feat(config): Add CapabilitySshServerV1 to app config

theduke · theduke · commit 32172c32df95 · 2025-08-07T15:03:40.000+02:00
Allows configuration of the SSH server behaviour for an app.
diff --git a/lib/config/src/app/mod.rs b/lib/config/src/app/mod.rs
@@ -5,8 +5,9 @@ mod http;
 mod job;
 mod pretty_duration;
 mod snapshot_trigger;
+mod ssh;
 
-pub use self::{healthcheck::*, http::*, job::*, pretty_duration::*, snapshot_trigger::*};
+pub use self::{healthcheck::*, http::*, job::*, pretty_duration::*, snapshot_trigger::*, ssh::*};
 
 use anyhow::{bail, Context};
 use bytesize::ByteSize;
@@ -206,6 +207,8 @@ pub struct AppConfigCapabilityMapV1 {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub instaboot: Option<AppConfigCapabilityInstaBootV1>,
 
+    pub ssh: Option<CapabilitySshServerV1>,
+
     /// Additional unknown capabilities.
     ///
     /// This provides a small bit of forwards compatibility for newly added
diff --git a/lib/config/src/app/ssh.rs b/lib/config/src/app/ssh.rs
@@ -0,0 +1,47 @@
+use indexmap::IndexMap;
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize};
+
+/// Configure SSH server credentials and settings.
+#[derive(Serialize, Deserialize, JsonSchema, Clone, Debug, PartialEq, Eq)]
+pub struct CapabilitySshServerV1 {
+    /// Enable an SSH server.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub enabled: Option<bool>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub users: Option<Vec<SshUserV1>>,
+
+    /// Additional unknown fields.
+    /// This provides a small bit of forwards compatibility.
+    #[serde(flatten)]
+    pub other: IndexMap<String, serde_json::Value>,
+}
+
+#[derive(Serialize, Deserialize, JsonSchema, PartialEq, Eq, Clone, Debug)]
+pub struct SshUserV1 {
+    /// The username used for SSH login.
+    pub username: String,
+
+    /// Passwords for this user.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub passwords: Option<Vec<PasswordV1>>,
+
+    /// SSH public keys for this user.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub authorized_keys: Option<Vec<String>>,
+
+    /// Additional unknown fields.
+    /// This provides a small bit of forwards compatibility.
+    #[serde(flatten)]
+    pub other: IndexMap<String, serde_json::Value>,
+}
+
+#[derive(Serialize, Deserialize, JsonSchema, PartialEq, Eq, Clone, Debug)]
+#[serde(rename_all = "snake_case", tag = "type")]
+pub enum PasswordV1 {
+    /// Plain text password.
+    Plain { password: String },
+    /// Bcrypt password hash.
+    Bcrypt { hash: String },
+}
