implement a dropbear SSH module

hosts/common/ssh.nix

@@ -32,4 +32,14 @@ in
     visibleTo.lan = true;
     description = lib.mkDefault "colin-ssh";
   };
+
+  # sane.services.dropbear = {
+  #   enable = true;
+  #   port = 1022;
+  # };
+  # sane.ports.ports."1022" = {
+  #   protocol = [ "tcp" ];
+  #   visibleTo.lan = true;
+  #   description = lib.mkDefault "colin-dropbear-ssh";
+  # };
 }

modules/services/default.nix

@@ -1,6 +1,7 @@
 { ... }:
 {
   imports = [
+    ./dropbear.nix
     ./clightning.nix
     ./dyn-dns.nix
     ./eg25-manager.nix

modules/services/dropbear.nix

@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.sane.services.dropbear;
+in
+{
+  options = {
+    sane.services.dropbear = with lib; {
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+      };
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs.dropbear;
+        defaultText = literalExpression "pkgs.dropbear";
+      };
+
+      port = mkOption {
+        type = types.port;
+        default = 22;
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.dropbear = {
+      description = "Dropbear SSH Server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig.Type = "simple";
+      # N.B.: dropbear ssh key format is incompatible with OpenSSH's.
+      # also, needs to be manually generated on first run (`dropbearkey -t rsa -f /etc/ssh/host_keys/dropbear_rsa_host_key -s 4096`)
+      serviceConfig.ExecStart = "${cfg.package}/bin/dropbear -F -p ${builtins.toString cfg.port} -r /etc/ssh/host_keys/dropbear_rsa_host_key -r /etc/ssh/host_keys/dropbear_ed25519_host_key";
+    };
+  };
+}