From 21e84bb162c651f59a3fdb11e2dfd2ea71823366 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?=
Date: Sun, 25 Aug 2024 11:07:35 +0300
Subject: [PATCH] ssh8022: split client and server
---
 flake.nix | 24 -----------
 hosts/fwminex/configuration.nix | 11 ++++-
 hosts/mtworx/configuration.nix | 11 ++++-
 modules/services/ssh8022/default.nix | 62 ++++++++++++++++++----------
 4 files changed, 60 insertions(+), 48 deletions(-)
diff --git a/flake.nix b/flake.nix
index b0348d4..60e3453 100644
--- a/flake.nix
+++ b/flake.nix
@@ -152,11 +152,6 @@
 syncthing-key.file = ./secrets/mtworx/syncthing/key.pem.age;
 syncthing-cert.file = ./secrets/mtworx/syncthing/cert.pem.age;
-
- ssh8022 = {
- file = ./secrets/ssh8022.age;
- owner = "motiejus";
- };
 };
 }
 ];
@@ -191,11 +186,6 @@
 synapse-macaroon-secret-key.file = ./secrets/synapse/macaroon_secret_key.age;
 syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age;
 syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age;
-
- ssh8022 = {
- file = ./secrets/ssh8022.age;
- owner = "motiejus";
- };
 };
 }
 ];
@@ -222,11 +212,6 @@
 syncthing-key.file = ./secrets/vno1-gdrx/syncthing/key.pem.age;
 syncthing-cert.file = ./secrets/vno1-gdrx/syncthing/cert.pem.age;
-
- ssh8022 = {
- file = ./secrets/ssh8022.age;
- owner = "motiejus";
- };
 };
 }
 ];
@@ -254,11 +239,6 @@
 sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
 datapool-passphrase.file = ./secrets/vno3-rp3b/datapool-passphrase.age;
-
- ssh8022 = {
- file = ./secrets/ssh8022.age;
- owner = "motiejus";
- };
 };
 }
 ];
@@ -284,10 +264,6 @@
 root-passwd-hash.file = ./secrets/root_passwd_hash.age;
 sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
- ssh8022 = {
- file = ./secrets/ssh8022.age;
- owner = "motiejus";
- };
 };
 }
 ];
diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix
index 5219e77..283fa22 100644
--- a/hosts/fwminex/configuration.nix
+++ b/hosts/fwminex/configuration.nix
@@ -13,6 +13,12 @@ in
 ../../modules/profiles/btrfs
 ];
+ age.secrets.ssh8022-server = {
+ file = ../../secrets/ssh8022.age;
+ owner = "spiped";
+ path = "/var/lib/spiped/ssh8022.key";
+ };
+
 boot = {
 kernelModules = [ "kvm-intel" ];
 loader.systemd-boot.enable = true;
@@ -364,10 +370,13 @@ in
 services = {
 sshguard.enable = true;
- ssh8022.enable = true;
 gitea.enable = true;
 hass.enable = true;
 syncthing-relay.enable = true;
+ ssh8022.server = {
+ enable = true;
+ keyfile = config.age.secrets.ssh8022-server.path;
+ };
 vaultwarden = {
 enable = true;
diff --git a/hosts/mtworx/configuration.nix b/hosts/mtworx/configuration.nix
index ef5d224..a7e36ed 100644
--- a/hosts/mtworx/configuration.nix
+++ b/hosts/mtworx/configuration.nix
@@ -16,6 +16,11 @@ in
 ../../modules/profiles/btrfs
 ];
+ age.secrets.ssh8022-client = {
+ file = ../../secrets/ssh8022.age;
+ owner = "motiejus";
+ };
+
 boot = {
 kernelModules = [ "kvm-intel" ];
 loader.systemd-boot.enable = true;
@@ -81,7 +86,11 @@ in
 services = {
 sshguard.enable = false;
- ssh8022.enable = true;
+ ssh8022.client = {
+ enable = true;
+ keyfile = config.age.secrets.ssh8022-client.path;
+
+ };
 tailscale = {
 enable = true;
diff --git a/modules/services/ssh8022/default.nix b/modules/services/ssh8022/default.nix
index 01cccc9..4f371b8 100644
--- a/modules/services/ssh8022/default.nix
+++ b/modules/services/ssh8022/default.nix
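Review bot: `path = "/var/lib/spiped/ssh8022.key"` in the new `age.secrets.ssh8022-server` block relocates the decrypted server key away from agenix's default location without a word on why, so the next reader has to work out whether the spiped unit cannot read the default path or the directory was chosen for ownership reasons. A one-line comment on that line would settle it, e.g. `# keep the key where the spiped service can read it — presumably its unit cannot reach the default agenix path; confirm`. The `boot = {` attrset that follows the inserted lines continues past the hunk.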
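Review bot: `age.secrets.ssh8022-client` re-creates the dropped `ssh8022` secret for mtworx only, while the flake.nix hunks remove that secret from five hosts and this patch restores a counterpart on just two (this host and fwminex). If vno1-gdrx, vno3-rp3b or the host in the last flake.nix hunk relied on the old module's ProxyCommand to reach dl.jakstys.lt, they now have neither the key nor `ssh8022.client`; if they never enabled the module, a sentence in the commit message saying so would spare the next reader the check. The `boot = {` attrset after the inserted lines continues past the hunk.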
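Review bot: The new `ssh8022.client` attrset in hosts/mtworx/configuration.nix has a stray blank line between `keyfile = config.age.secrets.ssh8022-client.path;` and `};`, which the parallel `ssh8022.server` block in hosts/fwminex/configuration.nix does not have; drop it so the two hosts read alike. The enclosing `services = {` attrset continues past the hunk.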
@@ -5,30 +5,48 @@
 myData,
 ...
 }:
-let
- cfg = config.mj.services.ssh8022;
-in
 {
- options.mj.services.ssh8022 = {
- enable = lib.mkEnableOption "Enable ssh8022";
+ options.mj.services.ssh8022 = with lib.types; {
+ client = {
+ enable = lib.mkEnableOption "Enable ssh8022 client";
+ keyfile = lib.mkOption { type = str; };
+ };
+ server = {
+ enable = lib.mkEnableOption "Enable ssh8022 server";
+ keyfile = lib.mkOption { type = str; };
+ };
 };
- config = lib.mkIf cfg.enable {
- services.spiped = {
- enable = true;
- config = {
- ssh8022 = {
- decrypt = true;
- source = "*:8022";
- target = "127.0.0.1:22";
- keyfile = config.age.secrets.ssh8022.path;
+ config = lib.mkMerge [
+ (
+ let
+ cfg = config.mj.services.ssh8022.client;
+ in
+ lib.mkIf cfg.enable {
+ programs.ssh.extraConfig = ''
+ Host dl.jakstys.lt
+ ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:8022 -k ${cfg.keyfile}
+ '';
+ }
+ )
+ (
+ let
+ cfg = config.mj.services.ssh8022.server;
+ in
+ lib.mkIf cfg.enable {
+ services.spiped = {
+ enable = true;
+ config = {
+ ssh8022 = {
+ inherit (cfg) keyfile;
+ decrypt = true;
+ source = "*:8022";
+ target = "127.0.0.1:22";
+ };
+ };
 };
- };
- };
- programs.ssh.extraConfig = ''
- Host dl.jakstys.lt
- ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:8022 -k ${config.age.secrets.ssh8022.path}
- '';
- networking.firewall.allowedTCPPorts = [ myData.ports.ssh8022 ];
- };
+ networking.firewall.allowedTCPPorts = [ myData.ports.ssh8022 ];
+ }
+ )
+ ];
 }
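Review bot: The listening port is spelled three ways in this hunk — `myData.ports.ssh8022` in the firewall rule, a literal `8022` in the server's `source`, and a literal `8022` in the client's ProxyCommand — so a change to `myData.ports.ssh8022` would open a port spiped does not listen on while the client keeps dialling the old one. Derive all three from the same value: `source = "*:${toString myData.ports.ssh8022}";` and `ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:${toString myData.ports.ssh8022} -k ${cfg.keyfile}`. The two `keyfile` options also carry no `description`; the choice of `str` over `path` looks deliberate, since a `path`-typed literal would copy the key into the world-readable Nix store, and that is worth stating, e.g. `description = "Absolute path to the spiped key; a string so the secret is never copied into the Nix store.";`. The module's argument list (`config`, `lib`, `pkgs`) starts before the hunk; its closing `}` is the hunk's last line.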