updated assertions

2024-02-28 07:18:12 +01:00
parent 4dc515d395
commit 7da46a110d
9 changed files with 44 additions and 16 deletions
@@ -1,4 +1,3 @@
-# TODO: Dir creation and file permissions in nix
 {
  config,
  lib,
@@ -6,8 +5,9 @@
 }:
 with lib; let
  cfg = config.nixarr.openssh;
+  nixarr = config.nixarr;
 in {
-  options.nixarr.openssh.vpn.enable = {
+  options.nixarr.openssh.vpn.enable = mkOption {
    type = types.bool;
    default = false;
    description = ''
@@ -27,16 +27,20 @@ in {
        };

        users.extraUsers.username.openssh.authorizedKeys.keyFiles = [
-          ./path/to/public/key/machine.pub}
+          ./path/to/public/key/machine.pub
        ];
+
+        Then replace username with your username and the keyFiles path
+        to a ssh public key file from the machine that you want to have
+        access. Don't use password authentication as it is insecure!
      ```
    '';
  };

-  config = mkIf (cfg.vpn.enable && config.services.openssh.enable) {
+  config = mkIf cfg.vpn.enable {
    assertions = [
      {
-        assertion = cfg.vpn.enable && !nixarr.vpn.enable;
+        assertion = cfg.vpn.enable -> nixarr.vpn.enable;
        message = ''
          The nixarr.openssh.vpn.enable option requires the
          nixarr.vpn.enable option to be set, but it was not.
@@ -44,6 +48,29 @@ in {
      }
    ];

+    warnings = if config.services.openssh.enable then [
+      ''
+        nixarr.openssh.vpn.enable is set, but openssh is not enabled on your
+        system, so the openssh server is not running. This is probably not
+        what you wanted. You can add the following lines to enable it:
+
+        services.openssh = {
+          enable = true;
+          settings.PasswordAuthentication = false;
+          # Get this port from your VPN provider
+          ports [ 12345 ];
+        };
+
+        users.extraUsers.username.openssh.authorizedKeys.keyFiles = [
+          ./path/to/public/key/machine.pub
+        ];
+
+        Then replace username with your username and the keyFiles path
+        to a ssh public key file from the machine that you want to have
+        access. Don't use password authentication as it is insecure!
+      ''
+    ] else [];
+
    util-nixarr.vpnnamespace = {
      portMappings = builtins.map (x: { From = x; To = x; }) config.services.openssh.ports;
      openUdpPorts = config.services.openssh.ports;