Unverified Commit 7ebfdde6 authored by Matthieu C.'s avatar Matthieu C. Committed by r-vdp

nixos/ssh: fewer empty lines in generated ssh and sshd config files



Co-authored-by: default avatarr-vdp <ramses@well-founded.dev>
Co-authored-by: default avatarMarie <tabmeier12@gmail.com>
parent 5aba864e
+25 −25
@@ -339,37 +339,37 @@ in

    # SSH configuration. Slight duplication of the sshd_config
    # generation in the sshd service.
    environment.etc."ssh/ssh_config".text = ''
    environment.etc."ssh/ssh_config".text = lib.concatStringsSep "\n" (
      # Custom options from `extraConfig`, to override generated options
      ${cfg.extraConfig}

      lib.optional (cfg.extraConfig != "") cfg.extraConfig
      ++ [
        ''
          # Generated options from other settings
          Host *
      ${lib.optionalString cfg.systemd-ssh-proxy.enable ''
        ''
      ]
      ++ lib.optional cfg.systemd-ssh-proxy.enable ''
        # See systemd-ssh-proxy(1)
        Include ${config.systemd.package}/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf
      ''}

      GlobalKnownHostsFile ${builtins.concatStringsSep " " knownHostsFiles}

      ${lib.optionalString (!config.networking.enableIPv6) "AddressFamily inet"}
      ${lib.optionalString cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"}
      ${lib.optionalString (cfg.forwardX11 != null)
        "ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}"
      }

      ${lib.optionalString (
      ''
      ++ [
        "GlobalKnownHostsFile ${builtins.concatStringsSep " " knownHostsFiles}"
      ]
      ++ lib.optional (!config.networking.enableIPv6) "AddressFamily inet"
      ++ lib.optional cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"
      ++ lib.optional (cfg.forwardX11 != null) "ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}"
      ++ lib.optional (
        cfg.pubkeyAcceptedKeyTypes != [ ]
      ) "PubkeyAcceptedKeyTypes ${builtins.concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"}
      ${lib.optionalString (
      ) "PubkeyAcceptedKeyTypes ${builtins.concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"
      ++ lib.optional (
        cfg.hostKeyAlgorithms != [ ]
      ) "HostKeyAlgorithms ${builtins.concatStringsSep "," cfg.hostKeyAlgorithms}"}
      ${lib.optionalString (
      ) "HostKeyAlgorithms ${builtins.concatStringsSep "," cfg.hostKeyAlgorithms}"
      ++ lib.optional (
        cfg.kexAlgorithms != null
      ) "KexAlgorithms ${builtins.concatStringsSep "," cfg.kexAlgorithms}"}
      ${lib.optionalString (cfg.ciphers != null) "Ciphers ${builtins.concatStringsSep "," cfg.ciphers}"}
      ${lib.optionalString (cfg.macs != null) "MACs ${builtins.concatStringsSep "," cfg.macs}"}
    '';
      ) "KexAlgorithms ${builtins.concatStringsSep "," cfg.kexAlgorithms}"
      ++ lib.optional (cfg.ciphers != null) "Ciphers ${builtins.concatStringsSep "," cfg.ciphers}"
      ++ lib.optional (cfg.macs != null) "MACs ${builtins.concatStringsSep "," cfg.macs}"
    );

    environment.etc."ssh/ssh_known_hosts".text = knownHostsText;
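Review bot: The two indented-string elements on the new side, the `''… # Generated options from other settings / Host * ''` block and the systemd-ssh-proxy `Include` block, still end with a newline of their own, so after `lib.concatStringsSep "\n"` each is followed by an empty line, which is exactly what the commit title says it removes. Splitting them into plain one-line strings, e.g. `"# Generated options from other settings"` and `"Host *"` as two list elements (and likewise `"# See systemd-ssh-proxy(1)"` plus the `Include …` line), would make the output uniform. The first-match-wins ordering of ssh_config is preserved: `cfg.extraConfig` still precedes `Host *`, so user overrides keep taking effect over the generated `Ciphers`, `MACs`, `KexAlgorithms` and `HostKeyAlgorithms` lines. The generated file now also lacks a trailing newline because the last list element carries none; ssh appears to accept that, but it is worth a glance if anything else appends to or diffs the file.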

+23 −32
@@ -21,7 +21,6 @@ let
    let
      # reports boolean as yes / no
      mkValueString =
        with lib;
        v:
        if lib.isInt v then
          toString v
@@ -825,37 +824,29 @@ in
      authPrincipalsFiles != { }
    ) "/etc/ssh/authorized_principals.d/%u";

    services.openssh.extraConfig = lib.mkOrder 0 ''
      Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}

      AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
      ${lib.concatMapStrings (port: ''
        Port ${toString port}
      '') cfg.ports}

      ${lib.concatMapStrings (
    services.openssh.extraConfig = lib.mkOrder 0 (
      lib.concatStringsSep "\n" (
        [
          "Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}"
          "AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}"
        ]
        ++ lib.map (port: ''Port ${toString port}'') cfg.ports
        ++ lib.map (
          { port, addr, ... }:
        ''
          ListenAddress ${addr}${lib.optionalString (port != null) (":" + toString port)}
        ''
      ) cfg.listenAddresses}

      ${lib.optionalString cfgc.setXAuthLocation ''
        XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
      ''}
      ${lib.optionalString cfg.allowSFTP ''
        Subsystem sftp ${cfg.sftpServerExecutable} ${lib.concatStringsSep " " cfg.sftpFlags}
      ''}
      AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
      ${lib.optionalString (cfg.authorizedKeysCommand != "none") ''
          ''ListenAddress ${addr}${lib.optionalString (port != null) (":" + toString port)}''
        ) cfg.listenAddresses
        ++ lib.optional cfgc.setXAuthLocation "XAuthLocation ${lib.getExe pkgs.xorg.xauth}"
        ++ lib.optional cfg.allowSFTP ''Subsystem sftp ${cfg.sftpServerExecutable} ${lib.concatStringsSep " " cfg.sftpFlags}''
        ++ [
          "AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}"
        ]
        ++ lib.optional (cfg.authorizedKeysCommand != "none") ''
          AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
          AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}
      ''}

      ${lib.flip lib.concatMapStrings cfg.hostKeys (k: ''
        HostKey ${k.path}
      '')}
    '';
        ''
        ++ lib.map (k: "HostKey ${k.path}") cfg.hostKeys
      )
    );

    system.checks = [
      (pkgs.runCommand "check-sshd-config"
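Review bot: `XAuthLocation` on the new side switches from `${pkgs.xorg.xauth}/bin/xauth` to `lib.getExe pkgs.xorg.xauth`, while the ssh_config change in this same commit keeps the explicit `/bin/xauth` path; this is a behavioural change unrelated to the empty-line cleanup and leaves the two modules inconsistent. `lib.getExe` resolves the binary through the package's `meta.mainProgram` (falling back to the package name with a warning, as far as I recall), so for parity either keep `"XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"` here or use `getExe` in both files. The generated fragment also no longer ends with a newline; whether the merge of this `mkOrder 0` fragment with other `extraConfig` contributions inserts a separator depends on the option's type, presumably `lines`, so the `check-sshd-config` run that follows remains the useful safety net for a concatenated `HostKey`/extra line. The enclosing attribute set starts before the hunk.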