Commit e959525e authored by Sigmanificient's avatar Sigmanificient

lsh: drop

parent 422d8530
+2 −0
@@ -311,6 +311,8 @@

- The `services.trust-dns` module has been renamed to `services.hickory-dns`.

- The `lsh` package and the `services.lshd` module have been removed as they had no maintainer in Nixpkgs and hadn’t seen an upstream release in over a decade. It is recommended to migrate to `openssh` and `services.openssh`.

## Other Notable Changes {#sec-release-24.11-notable-changes}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
+0 −1
@@ -1205,7 +1205,6 @@
  ./services/networking/spacecookie.nix
  ./services/networking/spiped.nix
  ./services/networking/squid.nix
  ./services/networking/ssh/lshd.nix
  ./services/networking/ssh/sshd.nix
  ./services/networking/sslh.nix
  ./services/networking/strongswan-swanctl/module.nix
+1 −1
@@ -37,7 +37,6 @@ in
      The xow package was removed from nixpkgs. Upstream has deprecated
      the project and users are urged to switch to xone.
    '')
    (mkRemovedOptionModule [ "networking" "liboop" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "networking" "vpnc" ] "Use environment.etc.\"vpnc/service.conf\" instead.")
    (mkRemovedOptionModule [ "networking" "wicd" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "programs" "gnome-documents" ] "The corresponding package was removed from nixpkgs.")
@@ -71,6 +70,7 @@ in
    (mkRemovedOptionModule [ "services" "hydron" ] "The `services.hydron` module has been removed as the project has been archived upstream since 2022 and is affected by a severe remote code execution vulnerability.")
    (mkRemovedOptionModule [ "services" "ihatemoney" ] "The ihatemoney module has been removed for lack of downstream maintainer")
    (mkRemovedOptionModule [ "services" "kippo" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "lshd" ] "The corresponding package was removed from nixpkgs as it had no maintainer in Nixpkgs and hasn't seen an upstream release in over a decades.")
    (mkRemovedOptionModule [ "services" "mailpile" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "marathon" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "mathics" ] "The Mathics module has been removed")
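Review bot: The message added for `services.lshd` ends with "in over a decades", a typo that every user who still sets the option will be shown at evaluation time, and unlike the release-note entry in this same commit it does not say where to migrate. Suggest `(mkRemovedOptionModule [ "services" "lshd" ] "The corresponding package was removed from nixpkgs as it had no maintainer in Nixpkgs and hasn't seen an upstream release in over a decade. Migrate to services.openssh instead.")` so the two texts agree. The list these entries belong to starts and ends outside this hunk.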
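--- a/nixos/modules/services/networking/ssh/lshd.nix
+++ /dev/null
@@ -1,187 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
-  inherit (pkgs) lsh;
-
-  cfg = config.services.lshd;
-
-in
-
-{
-
-  ###### interface
-
-  options = {
-
-    services.lshd = {
-
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Whether to enable the GNU lshd SSH2 daemon, which allows
-          secure remote login.
-        '';
-      };
-
-      portNumber = mkOption {
-        default = 22;
-        type = types.port;
-        description = ''
-          The port on which to listen for connections.
-        '';
-      };
-
-      interfaces = mkOption {
-        default = [];
-        type = types.listOf types.str;
-        description = ''
-          List of network interfaces where listening for connections.
-          When providing the empty list, `[]`, lshd listens on all
-          network interfaces.
-        '';
-        example = [ "localhost" "1.2.3.4:443" ];
-      };
-
-      hostKey = mkOption {
-        default = "/etc/lsh/host-key";
-        type = types.str;
-        description = ''
-          Path to the server's private key.  Note that this key must
-          have been created, e.g., using "lsh-keygen --server |
-          lsh-writekey --server", so that you can run lshd.
-        '';
-      };
-
-      syslog = mkOption {
-        type = types.bool;
-        default = true;
-        description = "Whether to enable syslog output.";
-      };
-
-      passwordAuthentication = mkOption {
-        type = types.bool;
-        default = true;
-        description = "Whether to enable password authentication.";
-      };
-
-      publicKeyAuthentication = mkOption {
-        type = types.bool;
-        default = true;
-        description = "Whether to enable public key authentication.";
-      };
-
-      rootLogin = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Whether to enable remote root login.";
-      };
-
-      loginShell = mkOption {
-        default = null;
-        type = types.nullOr types.str;
-        description = ''
-          If non-null, override the default login shell with the
-          specified value.
-        '';
-        example = "/nix/store/xyz-bash-10.0/bin/bash10";
-      };
-
-      srpKeyExchange = mkOption {
-        default = false;
-        type = types.bool;
-        description = ''
-          Whether to enable SRP key exchange and user authentication.
-        '';
-      };
-
-      tcpForwarding = mkOption {
-        type = types.bool;
-        default = true;
-        description = "Whether to enable TCP/IP forwarding.";
-      };
-
-      x11Forwarding = mkOption {
-        type = types.bool;
-        default = true;
-        description = "Whether to enable X11 forwarding.";
-      };
-
-      subsystems = mkOption {
-        type = types.listOf types.path;
-        description = ''
-          List of subsystem-path pairs, where the head of the pair
-          denotes the subsystem name, and the tail denotes the path to
-          an executable implementing it.
-        '';
-      };
-
-    };
-
-  };
-
-
-  ###### implementation
-
-  config = mkIf cfg.enable {
-
-    services.lshd.subsystems = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ];
-
-    systemd.services.lshd = {
-      description = "GNU lshd SSH2 daemon";
-
-      after = [ "network.target" ];
-
-      wantedBy = [ "multi-user.target" ];
-
-      environment = {
-        LD_LIBRARY_PATH = config.system.nssModules.path;
-      };
-
-      preStart = ''
-        test -d /etc/lsh || mkdir -m 0755 -p /etc/lsh
-        test -d /var/spool/lsh || mkdir -m 0755 -p /var/spool/lsh
-
-        if ! test -f /var/spool/lsh/yarrow-seed-file
-        then
-            # XXX: It would be nice to provide feedback to the
-            # user when this fails, so that they can retry it
-            # manually.
-            ${lsh}/bin/lsh-make-seed --sloppy \
-               -o /var/spool/lsh/yarrow-seed-file
-        fi
-
-        if ! test -f "${cfg.hostKey}"
-        then
-            ${lsh}/bin/lsh-keygen --server | \
-            ${lsh}/bin/lsh-writekey --server -o "${cfg.hostKey}"
-        fi
-      '';
-
-      script = with cfg; ''
-        ${lsh}/sbin/lshd --daemonic \
-          --password-helper="${lsh}/sbin/lsh-pam-checkpw" \
-          -p ${toString portNumber} \
-          ${optionalString (interfaces != []) (concatStrings (map (i: "--interface=\"${i}\"") interfaces))} \
-          -h "${hostKey}" \
-          ${optionalString (!syslog) "--no-syslog" } \
-          ${if passwordAuthentication then "--password" else "--no-password" } \
-          ${if publicKeyAuthentication then "--publickey" else "--no-publickey" } \
-          ${if rootLogin then "--root-login" else "--no-root-login" } \
-          ${optionalString (loginShell != null) "--login-shell=\"${loginShell}\"" } \
-          ${if srpKeyExchange then "--srp-keyexchange" else "--no-srp-keyexchange" } \
-          ${if !tcpForwarding then "--no-tcpip-forward" else "--tcpip-forward"} \
-          ${if x11Forwarding then "--x11-forward" else "--no-x11-forward" } \
-          --subsystems=${concatStringsSep ","
-                                          (map (pair: (head pair) + "=" +
-                                                      (head (tail pair)))
-                                               subsystems)}
-      '';
-    };
-
-    security.pam.services.lshd = {};
-  };
-}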
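--- a/pkgs/tools/networking/lsh/default.nix
+++ /dev/null
@@ -1,58 +0,0 @@
-{ lib, stdenv, fetchurl, gperf, guile, gmp, zlib, liboop, readline, gnum4, pam
-, nettools, lsof, procps, libxcrypt }:
-
-stdenv.mkDerivation rec {
-  pname = "lsh";
-  version = "2.0.4";
-
-  src = fetchurl {
-    url = "mirror://gnu/lsh/lsh-${version}.tar.gz";
-    sha256 = "614b9d63e13ad3e162c82b6405d1f67713fc622a8bc11337e72949d613713091";
-  };
-
-  patches = [ ./pam-service-name.patch ./lshd-no-root-login.patch ];
-
-  preConfigure = ''
-    # Patch `lsh-make-seed' so that it can gather enough entropy.
-    sed -i "src/lsh-make-seed.c" \
-        -e "s|/usr/sbin/arp|${nettools}/sbin/arp|g ;
-            s|/usr/bin/netstat|${nettools}/bin/netstat|g ;
-            s|/usr/local/bin/lsof|${lsof}/bin/lsof|g ;
-            s|/bin/vmstat|${procps}/bin/vmstat|g ;
-            s|/bin/ps|${procps}/bin/sp|g ;
-            s|/usr/bin/w|${procps}/bin/w|g ;
-            s|/usr/bin/df|$(type -P df)|g ;
-            s|/usr/bin/ipcs|$(type -P ipcs)|g ;
-            s|/usr/bin/uptime|$(type -P uptime)|g"
-
-    # Skip the `configure' script that checks whether /dev/ptmx & co. work as
-    # expected, because it relies on impurities (for instance, /dev/pts may
-    # be unavailable in chroots.)
-    export lsh_cv_sys_unix98_ptys=yes
-  '';
-
-  # -fcommon: workaround build failure on -fno-common toolchains like upstream
-  # gcc-10. Otherwise build fails as:
-  #   ld: liblsh.a(unix_user.o):/build/lsh-2.0.4/src/server_userauth.h:108: multiple definition of
-  #     `server_userauth_none_preauth'; lshd.o:/build/lsh-2.0.4/src/server_userauth.h:108: first defined here
-  # Should be present in upcoming 2.1 release.
-  env.NIX_CFLAGS_COMPILE = "-std=gnu90 -fcommon";
-
-  buildInputs = [ gperf guile gmp zlib liboop readline gnum4 pam libxcrypt ];
-
-  meta = {
-    description = "GPL'd implementation of the SSH protocol";
-
-    longDescription = ''
-      lsh is a free implementation (in the GNU sense) of the ssh
-      version 2 protocol, currently being standardised by the IETF
-      SECSH working group.
-    '';
-
-    homepage = "http://www.lysator.liu.se/~nisse/lsh/";
-    license = lib.licenses.gpl2Plus;
-
-    maintainers = [ ];
-    platforms = [ "x86_64-linux" ];
-  };
-}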