ssh: block sleep while conntections acive

2026-05-03 17:11:13 +02:00 · 2026-05-03 17:11:13 +02:00 · a2494f5213
commit a2494f5213
parent d75e91b7bc
1 changed files with 37 additions and 1 deletions
--- a/nixosModules/openssh.nix
+++ b/nixosModules/openssh.nix
@ -1,4 +1,10 @@
-{ lib, config, ... }:
+{
+  lib,
+  config,
+  pkgs,
+  thisDevice,
+  ...
+}:
 {
  options.my.openssh.enable = lib.mkEnableOption "OpenSSH server";

@ -12,5 +18,35 @@
        KbdInteractiveAuthentication = false;
      };
    };
+
+    # On desktops, hold a systemd sleep inhibitor while SSH connections are active
+    security.pam.services.sshd.rules.session.ssh-inhibit = lib.mkIf (thisDevice.isDesktop or false) {
+      order = 10000;
+      control = "optional";
+      modulePath = "${pkgs.pam}/lib/security/pam_exec.so";
+      args = [
+        "quiet"
+        "${pkgs.writeShellScript "ssh-inhibit-pam" ''
+          PIDFILE="/run/ssh-inhibitor-''${PPID}.pid"
+          case "''${PAM_TYPE:-}" in
+            open)
+              ${pkgs.systemd}/bin/systemd-inhibit \
+                --what=sleep \
+                --who=sshd \
+                --why="SSH session active" \
+                --mode=block \
+                sleep infinity &
+              echo $! > "$PIDFILE"
+              ;;
+            close)
+              if [ -f "$PIDFILE" ]; then
+                kill "$(cat "$PIDFILE")" 2>/dev/null || true
+                rm -f "$PIDFILE"
+              fi
+              ;;
+          esac
+        ''}"
+      ];
+    };
  };
 }