feat: support for some system configuration

includes:
- hostname
- root-auth (hashedPasswd & ssh-keys)
- root-login over ssh policy
- netconf port

junos/default.nix

@@ -1,5 +1,4 @@
 {
-  name,
   lib,
   config,
   ...
@@ -22,6 +21,7 @@ in
     ./interfaces.nix
     ./vlans.nix
     ./poe.nix
+    ./system.nix
   ];
   options = {
     netconf.xmls.configuration = mkOption {
@@ -58,6 +58,7 @@ in
     mapAttrs mkIntf config.netconf.mandatoryInterfaces;
   config.netconf.xmls.configuration = ''
     <configuration>
+      ${config.netconf.xmls.system}
       ${config.netconf.xmls.interfaces}
       ${config.netconf.xmls.protocols}
       ${config.netconf.xmls.vlans}

junos/system.nix

@@ -0,0 +1,72 @@
+{ lib, config, ... }:
+with lib;
+{
+  options = {
+    system = {
+      host-name = mkOption {
+        type = types.str;
+        description = "The hostname of the switch.";
+      };
+      root-authentication = {
+        hashedPasswd = mkOption {
+          type = types.str;
+          description = "Hashed password for root.";
+        };
+        ssh-keys = mkOption {
+          type = types.listOf types.str;
+          description = "ssh keys for root user.";
+          default = [ ];
+        };
+      };
+      services = {
+        ssh.root-login = mkOption {
+          type = types.enum [
+            "allow"
+            "deny"
+            "deny-password"
+          ];
+          description = "Login policy to use for root.";
+        };
+        netconf.port = mkOption {
+          type = types.port;
+          description = "Port to use for netconf.";
+          default = 830;
+        };
+      };
+    };
+    netconf.xmls.system = mkOption {
+      type = types.str;
+      visible = false;
+      readOnly = true;
+    };
+  };
+  config.netconf.xmls.system =
+    let
+      ssh-keys1 = map (splitString " ") config.system.root-authentication.ssh-keys;
+      ssh-keys2 = map (key: if length key < 3 then key ++ [ "foo@bar" ] else key) ssh-keys1;
+      ssh-keys = map (concatStringsSep " ") ssh-keys2;
+      edsca = map (key: "<ssh-edsca><name>${key}</name></ssh-edsca>") (
+        filter (hasPrefix "ssh-edsca ") ssh-keys
+      );
+      rsa = map (key: "<ssh-rsa><name>${key}</name></ssh-rsa>") (filter (hasPrefix "ssh-rsa ") ssh-keys);
+      ed25519 = map (key: "<ssh-ed25519><name>${key}</name></ssh-ed25519>") (
+        filter (hasPrefix "ssh-ed25519 ") ssh-keys
+      );
+    in
+    ''
+      <system>
+        <host-name operation="replace">${config.system.host-name}</host-name>
+        <root-authentication operation="replace">
+          <encrypted-password>${config.system.root-authentication.hashedPasswd}</encrypted-password>
+          ${concatStrings (edsca ++ rsa ++ ed25519)}
+        </root-authentication>
+        <services operation="replace">
+          <ssh><root-login>${config.system.services.ssh.root-login}</root-login></ssh>
+          <netconf>
+            <ssh><port>${toString config.system.services.netconf.port}</port></ssh>
+            <rfc-compliant/><yang-compliant/>
+          </netconf>
+        </services>
+      </system>
+    '';
+}

netconf-hive.nix

@@ -33,12 +33,29 @@ let
       vlans = [ "ap-staging" ];
     };
   };
+  default =
+    { name, ... }:
+    {
+      vlans = vlansPlan;
+      system = {
+        host-name = name;
+        services.ssh.root-login = "deny-password";
+        root-authentication = {
+          hashedPasswd = "$6$BKetIIfT$JVyE0B7F4O.fJwQFu5jVrVExAZROrEMLW5HkDkhjMShJ9cRIgxSm2VM9OThDowsnLmAewqDN7eAY.EQt4UR4U0";
+          ssh-keys = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
+          ];
+        };
+      };
+    };
 in
 {
   netcore02 = {
     deployment.targetHost = "netcore02.dgn";
-    imports = [ ./ex2300.nix ];
+    imports = [
-    vlans = vlansPlan;
+      ./ex2300.nix
+      default
+    ];
     dgn-interfaces = {
       # "ge-0/0/0" = AP-staging;
       # "ge-0/0/1" = AP-staging;
@@ -120,8 +137,10 @@ in
   netaccess01 = {
     deployment.targetHost = "netaccess01.dgn";
 
-    imports = [ ./ex2300.nix ];
+    imports = [
-    vlans = vlansPlan;
+      ./ex2300.nix
+      default
+    ];
 
     dgn-interfaces = {
       # "ge-0/0/0" = AP-staging;