Unverified Commit 7fc25040 authored by Will Fancher's avatar Will Fancher Committed by GitHub

Merge pull request #277759 from onny/initrd-keyfiles

nixos/initrd-ssh: Add authorizedKeyFiles option
parents 9b09bde6 30036c3d
+2 −0
@@ -373,6 +373,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- The Matrix homeserver [Synapse](https://element-hq.github.io/synapse/) module now supports configuring UNIX domain socket [listeners](#opt-services.matrix-synapse.settings.listeners) through the `path` option.
  The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets.

- The initrd ssh daemon module got a new option to add authorized keys via a list of files using `boot.initrd.network.ssh.authorizedKeyFiles`.

- Programs written in [Nim](https://nim-lang.org/) are built with libraries selected by lockfiles.
  The `nimPackages` and `nim2Packages` sets have been removed.
  See https://nixos.org/manual/nixpkgs/unstable#nim for more information.
+26 −4
@@ -93,6 +93,21 @@ in
      defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keys";
      description = lib.mdDoc ''
        Authorized keys for the root user on initrd.
        You can combine the `authorizedKeys` and `authorizedKeyFiles` options.
      '';
      example = [
        "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host"
        "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar"
      ];
    };

    authorizedKeyFiles = mkOption {
      type = types.listOf types.path;
      default = config.users.users.root.openssh.authorizedKeys.keyFiles;
      defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keyFiles";
      description = lib.mdDoc ''
        Authorized keys taken from files for the root user on initrd.
        You can combine the `authorizedKeyFiles` and `authorizedKeys` options.
      '';
    };

@@ -152,7 +167,7 @@ in
  in mkIf enabled {
    assertions = [
      {
        assertion = cfg.authorizedKeys != [];
        assertion = cfg.authorizedKeys != [] || cfg.authorizedKeyFiles != [];
        message = "You should specify at least one authorized key for initrd SSH";
      }

@@ -206,6 +221,9 @@ in
      ${concatStrings (map (key: ''
        echo ${escapeShellArg key} >> /root/.ssh/authorized_keys
      '') cfg.authorizedKeys)}
      ${concatStrings (map (keyFile: ''
        cat ${keyFile} >> /root/.ssh/authorized_keys
      '') cfg.authorizedKeyFiles)}

      ${flip concatMapStrings cfg.hostKeys (path: ''
        # keys from Nix store are world-readable, which sshd doesn't like
@@ -236,9 +254,13 @@ in

      users.root.shell = mkIf (config.boot.initrd.network.ssh.shell != null) config.boot.initrd.network.ssh.shell;

      contents."/etc/ssh/authorized_keys.d/root".text =
        concatStringsSep "\n" config.boot.initrd.network.ssh.authorizedKeys;
      contents."/etc/ssh/sshd_config".text = sshdConfig;
      contents = {
        "/etc/ssh/sshd_config".text = sshdConfig;
        "/etc/ssh/authorized_keys.d/root".text =
          concatStringsSep "\n" (
            config.boot.initrd.network.ssh.authorizedKeys ++
            (map (file: lib.fileContents file) config.boot.initrd.network.ssh.authorizedKeyFiles));
      };
      storePaths = ["${package}/bin/sshd"];

      services.sshd = {
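Review bot: The scripted-initrd branch at `cat ${keyFile} >> /root/.ssh/authorized_keys` interpolates the path unquoted and reads the file at boot, whereas the sibling `echo ${escapeShellArg key}` line two lines above escapes its argument and the systemd branch at `lib.fileContents file` embeds the contents at evaluation time; a path containing whitespace breaks the first, and a file that is not present in the initrd image presumably makes the `cat` fail at boot (hedged — what the initrd contains is not visible in this hunk). A key file without a trailing newline would also run the next appended key onto the same line. Replacing the line with `echo ${escapeShellArg (lib.fileContents keyFile)} >> /root/.ssh/authorized_keys` makes both branches read the file once at evaluation and keeps the shell quoting consistent with the `authorizedKeys` loop. The `authorizedKeyFiles` description could then state that file contents are read at evaluation time and stored in the initrd, so users know the keys do not stay on the live filesystem.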