Loading nixos/modules/programs/ssh.nix +25 −25 Original line number Diff line number Diff line Loading 
@@ -339,37 +339,37 @@ in # SSH configuration. Slight duplication of the sshd_config # generation in the sshd service. environment.etc."ssh/ssh_config".text = '' environment.etc."ssh/ssh_config".text = lib.concatStringsSep "\n" ( # Custom options from `extraConfig`, to override generated options ${cfg.extraConfig} lib.optional (cfg.extraConfig != "") cfg.extraConfig ++ [ '' # Generated options from other settings Host * ${lib.optionalString cfg.systemd-ssh-proxy.enable '' '' ] ++ lib.optional cfg.systemd-ssh-proxy.enable '' # See systemd-ssh-proxy(1) Include ${config.systemd.package}/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf ''} GlobalKnownHostsFile ${builtins.concatStringsSep " " knownHostsFiles} ${lib.optionalString (!config.networking.enableIPv6) "AddressFamily inet"} ${lib.optionalString cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"} ${lib.optionalString (cfg.forwardX11 != null) "ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}" } ${lib.optionalString ( '' ++ [ "GlobalKnownHostsFile ${builtins.concatStringsSep " " knownHostsFiles}" ] ++ lib.optional (!config.networking.enableIPv6) "AddressFamily inet" ++ lib.optional cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth" ++ lib.optional (cfg.forwardX11 != null) "ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}" ++ lib.optional ( cfg.pubkeyAcceptedKeyTypes != [ ] ) "PubkeyAcceptedKeyTypes ${builtins.concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"} ${lib.optionalString ( ) "PubkeyAcceptedKeyTypes ${builtins.concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}" ++ lib.optional ( cfg.hostKeyAlgorithms != [ ] ) "HostKeyAlgorithms ${builtins.concatStringsSep "," cfg.hostKeyAlgorithms}"} ${lib.optionalString ( ) "HostKeyAlgorithms ${builtins.concatStringsSep "," cfg.hostKeyAlgorithms}" ++ lib.optional ( cfg.kexAlgorithms != null ) "KexAlgorithms ${builtins.concatStringsSep "," cfg.kexAlgorithms}"} ${lib.optionalString (cfg.ciphers != null) "Ciphers 
${builtins.concatStringsSep "," cfg.ciphers}"} ${lib.optionalString (cfg.macs != null) "MACs ${builtins.concatStringsSep "," cfg.macs}"} ''; ) "KexAlgorithms ${builtins.concatStringsSep "," cfg.kexAlgorithms}" ++ lib.optional (cfg.ciphers != null) "Ciphers ${builtins.concatStringsSep "," cfg.ciphers}" ++ lib.optional (cfg.macs != null) "MACs ${builtins.concatStringsSep "," cfg.macs}" ); environment.etc."ssh/ssh_known_hosts".text = knownHostsText; Loading nixos/modules/services/networking/ssh/sshd.nix +23 −32 Original line number Diff line number Diff line Loading @@ -21,7 +21,6 @@ let let # reports boolean as yes / no mkValueString = with lib; v: if lib.isInt v then toString v Loading Loading 
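Review bot: The list handed to `lib.concatStringsSep "\n"` mixes bare one-line entries with two multi-line `''` blocks (the `Host *` header and the systemd-ssh-proxy `Include`) that already end in a newline, so the joined ssh_config gains a stray blank line after each block and, unlike the old version, no longer ends with a trailing newline. ssh parses it fine either way, but one entry per line keeps output and code uniform (and `lib.concatLines` in place of `concatStringsSep "\n"` would restore the final newline); the `Include` must stay after `Host *` as it is here, since ssh applies the first value obtained for each keyword and everything following `Host *` is scoped to that section. Note also that this file still spells the xauth path as `${pkgs.xorg.xauth}/bin/xauth` while the sshd.nix hunk in the same commit switches to `lib.getExe pkgs.xorg.xauth`; presumably one form is intended for both. The enclosing module body continues outside the hunk.
```nix
  # Custom options from `extraConfig`, to override generated options
  lib.optional (cfg.extraConfig != "") cfg.extraConfig
  ++ [
    "# Generated options from other settings"
    "Host *"
  ]
  ++ lib.optionals cfg.systemd-ssh-proxy.enable [
    "# See systemd-ssh-proxy(1)"
    "Include ${config.systemd.package}/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf"
  ]
  # … unchanged: GlobalKnownHostsFile through MACs entries …
```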
@@ -825,37 +824,29 @@ in authPrincipalsFiles != { } ) "/etc/ssh/authorized_principals.d/%u"; services.openssh.extraConfig = lib.mkOrder 0 '' Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner} AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"} ${lib.concatMapStrings (port: '' Port ${toString port} '') cfg.ports} ${lib.concatMapStrings ( services.openssh.extraConfig = lib.mkOrder 0 ( lib.concatStringsSep "\n" ( [ "Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}" "AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}" ] ++ lib.map (port: ''Port ${toString port}'') cfg.ports ++ lib.map ( { port, addr, ... }: '' ListenAddress ${addr}${lib.optionalString (port != null) (":" + toString port)} '' ) cfg.listenAddresses} ${lib.optionalString cfgc.setXAuthLocation '' XAuthLocation ${pkgs.xorg.xauth}/bin/xauth ''} ${lib.optionalString cfg.allowSFTP '' Subsystem sftp ${cfg.sftpServerExecutable} ${lib.concatStringsSep " " cfg.sftpFlags} ''} AuthorizedKeysFile ${toString cfg.authorizedKeysFiles} ${lib.optionalString (cfg.authorizedKeysCommand != "none") '' ''ListenAddress ${addr}${lib.optionalString (port != null) (":" + toString port)}'' ) cfg.listenAddresses ++ lib.optional cfgc.setXAuthLocation "XAuthLocation ${lib.getExe pkgs.xorg.xauth}" ++ lib.optional cfg.allowSFTP ''Subsystem sftp ${cfg.sftpServerExecutable} ${lib.concatStringsSep " " cfg.sftpFlags}'' ++ [ "AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}" ] ++ lib.optional (cfg.authorizedKeysCommand != "none") '' AuthorizedKeysCommand ${cfg.authorizedKeysCommand} AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser} ''} ${lib.flip lib.concatMapStrings cfg.hostKeys (k: '' HostKey ${k.path} '')} ''; '' ++ lib.map (k: "HostKey ${k.path}") cfg.hostKeys ) ); system.checks = [ (pkgs.runCommand "check-sshd-config" Loading Loading
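Review bot: Quoting in the new list is inconsistent: the `Port`, `ListenAddress` and `Subsystem` entries use single-line `''…''` strings while their siblings use `"…"`, and the `AuthorizedKeysCommand` entry is still a multi-line `''` block ending in a newline, so the joined text carries a blank line before the `HostKey` entries. None of these strings contains a newline, so plain `"…"` works everywhere and the two AuthorizedKeysCommand lines can become two list entries under `lib.optionals`. The value no longer ends with a newline; that is harmless if `services.openssh.extraConfig` is a `lines`-typed option merged with a newline separator, which this hunk does not show — worth confirming, as the result is what the `check-sshd-config` step visible in context validates. `XAuthLocation` now goes through `lib.getExe` here but not in the ssh.nix hunk of the same commit. The enclosing module body continues outside the hunk.
```nix
    ++ lib.map (port: "Port ${toString port}") cfg.ports
    ++ lib.map (
      { port, addr, ... }:
      "ListenAddress ${addr}${lib.optionalString (port != null) (":" + toString port)}"
    ) cfg.listenAddresses
    # … unchanged: XAuthLocation entry …
    ++ lib.optional cfg.allowSFTP "Subsystem sftp ${cfg.sftpServerExecutable} ${lib.concatStringsSep " " cfg.sftpFlags}"
    # … unchanged: AuthorizedKeysFile entry …
    ++ lib.optionals (cfg.authorizedKeysCommand != "none") [
      "AuthorizedKeysCommand ${cfg.authorizedKeysCommand}"
      "AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}"
    ]
    # … unchanged: HostKey entries …
```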
nixos/modules/programs/ssh.nix +25 −25 Original line number Diff line number Diff line Loading 
@@ -339,37 +339,37 @@ in # SSH configuration. Slight duplication of the sshd_config # generation in the sshd service. environment.etc."ssh/ssh_config".text = '' environment.etc."ssh/ssh_config".text = lib.concatStringsSep "\n" ( # Custom options from `extraConfig`, to override generated options ${cfg.extraConfig} lib.optional (cfg.extraConfig != "") cfg.extraConfig ++ [ '' # Generated options from other settings Host * ${lib.optionalString cfg.systemd-ssh-proxy.enable '' '' ] ++ lib.optional cfg.systemd-ssh-proxy.enable '' # See systemd-ssh-proxy(1) Include ${config.systemd.package}/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf ''} GlobalKnownHostsFile ${builtins.concatStringsSep " " knownHostsFiles} ${lib.optionalString (!config.networking.enableIPv6) "AddressFamily inet"} ${lib.optionalString cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"} ${lib.optionalString (cfg.forwardX11 != null) "ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}" } ${lib.optionalString ( '' ++ [ "GlobalKnownHostsFile ${builtins.concatStringsSep " " knownHostsFiles}" ] ++ lib.optional (!config.networking.enableIPv6) "AddressFamily inet" ++ lib.optional cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth" ++ lib.optional (cfg.forwardX11 != null) "ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}" ++ lib.optional ( cfg.pubkeyAcceptedKeyTypes != [ ] ) "PubkeyAcceptedKeyTypes ${builtins.concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"} ${lib.optionalString ( ) "PubkeyAcceptedKeyTypes ${builtins.concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}" ++ lib.optional ( cfg.hostKeyAlgorithms != [ ] ) "HostKeyAlgorithms ${builtins.concatStringsSep "," cfg.hostKeyAlgorithms}"} ${lib.optionalString ( ) "HostKeyAlgorithms ${builtins.concatStringsSep "," cfg.hostKeyAlgorithms}" ++ lib.optional ( cfg.kexAlgorithms != null ) "KexAlgorithms ${builtins.concatStringsSep "," cfg.kexAlgorithms}"} ${lib.optionalString (cfg.ciphers != null) "Ciphers 
${builtins.concatStringsSep "," cfg.ciphers}"} ${lib.optionalString (cfg.macs != null) "MACs ${builtins.concatStringsSep "," cfg.macs}"} ''; ) "KexAlgorithms ${builtins.concatStringsSep "," cfg.kexAlgorithms}" ++ lib.optional (cfg.ciphers != null) "Ciphers ${builtins.concatStringsSep "," cfg.ciphers}" ++ lib.optional (cfg.macs != null) "MACs ${builtins.concatStringsSep "," cfg.macs}" ); environment.etc."ssh/ssh_known_hosts".text = knownHostsText; Loading
nixos/modules/services/networking/ssh/sshd.nix +23 −32 Original line number Diff line number Diff line Loading @@ -21,7 +21,6 @@ let let # reports boolean as yes / no mkValueString = with lib; v: if lib.isInt v then toString v Loading Loading 
@@ -825,37 +824,29 @@ in authPrincipalsFiles != { } ) "/etc/ssh/authorized_principals.d/%u"; services.openssh.extraConfig = lib.mkOrder 0 '' Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner} AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"} ${lib.concatMapStrings (port: '' Port ${toString port} '') cfg.ports} ${lib.concatMapStrings ( services.openssh.extraConfig = lib.mkOrder 0 ( lib.concatStringsSep "\n" ( [ "Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}" "AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}" ] ++ lib.map (port: ''Port ${toString port}'') cfg.ports ++ lib.map ( { port, addr, ... }: '' ListenAddress ${addr}${lib.optionalString (port != null) (":" + toString port)} '' ) cfg.listenAddresses} ${lib.optionalString cfgc.setXAuthLocation '' XAuthLocation ${pkgs.xorg.xauth}/bin/xauth ''} ${lib.optionalString cfg.allowSFTP '' Subsystem sftp ${cfg.sftpServerExecutable} ${lib.concatStringsSep " " cfg.sftpFlags} ''} AuthorizedKeysFile ${toString cfg.authorizedKeysFiles} ${lib.optionalString (cfg.authorizedKeysCommand != "none") '' ''ListenAddress ${addr}${lib.optionalString (port != null) (":" + toString port)}'' ) cfg.listenAddresses ++ lib.optional cfgc.setXAuthLocation "XAuthLocation ${lib.getExe pkgs.xorg.xauth}" ++ lib.optional cfg.allowSFTP ''Subsystem sftp ${cfg.sftpServerExecutable} ${lib.concatStringsSep " " cfg.sftpFlags}'' ++ [ "AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}" ] ++ lib.optional (cfg.authorizedKeysCommand != "none") '' AuthorizedKeysCommand ${cfg.authorizedKeysCommand} AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser} ''} ${lib.flip lib.concatMapStrings cfg.hostKeys (k: '' HostKey ${k.path} '')} ''; '' ++ lib.map (k: "HostKey ${k.path}") cfg.hostKeys ) ); system.checks = [ (pkgs.runCommand "check-sshd-config" Loading