib.mkDefault "bastion.ao";
            identityFile = "${config.age.secrets.ssh-key-ao.path}";
          };
        };
    };
  };

  programs.ssh.startAgent = true;
  services.gnome.gcr-ssh-agent.enable = false;

  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;
  };

  systemd.user.services."add-ssh-keys" = lib.mkIf workEnabled {
    description = "Add SSH keys to ssh-agent";
    after = ["network.target" "ssh-agent.service"];
    requires = ["ssh-agent.service"];
    wantedBy = ["default.target"];
    serviceConfig = {
      Type = "oneshot";
      ExecStartPre = ''
        ${pkgs.coreutils}/bin/sleep 5
      '';
      ExecStart = ''
        ${pkgs.openssh}/bin/ssh-add -q ${config.age.secrets.ssh-key-ao.path}
      '';
    };
  };

  users.users.${username}.openssh.authorizedKeys.keys = publicKeys;
}
complete rework v3 2025-02-18 20:17:57 +01:00			`{`
			`config,`
feat: add systemd service to register ssh-keys 2025-10-24 08:16:19 +02:00			`pkgs,`
complete rework v3 2025-02-18 20:17:57 +01:00			`username,`
			`hostname,`
			`lib,`
			`...`
			`}: let`
update 2025-02-20 22:50:06 +01:00			`# Load all public keys from ../../secrets/hosts/*/id_ed25519.pub`
			`allHosts = lib.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir ../../secrets/hosts));`
			`publicKeys = map (x: builtins.readFile (../../secrets/hosts + ("/" + x) + "/id_ed25519.pub")) allHosts;`
refactor: split base and system module 2025-12-12 04:17:02 +01:00			`workEnabled = config.fireproof.work.enable;`
complete rework v3 2025-02-18 20:17:57 +01:00			`in {`
			`age.secrets.ssh-key = {`
update 2025-02-20 22:50:06 +01:00			`rekeyFile = ../../secrets/hosts + ("/" + hostname) + /id_ed25519.age;`
			`path = "/home/" + username + "/.ssh/id_ed25519";`
complete rework v3 2025-02-18 20:17:57 +01:00			`mode = "0600";`
			`owner = username;`
			`};`
refactor: split base and system module 2025-12-12 04:17:02 +01:00			`age.secrets.ssh-key-ao = lib.mkIf workEnabled {`
update 2025-02-20 22:50:06 +01:00			`rekeyFile = ../../secrets/ssh-key-ao.age;`
complete rework v3 2025-02-18 20:17:57 +01:00			`mode = "0600";`
			`owner = username;`
			`};`
fix: formatting 2025-11-26 08:56:56 +01:00
complete rework v3 2025-02-18 20:17:57 +01:00			`fireproof.home-manager = {`
update 2025-02-20 22:50:06 +01:00			`home.file.".ssh/id_ed25519.pub".source = ../../secrets/hosts + ("/" + hostname) + "/id_ed25519.pub";`
complete rework v3 2025-02-18 20:17:57 +01:00			`programs.ssh = {`
			`enable = true;`
chore: fix deprecation warnings 2025-12-12 04:41:03 +01:00			`enableDefaultConfig = false;`
refactor: move homelab config to module 2025-12-12 04:30:57 +01:00			`matchBlocks =`
			`{`
			`"*" = {`
			`identityFile = "${config.age.secrets.ssh-key.path}";`
chore: fix deprecation warnings 2025-12-12 04:41:03 +01:00			`forwardAgent = true;`
			`serverAliveInterval = 60;`
			`serverAliveCountMax = 10;`
refactor: move homelab config to module 2025-12-12 04:30:57 +01:00			`};`
			`homelab = {`
			`hostname = "x.nickolaj.com";`
			`user = "nickolaj";`
			`};`
			`}`
			`// lib.optionalAttrs workEnabled {`
			`# Work hostnames definded in ./networking.nix`
			`"bastion.ao" = {`
			`user = "nij";`
			`identityFile = "${config.age.secrets.ssh-key-ao.path}";`
			`};`
			`"clickhouse.ao" = {`
			`user = "ubuntu";`
			`hostname = "51.158.205.48";`
			`identityFile = "${config.age.secrets.ssh-key-ao.path}";`
			`};`
			`"flex.ao" = {`
			`user = "nij";`
			`hostname = "192.168.2.5";`
			`proxyJump = "bastion.ao";`
			`identityFile = "${config.age.secrets.ssh-key-ao.path}";`
			`};`
			`"scw.ao" = {`
			`user = "nij";`
			`hostname = "51.15.81.1";`
			`proxyJump = lib.mkDefault "dev.ao";`
			`identityFile = "${config.age.secrets.ssh-key-ao.path}";`
			`};`
			`"dev.ao" = {`
			`user = "nij";`
			`hostname = "192.168.2.28";`
			`proxyJump = lib.mkDefault "bastion.ao";`
			`identityFile = "${config.age.secrets.ssh-key-ao.path}";`
			`};`
			`"staging.ao" = {`
			`user = "staging";`
			`hostname = "172.16.2.102";`
			`proxyJump = lib.mkDefault "bastion.ao";`
			`identityFile = "${config.age.secrets.ssh-key-ao.path}";`
			`};`
complete rework v3 2025-02-18 20:17:57 +01:00			`};`
			`};`
			`};`

complete rework v2 2025-02-03 07:55:17 +01:00			`programs.ssh.startAgent = true;`
feat: move to dms and remove hyprland completely 2025-12-12 03:38:32 +01:00			`services.gnome.gcr-ssh-agent.enable = false;`
chore: update nixos version 2025-12-08 13:13:18 +01:00
complete rework v2 2025-02-03 07:55:17 +01:00			`services.openssh = {`
			`enable = true;`
			`settings.PasswordAuthentication = false;`
			`settings.KbdInteractiveAuthentication = false;`
			`};`

refactor: split base and system module 2025-12-12 04:17:02 +01:00			`systemd.user.services."add-ssh-keys" = lib.mkIf workEnabled {`
feat: add systemd service to register ssh-keys 2025-10-24 08:16:19 +02:00			`description = "Add SSH keys to ssh-agent";`
fix: formatting 2025-11-26 08:56:56 +01:00			`after = ["network.target" "ssh-agent.service"];`
			`requires = ["ssh-agent.service"];`
			`wantedBy = ["default.target"];`
feat: add systemd service to register ssh-keys 2025-10-24 08:16:19 +02:00			`serviceConfig = {`
			`Type = "oneshot";`
fix: formatting 2025-11-26 08:56:56 +01:00			`ExecStartPre = ''`
			`${pkgs.coreutils}/bin/sleep 5`
feat: add systemd service to register ssh-keys 2025-10-24 08:16:19 +02:00			`'';`
			`ExecStart = ''`
			`${pkgs.openssh}/bin/ssh-add -q ${config.age.secrets.ssh-key-ao.path}`
			`'';`
			`};`
			`};`

complete rework v3 2025-02-18 20:17:57 +01:00			`users.users.${username}.openssh.authorizedKeys.keys = publicKeys;`
complete rework v2 2025-02-03 07:55:17 +01:00			`}`