Unverified Commit 396f4f05 authored by José Luis Lafuente's avatar José Luis Lafuente Committed by GitHub

nixos/tmate-ssh-server: init module (#192270)



* nixos/tmate-ssh-server: init module

Co-authored-by: Aaron Andersen <aaron@fosslib.net>
parent 6c316620
+9 −0
@@ -320,6 +320,15 @@
          <link linkend="opt-services.go-autoconfig.enable">services.go-autoconfig</link>.
        </para>
      </listitem>
      <listitem>
        <para>
          <link xlink:href="https://github.com/tmate-io/tmate-ssh-server">tmate-ssh-server</link>,
          server side part of
          <link xlink:href="https://tmate.io/">tmate</link>. Available
          as
          <link linkend="opt-services.tmate-ssh-server.enable">services.tmate-ssh-server</link>.
        </para>
      </listitem>
      <listitem>
        <para>
          <link xlink:href="https://www.grafana.com/oss/tempo/">Grafana
+2 −0
@@ -110,6 +110,8 @@ In addition to numerous new and upgraded packages, this release has the followin

- [go-autoconfig](https://github.com/L11R/go-autoconfig), IMAP/SMTP autodiscover server. Available as [services.go-autoconfig](#opt-services.go-autoconfig.enable).

- [tmate-ssh-server](https://github.com/tmate-io/tmate-ssh-server), server side part of [tmate](https://tmate.io/). Available as [services.tmate-ssh-server](#opt-services.tmate-ssh-server.enable).

- [Grafana Tempo](https://www.grafana.com/oss/tempo/), a distributed tracing store. Available as [services.tempo](#opt-services.tempo.enable).

- [AusweisApp2](https://www.ausweisapp.bund.de/), the authentication software for the German ID card. Available as [programs.ausweisapp](#opt-programs.ausweisapp.enable).
+1 −0
@@ -960,6 +960,7 @@
  ./services/networking/tinc.nix
  ./services/networking/tinydns.nix
  ./services/networking/tftpd.nix
  ./services/networking/tmate-ssh-server.nix
  ./services/networking/trickster.nix
  ./services/networking/tox-bootstrapd.nix
  ./services/networking/tox-node.nix
+122 −0
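--- /dev/null
+++ b/services/networking/tmate-ssh-server.nix
@@ -0,0 +1,122 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.tmate-ssh-server;
+
+  defaultKeysDir = "/etc/tmate-ssh-server-keys";
+  edKey = "${defaultKeysDir}/ssh_host_ed25519_key";
+  rsaKey = "${defaultKeysDir}/ssh_host_rsa_key";
+
+  keysDir =
+    if cfg.keysDir == null
+    then defaultKeysDir
+    else cfg.keysDir;
+
+  domain = config.networking.domain;
+in
+{
+  options.services.tmate-ssh-server = {
+    enable = mkEnableOption (mdDoc "tmate ssh server");
+
+    package = mkOption {
+      type = types.package;
+      description = mdDoc "The package containing tmate-ssh-server";
+      defaultText = literalExpression "pkgs.tmate-ssh-server";
+      default = pkgs.tmate-ssh-server;
+    };
+
+    host = mkOption {
+      type = types.str;
+      description = mdDoc "External host name";
+      defaultText = lib.literalExpression "config.networking.domain or config.networking.hostName ";
+      default =
+        if domain == null then
+          config.networking.hostName
+        else
+          domain;
+    };
+
+    port = mkOption {
+      type = types.port;
+      description = mdDoc "Listen port for the ssh server";
+      default = 2222;
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = true;
+      description = mdDoc "Whether to automatically open the specified ports in the firewall.";
+    };
+
+    advertisedPort = mkOption {
+      type = types.port;
+      description = mdDoc "External port advertised to clients";
+    };
+
+    keysDir = mkOption {
+      type = with types; nullOr str;
+      description = mdDoc "Directory containing ssh keys, defaulting to auto-generation";
+      default = null;
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    networking.firewall.allowedTCPPorts = optionals cfg.openFirewall [ cfg.port ];
+
+    services.tmate-ssh-server = {
+      advertisedPort = mkDefault cfg.port;
+    };
+
+    environment.systemPackages =
+      let
+        tmate-config = pkgs.writeText "tmate.conf"
+          ''
+            set -g tmate-server-host "${cfg.host}"
+            set -g tmate-server-port ${toString cfg.port}
+            set -g tmate-server-ed25519-fingerprint "@ed25519_fingerprint@"
+            set -g tmate-server-rsa-fingerprint "@rsa_fingerprint@"
+          '';
+      in
+      [
+        (pkgs.writeShellApplication {
+          name = "tmate-client-config";
+          runtimeInputs = with pkgs;[ openssh coreutils sd ];
+          text = ''
+            RSA_SIG="$(ssh-keygen -l -E SHA256 -f "${keysDir}/ssh_host_rsa_key.pub" | cut -d ' ' -f 2)"
+            ED25519_SIG="$(ssh-keygen -l -E SHA256 -f "${keysDir}/ssh_host_ed25519_key.pub" | cut -d ' ' -f 2)"
+            sd -sp '@ed25519_fingerprint@' "$ED25519_SIG" ${tmate-config} | \
+              sd -sp '@rsa_fingerprint@' "$RSA_SIG"
+          '';
+        })
+      ];
+
+    systemd.services.tmate-ssh-server = {
+      description = "tmate SSH Server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/tmate-ssh-server -h ${cfg.host} -p ${toString cfg.port} -q ${toString cfg.advertisedPort} -k ${keysDir}";
+      };
+      preStart = mkIf (cfg.keysDir == null) ''
+        if [[ ! -d ${defaultKeysDir} ]]
+        then
+          mkdir -p ${defaultKeysDir}
+        fi
+        if [[ ! -f ${edKey} ]]
+        then
+          ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f ${edKey} -N ""
+        fi
+        if [[ ! -f ${rsaKey} ]]
+        then
+          ${pkgs.openssh}/bin/ssh-keygen -t rsa -f ${rsaKey} -N ""
+        fi
+      '';
+    };
+  };
+
+  meta = {
+    maintainers = with maintainers; [ jlesquembre ];
+  };
+
+}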
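Review bot: `openFirewall` defaults to `true` (the `default = true;` line of that option), so simply setting `services.tmate-ssh-server.enable` opens the listen port to the network; NixOS modules conventionally default `openFirewall` to `false` so that exposing a listening service is an explicit operator choice, and I would change this to `default = false;`. The systemd unit sets only `ExecStart` — no `User`/`DynamicUser` and no sandboxing directives such as `ProtectSystem`, `ProtectHome` or `NoNewPrivileges` — so the daemon runs under the unit's default root identity; if tmate-ssh-server drops privileges by itself that deserves a comment on the unit, otherwise the hardening belongs in `serviceConfig`. The `-h ${cfg.host}` argument in `ExecStart` is interpolated unquoted, so a `host` value containing whitespace or shell-significant characters would be split by systemd's command-line parser; wrapping it with `escapeShellArg` avoids that. Minor: the `host` option's `defaultText` string carries a trailing space (`config.networking.hostName "`), and `keysDir` is used as a filesystem path so `nullOr path` describes it more precisely than `nullOr str`.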
+1 −0
@@ -626,6 +626,7 @@ in {
  tinc = handleTest ./tinc {};
  tinydns = handleTest ./tinydns.nix {};
  tinywl = handleTest ./tinywl.nix {};
  tmate-ssh-server = handleTest ./tmate-ssh-server.nix { };
  tomcat = handleTest ./tomcat.nix {};
  tor = handleTest ./tor.nix {};
  # traefik test relies on docker-containers