ssh: add extraConfig

LnL7 · Jan 30, 2024 · eb70090 · eb70090
1 parent 91b9daf
commit eb70090
Showing 1 changed file with 45 additions and 18 deletions.
diff --git a/modules/programs/ssh/default.nix b/modules/programs/ssh/default.nix
@@ -119,24 +119,44 @@ in
       '';
     };
 
-    programs.ssh.knownHosts = mkOption {
-      default = {};
-      type = types.attrsOf (types.submodule host);
-      description = lib.mdDoc ''
-        The set of system-wide known SSH hosts.
-      '';
-      example = literalExpression ''
-        [
-          {
-            hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ];
-            publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
-          }
-          {
-            hostNames = [ "myhost2" ];
-            publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
-          }
-        ]
-      '';
+    programs.ssh = {
+      knownHosts = mkOption {
+        default = {};
+        type = types.attrsOf (types.submodule host);
+        description = lib.mdDoc ''
+          The set of system-wide known SSH hosts.
+        '';
+        example = literalExpression ''
+          [
+            {
+              hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ];
+              publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
+            }
+            {
+              hostNames = [ "myhost2" ];
+              publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
+            }
+          ]
+        '';
+      };
+
+      pubkeyAcceptedKeyTypes = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        example = [ "ssh-ed25519" "ssh-rsa" ];
+        description = lib.mdDoc ''
+          Specifies the key types that will be used for public key authentication.
+        '';
+      };
+
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        description = lib.mdDoc ''
+          Extra configuration text written to `/etc/ssh/ssh_config.d/10-extra-nix.conf`.
+          See {manpage}`ssh_config(5)` for help.
+        '';
+      };
     };
   };
 
@@ -163,6 +183,13 @@ in
           # Allows us to automatically migrate from using a file to a symlink
           knownSha256Hashes = [ oldAuthorizedKeysHash ];
         };
+        "ssh/sshd_config.d/10-extra-nix.conf" = {
+          text = ''
+            ${optionalString (cfg.pubkeyAcceptedKeyTypes != []) "PubkeyAcceptedKeyTypes ${concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"}
+
+            ${config.programs.ssh.extraConfig}
+          '';
+        };
       };
 
     # Clean up .before-nix-darwin file left over from using knownSha256Hashes