
ssh: add extraOptions and other nixpkgs ssh module options

This commit is contained in:
Finn Behrens 2023-11-07 17:10:35 +01:00 committed by Finn Behrens
parent 33bf7df5bb
commit 672f3afa81


@ -106,7 +106,7 @@ in
type = with types; attrsOf (submodule userOptions);
};
programs.ssh.knownHosts = mkOption {
/*programs.ssh.knownHosts = mkOption {
default = {};
type = types.attrsOf (types.submodule host);
description = ''
@ -124,6 +124,99 @@ in
}
]
'';
};*/
/*services.openssh.authorizedKeysFiles = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Specify the rules for which files to read on the host.
This is an advanced option. If you're looking to configure user
keys, you can generally use [](#opt-users.users._name_.openssh.authorizedKeys.keys)
or [](#opt-users.users._name_.openssh.authorizedKeys.keyFiles).
These are paths relative to the host root file system or home
directories and they are subject to certain token expansion rules.
See AuthorizedKeysFile in man sshd_config for details.
'';
};*/
programs.ssh = {
knownHosts = mkOption {
default = {};
type = types.attrsOf (types.submodule host);
description = lib.mdDoc ''
The set of system-wide known SSH hosts.
'';
example = literalExpression ''
[
{
hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ];
publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
}
{
hostNames = [ "myhost2" ];
publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
}
]
'';
};
pubkeyAcceptedKeyTypes = mkOption {
type = types.listOf types.str;
default = [];
example = [ "ssh-ed25519" "ssh-rsa" ];
description = lib.mdDoc ''
Specifies the key types that will be used for public key authentication.
'';
};
hostKeyAlgorithms = mkOption {
type = types.listOf types.str;
default = [];
example = [ "ssh-ed25519" "ssh-rsa" ];
description = lib.mdDoc ''
Specifies the host key algorithms that the client wants to use in order of preference.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = lib.mdDoc ''
Extra configuration text written to `/etc/ssh/ssh_config.d/10-extra-nix.conf`.
See {manpage}`ssh_config(5)` for help.
'';
};
kexAlgorithms = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
example = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
description = lib.mdDoc ''
Specifies the available KEX (Key Exchange) algorithms.
'';
};
ciphers = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
example = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" ];
description = lib.mdDoc ''
Specifies the ciphers allowed and their order of preference.
'';
};
macs = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
example = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha1" ];
description = lib.mdDoc ''
Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used
for data integrity protection.
'';
};
};
};
@ -154,6 +247,18 @@ in
# Allows us to automatically migrate from using a file to a symlink
knownSha256Hashes = [ oldAuthorizedKeysHash ];
};
"ssh/sshd_config.d/10-extra-nix.conf" = {
text = ''
${optionalString (cfg.pubkeyAcceptedKeyTypes != []) "PubkeyAcceptedKeyTypes ${concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"}
${config.programs.ssh.extraConfig}
${optionalString (cfg.hostKeyAlgorithms != []) "HostKeyAlgorithms ${concatStringsSep "," cfg.hostKeyAlgorithms}"}
${optionalString (cfg.kexAlgorithms != null) "KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms}"}
${optionalString (cfg.ciphers != null) "Ciphers ${concatStringsSep "," cfg.ciphers}"}
${optionalString (cfg.macs != null) "MACs ${concatStringsSep "," cfg.macs}"}
'';
};
};
system.activationScripts.etc.text = ''
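Review bot: The client-side settings in the last hunk are written to `ssh/sshd_config.d/10-extra-nix.conf`, the sshd include directory, while the `extraConfig` description in the second hunk promises `/etc/ssh/ssh_config.d/10-extra-nix.conf`; the attribute name should be `"ssh/ssh_config.d/10-extra-nix.conf" = {`. As written none of these options reach the ssh client, and on a macOS host whose `sshd_config` includes `sshd_config.d/*` they are parsed by sshd instead, where `HostKeyAlgorithms`, `KexAlgorithms`, `Ciphers` and `MACs` carry server-side meaning and any client-only keyword in `extraConfig` would presumably make sshd reject its configuration. The `extraConfig` text is also spliced between `PubkeyAcceptedKeyTypes` and `HostKeyAlgorithms`, and since ssh_config keeps the first value it sees, user text can silently override the typed options below it but not the one above; emitting `${cfg.extraConfig}` as the last line gives one predictable precedence rule. That line reads `config.programs.ssh.extraConfig` while its neighbours use `cfg`, which is the same value only if `cfg` is bound to `config.programs.ssh` somewhere above this hunk. The enclosing attribute set (apparently `environment.etc`) starts before the hunk and its end is not visible here.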