

ssh: add extraOptions and other nixpkgs ssh module options
kloenk committed Jul 21, 2024
1 parent 33bf7df commit 672f3af
Showing 1 changed file with 106 additions and 1 deletion.
107 changes: 106 additions & 1 deletion modules/programs/ssh/default.nix
Expand Up @@ -106,7 +106,7 @@ in
type = with types; attrsOf (submodule userOptions);
};

programs.ssh.knownHosts = mkOption {
/*programs.ssh.knownHosts = mkOption {
default = {};
type = types.attrsOf (types.submodule host);
description = ''
Expand All @@ -124,6 +124,99 @@ in
}
]
'';
};*/
/*services.openssh.authorizedKeysFiles = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Specify the rules for which files to read on the host.
This is an advanced option. If you're looking to configure user
keys, you can generally use [](#opt-users.users._name_.openssh.authorizedKeys.keys)
or [](#opt-users.users._name_.openssh.authorizedKeys.keyFiles).
These are paths relative to the host root file system or home
directories and they are subject to certain token expansion rules.
See AuthorizedKeysFile in man sshd_config for details.
'';
};*/

programs.ssh = {
knownHosts = mkOption {
default = {};
type = types.attrsOf (types.submodule host);
description = lib.mdDoc ''
The set of system-wide known SSH hosts.
'';
example = literalExpression ''
[
{
hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ];
publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
}
{
hostNames = [ "myhost2" ];
publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
}
]
'';
};

pubkeyAcceptedKeyTypes = mkOption {
type = types.listOf types.str;
default = [];
example = [ "ssh-ed25519" "ssh-rsa" ];
description = lib.mdDoc ''
Specifies the key types that will be used for public key authentication.
'';
};

hostKeyAlgorithms = mkOption {
type = types.listOf types.str;
default = [];
example = [ "ssh-ed25519" "ssh-rsa" ];
description = lib.mdDoc ''
Specifies the host key algorithms that the client wants to use in order of preference.
'';
};


extraConfig = mkOption {
type = types.lines;
default = "";
description = lib.mdDoc ''
Extra configuration text written to `/etc/ssh/ssh_config.d/10-extra-nix.conf`.
See {manpage}`ssh_config(5)` for help.
'';
};

kexAlgorithms = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
example = [ "[email protected]" "diffie-hellman-group-exchange-sha256" ];
description = lib.mdDoc ''
Specifies the available KEX (Key Exchange) algorithms.
'';
};

ciphers = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
example = [ "[email protected]" "[email protected]" ];
description = lib.mdDoc ''
Specifies the ciphers allowed and their order of preference.
'';
};

macs = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
example = [ "[email protected]" "hmac-sha1" ];
description = lib.mdDoc ''
Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used
for data integrity protection.
'';
};
};
};

Expand Down Expand Up @@ -154,6 +247,18 @@ in
# Allows us to automatically migrate from using a file to a symlink
knownSha256Hashes = [ oldAuthorizedKeysHash ];
};
"ssh/sshd_config.d/10-extra-nix.conf" = {
text = ''
${optionalString (cfg.pubkeyAcceptedKeyTypes != []) "PubkeyAcceptedKeyTypes ${concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"}
${config.programs.ssh.extraConfig}
${optionalString (cfg.hostKeyAlgorithms != []) "HostKeyAlgorithms ${concatStringsSep "," cfg.hostKeyAlgorithms}"}
${optionalString (cfg.kexAlgorithms != null) "KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms}"}
${optionalString (cfg.ciphers != null) "Ciphers ${concatStringsSep "," cfg.ciphers}"}
${optionalString (cfg.macs != null) "MACs ${concatStringsSep "," cfg.macs}"}
'';
};
};

system.activationScripts.etc.text = ''
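Review bot: The drop-in written at `"ssh/sshd_config.d/10-extra-nix.conf"` goes into the server's directory, but every directive in it comes from `programs.ssh` options documented against `ssh_config(5)`, and `extraConfig`'s description says the file is `/etc/ssh/ssh_config.d/10-extra-nix.conf`. As a result the client never receives the KEX/cipher/MAC/host-key restrictions an operator sets here, while sshd — if its config includes that directory — would apply them with server-side meaning and would refuse to start on any client-only keyword (e.g. a `Host` block) placed in `extraConfig`. The key should read `"ssh/ssh_config.d/10-extra-nix.conf" = {`, and the option descriptions should state that the file is only honoured when the system `ssh_config` includes `ssh_config.d/*`. Separately, `${config.programs.ssh.extraConfig}` is spliced between `PubkeyAcceptedKeyTypes` and `HostKeyAlgorithms`; ssh takes the first value it reads for each keyword, so `extraConfig` currently overrides the four typed options below it but not the one above — moving it to the end of the file gives the typed options a consistent precedence. The enclosing `environment.etc` attribute set begins before this hunk.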
