nix-darwin
Add options to manage OpenSSH server
It seems services.openssh is not supported in nix-darwin. Since running an openssh server seems to be a common feature, I wonder if it's supported in other ways or is blocked because of some darwin limitation?
Should be doable. I think there are several points in MacOS that would need to be addressed:
- MacOS doesn’t use OpenSSL; it uses LibreSSL with its SSH server.
- MacOS has a service under System Settings -> General -> Sharing -> Remote Login; this is OpenSSH using LibreSSL, iirc.
- Some users will want to use OpenSSL and OpenSSH from Homebrew or other sources.
So I think Nix-Darwin would need a feature to select which sshd to use when using services.openssh
The configuration for MacOS might be a little different in terms of structure and layout than OpenSSH's defaults.
We could probably just use the Nixpkgs openssh package and mimic the NixOS module as closely as possible. I'm not sure if Apple's patched OpenSSH has much that's relevant on the daemon side (though I could be wrong here).
We could add the option services.openssh.enable and make it run the following on activation:
```bash
# Enable Remote Login only if it is currently off, so activation stays idempotent.
# systemsetup prints "Remote Login: On" / "Remote Login: Off"; strip the prefix.
if [[ "$(systemsetup -getremotelogin | sed 's/Remote Login: //')" == "Off" ]]; then
  # Load Apple's bundled sshd launchd job and persist the change (-w) across reboots.
  launchctl load -w /System/Library/LaunchDaemons/ssh.plist
fi
```
We started this a long time ago. I can start upstreaming some of it I think.
We don't have very complete parity with nixpkgs, though.
Err, actually nevermind. I don't have the bandwidth to do it. But it is not too bad, Apple provides the /etc/ssh/sshd_config.d directory for third-party extensions which we can use to write configs and avoid getting clobbered on system upgrades.
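The two mechanisms the thread relies on, writing a drop-in into Apple's `/etc/ssh/sshd_config.d` directory and enabling Remote Login only when it is off, can be combined into one idempotent activation-style script. The following is an added example, not code from the thread or from nix-darwin: the drop-in filename `100-managed.conf`, the directory argument (so the writer can be exercised outside `/etc`), and the choice of hardening directives are assumptions; `systemsetup`, `launchctl`, the `ssh.plist` path and `sshd -t` are the real macOS/OpenSSH tools the thread mentions.

```bash
#!/usr/bin/env bash
# Added example (not nix-darwin's own code). Writes a managed sshd drop-in,
# validates the merged config with sshd -t when sshd is present, and turns on
# Remote Login only if it is currently off.
set -eu

# Render a drop-in from "Key value" arguments. The header tells the next admin
# where the file comes from so it is not hand-edited and then clobbered.
render_sshd_dropin() {
  printf '# Managed by an activation script; change the generator, not this file.\n'
  for directive in "$@"; do
    printf '%s\n' "$directive"
  done
}

# Write the drop-in into the given sshd_config.d directory only when its
# contents changed. Returns 0 if written, 1 if the existing file was identical,
# so callers can decide whether sshd needs a reload.
install_sshd_dropin() {
  dir="$1"; shift
  target="$dir/100-managed.conf"   # assumed name; sorts after Apple's defaults
  tmp="$(mktemp)"
  render_sshd_dropin "$@" > "$tmp"
  if [ -f "$target" ] && cmp -s "$tmp" "$target"; then
    rm -f "$tmp"
    return 1
  fi
  mkdir -p "$dir"
  cp "$tmp" "$target"
  chmod 0644 "$target"
  rm -f "$tmp"
  return 0
}

# Ask sshd to parse the full configuration (the main file Includes the
# drop-ins) without starting; a typo in the drop-in would otherwise only show
# up as a daemon that refuses to start after the next upgrade.
check_sshd_config() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$1"
  else
    echo "sshd not found; skipping syntax check" >&2
  fi
}

# Same check the thread proposes for activation: only touch launchd when
# Remote Login is reported as Off.
enable_remote_login() {
  if [ "$(systemsetup -getremotelogin | sed 's/Remote Login: //')" = "Off" ]; then
    launchctl load -w /System/Library/LaunchDaemons/ssh.plist
  fi
}

# Run the macOS-specific steps only when explicitly asked, e.g. `sudo ./sshd-activate.sh apply`.
if [ "${1:-}" = "apply" ]; then
  if install_sshd_dropin /etc/ssh/sshd_config.d \
       "PasswordAuthentication no" \
       "KbdInteractiveAuthentication no" \
       "PermitRootLogin no"; then
    check_sshd_config /etc/ssh/sshd_config
    # Apple's launchd job spawns sshd per connection, so a new config is
    # picked up without a restart once it has been written.
  fi
  enable_remote_login
fi
```

Directives in a drop-in follow first-match semantics in sshd, so the drop-in file name and the position of the `Include` line in `/etc/ssh/sshd_config` decide whether a managed setting or Apple's default wins; running `sshd -T` after activation shows the effective values.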