Rebase to flake parts #6

modules/ssh/home-manager/default.nix

@@ -0,0 +1,96 @@
+{ self, ... }: {
+  flake.homeManagerModules.sshOutboundRbw = {
+    config,
+    lib,
+    pkgs,
+    ...
+  }:
+  let
+    cfg = config.chiasson.ssh.outbound.rbw;
+    inventory = self.lib.sshInventory;
+    selectedHostNames =
+      if cfg.hosts == [ "all" ] then
+        builtins.attrNames inventory.activeHosts
+      else
+        cfg.hosts;
+    missing = builtins.filter (name: !(builtins.hasAttr name inventory.hosts)) selectedHostNames;
+    selectedHosts = builtins.listToAttrs (
+      builtins.map (name: {
+        inherit name;
+        value = inventory.hosts.${name};
+      }) selectedHostNames
+    );
+    sshConfigTemplate = inventory.mkSshConfigTemplate {
+      selectedHosts = selectedHosts;
+      user = cfg.user;
+    };
+  in
+  {
+    options.chiasson.ssh.outbound.rbw = {
+      enable = lib.mkEnableOption "Generated `~/.ssh/config` + rbw agent socket.";
+      user = lib.mkOption {
+        type = lib.types.str;
+        default = config.home.username;
+        description = "`User` in generated `Host` blocks.";
+      };
+      hosts = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [ "all" ];
+        description = "Inventory hosts to emit (or `[ \"all\" ]`).";
+      };
+      manageSshConfig = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Write `~/.ssh/config` from the template.";
+      };
+    };
+
+    config = lib.mkIf cfg.enable (lib.mkMerge [
+      {
+        assertions = [
+          {
+            assertion = missing == [ ];
+            message = "ssh.outbound.rbw: unknown host keys: ${builtins.concatStringsSep ", " missing}";
+          }
+        ];
+      }
+      {
+        home.packages = [ pkgs.rbw pkgs.pinentry-qt ];
+        home.sessionVariables.SSH_AUTH_SOCK = "$XDG_RUNTIME_DIR/rbw/ssh-agent-socket";
+        home.file = inventory.mkIdentityFiles selectedHosts;
+
+        programs.ssh.enable = lib.mkIf cfg.manageSshConfig false;
+        home.activation.rbwSshConfig = lib.mkIf cfg.manageSshConfig (lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+          mkdir -p "$HOME/.ssh"
+          chmod 700 "$HOME/.ssh"
+          RBW_SSH_SOCK="/run/user/$(id -u)/rbw/ssh-agent-socket"
+          cat > "$HOME/.ssh/config" <<'EOF'
+${sshConfigTemplate}
+EOF
+          sed -i "s|__RBW_SSH_SOCK__|$RBW_SSH_SOCK|g" "$HOME/.ssh/config"
+          chmod 600 "$HOME/.ssh/config"
+        '');
+
+        systemd.user.services.rbw-agent-bootstrap = {
+          Unit = {
+            Description = "Bootstrap rbw SSH agent";
+            PartOf = [ "graphical-session.target" ];
+            After = [ "graphical-session.target" ];
+          };
+          Service = {
+            Type = "oneshot";
+            ExecStart = "${pkgs.bash}/bin/bash -lc '${pkgs.rbw}/bin/rbw unlocked >/dev/null 2>&1 || true'";
+            RemainAfterExit = true;
+          };
+          Install = {
+            WantedBy = [ "graphical-session.target" ];
+          };
+        };
+
+        home.activation.rbwPinentryConfig = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+          ${pkgs.rbw}/bin/rbw config set pinentry "${pkgs.pinentry-qt}/bin/pinentry-qt" >/dev/null 2>&1 || true
+        '';
+      }
+    ]);
+  };
+}