From cac845feb65517cf170d33ceee81372845f50fac Mon Sep 17 00:00:00 2001
From: Ethel Morgan
Date: Wed, 27 May 2020 11:34:56 +0100
Subject: extract my preferred SSH setup to eth.services.ssh
---
 module-list.nix | 1 +
 modules/services/ssh.nix | 29 +++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 modules/services/ssh.nix
diff --git a/module-list.nix b/module-list.nix
index e9c48ec..e152021 100644
--- a/module-list.nix
+++ b/module-list.nix
@@ -7,6 +7,7 @@
 ./modules/services/helix-player.nix
 ./modules/services/mosquitto.nix
 ./modules/services/snapclient.nix
+ ./modules/services/ssh.nix
 ./modules/services/upmpdcli.nix
 ./modules/users.nix
 ./modules/yubikey.nix
diff --git a/modules/services/ssh.nix b/modules/services/ssh.nix
new file mode 100644
index 0000000..d965472
--- /dev/null
+++ b/modules/services/ssh.nix
@@ -0,0 +1,29 @@
+{ config, lib, pkgs, ... }:
+with lib;
+
+let
+ cfg = config.eth.services.ssh;
+
+in {
+ options.eth.services.ssh = {
+ enable = mkEnableOption "Whether to enable SSHd with Eth's defaults.";
+
+ passwordAuthentication = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Whether to allow password authentication. Occasionally useful, used sparingly.";
+ };
+ };
+
+ config = mkIf cfg.enable {
+
+ security.pam.enableSSHAgentAuth = true;
+ security.pam.services.sudo.sshAgentAuth = true;
+
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = cfg.passwordAuthentication;
+ };
+ };
+}
-- cgit v1.2.3
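Review bot: In the new `modules/services/ssh.nix`, the `services.openssh` block wires only `passwordAuthentication` to the module option, so keyboard-interactive authentication stays at the nixpkgs default. If `services.openssh.challengeResponseAuthentication` defaults to true on the pinned nixpkgs, sshd can still prompt for a password through PAM even with `passwordAuthentication = false`. Adding `challengeResponseAuthentication = cfg.passwordAuthentication;` to that block would make the option behave as its description says. Separately, `security.pam.services.sudo.sshAgentAuth = true` lets any key accepted by pam_ssh_agent_auth satisfy sudo, so it is worth confirming that the key files it trusts are root-owned rather than a user-writable `~/.ssh/authorized_keys`, and noting that in a comment beside those two lines. As a style point, `mkEnableOption` already prepends "Whether to enable", so its argument would read better as `"SSHd with Eth's defaults"`.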