diff --git a/modules/programs/ssh/default.nix b/modules/programs/ssh/default.nix
index 6f72369a..220611e3 100644
--- a/modules/programs/ssh/default.nix
+++ b/modules/programs/ssh/default.nix
@@ -106,7 +106,7 @@ in
 type = with types; attrsOf (submodule userOptions);
 };
- programs.ssh.knownHosts = mkOption {
+ /*programs.ssh.knownHosts = mkOption {
 default = {};
 type = types.attrsOf (types.submodule host);
 description = ''
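Review bot: The old `programs.ssh.knownHosts` declaration is kept as a `/* ... */` comment instead of being deleted, and hunk 2 does the same with a copied `services.openssh.authorizedKeysFiles` block that this module never defines; both should simply be removed, since the replacement `programs.ssh = { knownHosts = ...; }` in hunk 2 keeps the same attribute path and the old text is in history. A commented-out option declaration also hides from a reader that `knownHosts` is unchanged for existing users, which is the one thing worth stating in the commit. The enclosing `options` attribute set starts outside the hunk.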
@@ -124,6 +124,99 @@ in
 }
 ]
 '';
+ };*/
+ /*services.openssh.authorizedKeysFiles = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = ''
+ Specify the rules for which files to read on the host.
+
+ This is an advanced option. If you're looking to configure user
+ keys, you can generally use [](#opt-users.users._name_.openssh.authorizedKeys.keys)
+ or [](#opt-users.users._name_.openssh.authorizedKeys.keyFiles).
+
+ These are paths relative to the host root file system or home
+ directories and they are subject to certain token expansion rules.
+ See AuthorizedKeysFile in man sshd_config for details.
+ '';
+ };*/
+
+ programs.ssh = {
+ knownHosts = mkOption {
+ default = {};
+ type = types.attrsOf (types.submodule host);
+ description = lib.mdDoc ''
+ The set of system-wide known SSH hosts.
+ '';
+ example = literalExpression ''
+ [
+ {
+ hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ];
+ publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
+ }
+ {
+ hostNames = [ "myhost2" ];
+ publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
+ }
+ ]
+ '';
+ };
+
+ pubkeyAcceptedKeyTypes = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [ "ssh-ed25519" "ssh-rsa" ];
+ description = lib.mdDoc ''
+ Specifies the key types that will be used for public key authentication.
+ '';
+ };
+
+ hostKeyAlgorithms = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [ "ssh-ed25519" "ssh-rsa" ];
+ description = lib.mdDoc ''
+ Specifies the host key algorithms that the client wants to use in order of preference.
+ '';
+ };
+
+
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description = lib.mdDoc ''
+ Extra configuration text written to `/etc/ssh/ssh_config.d/10-extra-nix.conf`.
+ See {manpage}`ssh_config(5)` for help.
+ '';
+ };
+
+ kexAlgorithms = mkOption {
+ type = types.nullOr (types.listOf types.str);
+ default = null;
+ example = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
+ description = lib.mdDoc ''
+ Specifies the available KEX (Key Exchange) algorithms.
+ '';
+ };
+
+ ciphers = mkOption {
+ type = types.nullOr (types.listOf types.str);
+ default = null;
+ example = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" ];
+ description = lib.mdDoc ''
+ Specifies the ciphers allowed and their order of preference.
+ '';
+ };
+
+ macs = mkOption {
+ type = types.nullOr (types.listOf types.str);
+ default = null;
+ example = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha1" ];
+ description = lib.mdDoc ''
+ Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used
+ for data integrity protection.
+ '';
+ };
 };
 };
@@ -154,6 +247,18 @@ in
 # Allows us to automatically migrate from using a file to a symlink
 knownSha256Hashes = [ oldAuthorizedKeysHash ];
 };
+ "ssh/sshd_config.d/10-extra-nix.conf" = {
+ text = ''
+ ${optionalString (cfg.pubkeyAcceptedKeyTypes != []) "PubkeyAcceptedKeyTypes ${concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"}
+
+ ${config.programs.ssh.extraConfig}
+
+ ${optionalString (cfg.hostKeyAlgorithms != []) "HostKeyAlgorithms ${concatStringsSep "," cfg.hostKeyAlgorithms}"}
+ ${optionalString (cfg.kexAlgorithms != null) "KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms}"}
+ ${optionalString (cfg.ciphers != null) "Ciphers ${concatStringsSep "," cfg.ciphers}"}
+ ${optionalString (cfg.macs != null) "MACs ${concatStringsSep "," cfg.macs}"}
+ '';
+ };
 };
 system.activationScripts.etc.text = ''
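Review bot: The five new algorithm options disagree on how "unset" is expressed: `pubkeyAcceptedKeyTypes` and `hostKeyAlgorithms` default to `[]` and are tested with `!= []` in hunk 3, while `kexAlgorithms`, `ciphers` and `macs` are `types.nullOr (types.listOf types.str)` defaulting to `null` and tested with `!= null`, so a user who writes `kexAlgorithms = [];` gets a `KexAlgorithms ` keyword with no value in the generated file, which OpenSSH rejects as a configuration error. Pick one representation for all five, e.g. `type = types.nullOr (types.listOf types.str); default = null;` everywhere, and treat both `null` and `[]` as "emit nothing". The examples also advertise exactly the algorithms these options exist to prune — `"ssh-rsa"` (SHA-1 signatures) in `pubkeyAcceptedKeyTypes` and `hostKeyAlgorithms`, `"hmac-sha1"` in `macs`, and the inherited `myhost_ssh_host_dsa_key.pub` in the `knownHosts` example — so an operator copying an example weakens rather than hardens the host; show only current algorithms, e.g. `example = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" ];`. Each description should also say which file the keyword is written to, since `PubkeyAcceptedKeyTypes` is the deprecated spelling of `PubkeyAcceptedAlgorithms` and only `extraConfig` and `hostKeyAlgorithms` hint that the client configuration is meant. The enclosing `options` set closes inside this hunk but opens outside it.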
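Review bot: The generated file is written to `ssh/sshd_config.d/10-extra-nix.conf`, the daemon's drop-in directory, while the `extraConfig` description in hunk 2 promises `/etc/ssh/ssh_config.d/10-extra-nix.conf` and points at `ssh_config(5)`, and `hostKeyAlgorithms` is described from the client's point of view; one of the two is wrong, and if the client is intended the line should read `"ssh/ssh_config.d/10-extra-nix.conf" = {`. This is worth getting right before merge because a cipher/MAC/KEX restriction dropped into a directory the intended program never includes silently leaves the default algorithm set active, so whichever path is chosen should be checked by confirming the keywords appear in `ssh -G <host>` or `sshd -T` output. Both `ssh_config(5)` and `sshd_config(5)` use the first value obtained for a keyword, so interpolating `${config.programs.ssh.extraConfig}` before `HostKeyAlgorithms`, `KexAlgorithms`, `Ciphers` and `MACs` lets a stray `Ciphers` line in `extraConfig` override `programs.ssh.ciphers` without any warning; move the `extraConfig` interpolation to the end of the `text` string, after the `MACs` line, and state that precedence in its description. The same line also spells the option as `config.programs.ssh.extraConfig` while its siblings use `cfg.`, which from `cfg.pubkeyAcceptedKeyTypes` appears to be the same attribute set; `${cfg.extraConfig}` would be consistent. The attribute set this entry is added to (presumably `environment.etc`) starts outside the hunk.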