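# Declares the `system` options (host name, root authentication, SSH and
# NETCONF services) and renders them into `config.netconf.xml.system`.
{ lib, config, ... }:
let
  inherit (lib)
    mkOption
    splitString
    length
    hasPrefix
    filter
    concatStringsSep
    any
    warn
    ;
  inherit (lib.types)
    str
    listOf
    enum
    port
    ;
in
{
  options = {
    system = {
      host-name = mkOption {
        type = str;
        description = "The hostname of the switch.";
      };

      root-authentication = {
        # NOTE(review): this is an ordinary string in the evaluated
        # configuration. If the rendered XML is ever written to the Nix store
        # the hash becomes world-readable there; confirm how netconf.xml is
        # consumed.
        hashedPasswd = mkOption {
          type = str;
          description = "Hashed password for root.";
        };
        # One public key per entry, in "<type> <base64> [comment]" form.
        ssh-keys = mkOption {
          type = listOf str;
          description = "ssh keys for root user.";
          default = [ ];
        };
      };

      services = {
        # No default: every configuration has to state its root login policy
        # explicitly.
        ssh.root-login = mkOption {
          type = enum [
            "allow"
            "deny"
            "deny-password"
          ];
          description = "Login policy to use for root.";
        };
        netconf.port = mkOption {
          type = port;
          description = "Port to use for netconf.";
          default = 830;
        };
      };
    };
  };

  config.netconf.xml.system =
    let
      # Split each key on single spaces; entries with fewer than three fields
      # get the placeholder comment "foo@bar" appended before being re-joined.
      # The key material itself is not validated here.
      keyFields = map (splitString " ") config.system.root-authentication.ssh-keys;
      paddedFields = map (
        fields: if length fields < 3 then fields ++ [ "foo@bar" ] else fields
      ) keyFields;
      ssh-keys = map (concatStringsSep " ") paddedFields;

      # Keys whose text starts with `prefix`, wrapped as `{ name = <key>; }`.
      keysWithPrefix = prefix: map (name: { inherit name; }) (filter (hasPrefix prefix) ssh-keys);

      # Key-type prefixes that are rendered into the XML below.
      supportedPrefixes = [
        "ecdsa-sha2-"
        "ssh-rsa "
        "ssh-ed25519 "
      ];
      unsupportedKeys = filter (
        key: !(any (prefix: hasPrefix prefix key) supportedPrefixes)
      ) ssh-keys;

      # root-authentication is written with operation "replace", so a key that
      # matches no supported type is absent from the resulting configuration.
      # Surface that at evaluation time instead of dropping it silently.
      warnOnUnsupportedKeys =
        value:
        if unsupportedKeys == [ ] then
          value
        else
          warn (
            "system.root-authentication.ssh-keys: ignoring "
            + toString (length unsupportedKeys)
            + " key(s) of unsupported type: "
            + concatStringsSep ", " (map (key: builtins.head (splitString " " key)) unsupportedKeys)
          ) value;

      # Fix: the original filtered on the prefix "ssh-edsca " and emitted an
      # element named `ssh-edsca`. ECDSA public keys start with
      # "ecdsa-sha2-nistp…", so no key ever matched and ECDSA keys were
      # dropped. The element is now `ssh-ecdsa`; verify the name against the
      # target device's root-authentication schema.
      ssh-ecdsa = keysWithPrefix "ecdsa-sha2-";
      ssh-rsa = keysWithPrefix "ssh-rsa ";
      ssh-ed25519 = keysWithPrefix "ssh-ed25519 ";
    in
    {
      host-name = {
        "@operation" = "replace";
        "#text" = config.system.host-name;
      };

      root-authentication = warnOnUnsupportedKeys {
        "@operation" = "replace";
        encrypted-password = config.system.root-authentication.hashedPasswd;
        inherit ssh-ecdsa ssh-rsa ssh-ed25519;
      };

      services = {
        "@operation" = "replace";
        ssh.root-login = config.system.services.ssh.root-login;
        netconf = {
          ssh.port = config.system.services.netconf.port;
          rfc-compliant = { };
          yang-compliant = { };
        };
      };
    };
}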