2009-05-27 23:59:14 +00:00
|
|
|
|
# Global configuration for the SSH client.
|
|
|
|
|
|
|
2014-04-14 16:26:48 +02:00
|
|
|
|
{
|
|
|
|
|
|
config,
|
|
|
|
|
|
lib,
|
|
|
|
|
|
pkgs,
|
|
|
|
|
|
...
|
|
|
|
|
|
}:
|
2009-05-27 23:59:14 +00:00
|
|
|
|
|
2015-02-25 14:29:24 +01:00
|
|
|
|
let
|
|
|
|
|
|
|
|
|
|
|
|
cfg = config.programs.ssh;
|
|
|
|
|
|
|
|
|
|
|
|
askPasswordWrapper = pkgs.writeScript "ssh-askpass-wrapper" ''
|
2018-03-01 14:38:53 -05:00
|
|
|
|
#! ${pkgs.runtimeShell} -e
|
2025-01-14 14:05:46 +00:00
|
|
|
|
eval export $(systemctl --user show-environment | ${lib.getExe pkgs.gnugrep} -E '^(DISPLAY|WAYLAND_DISPLAY|XAUTHORITY)=')
|
2023-09-03 17:12:55 +02:00
|
|
|
|
exec ${cfg.askPassword} "$@"
|
2015-02-25 14:29:24 +01:00
|
|
|
|
'';
|
2012-03-25 15:42:05 +00:00
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
knownHosts = builtins.attrValues cfg.knownHosts;
|
2015-08-27 15:24:14 +02:00
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
knownHostsText =
|
|
|
|
|
|
(lib.flip (lib.concatMapStringsSep "\n") knownHosts (
|
2015-08-27 15:31:21 +02:00
|
|
|
|
h:
|
|
|
|
|
|
assert h.hostNames != [ ];
|
2024-04-17 14:37:58 +03:00
|
|
|
|
lib.optionalString h.certAuthority "@cert-authority "
|
|
|
|
|
|
+ builtins.concatStringsSep "," h.hostNames
|
|
|
|
|
|
+ " "
|
|
|
|
|
|
+ (if h.publicKey != null then h.publicKey else builtins.readFile h.publicKeyFile)
|
2017-05-15 23:49:43 -04:00
|
|
|
|
))
|
|
|
|
|
|
+ "\n";
|
2015-08-27 15:24:14 +02:00
|
|
|
|
|
2023-04-13 13:56:08 +02:00
|
|
|
|
knownHostsFiles = [
|
|
|
|
|
|
"/etc/ssh/ssh_known_hosts"
|
2024-04-17 14:37:58 +03:00
|
|
|
|
] ++ builtins.map pkgs.copyPathToStore cfg.knownHostsFiles;
|
2021-11-21 17:25:03 +00:00
|
|
|
|
|
2012-03-25 15:42:05 +00:00
|
|
|
|
in
|
2009-05-27 23:59:14 +00:00
|
|
|
|
{
|
2012-03-25 15:42:05 +00:00
|
|
|
|
###### interface
|
|
|
|
|
|
|
|
|
|
|
|
options = {
|
|
|
|
|
|
|
|
|
|
|
|
programs.ssh = {
|
|
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
enableAskPassword = lib.mkOption {
|
|
|
|
|
|
type = lib.types.bool;
|
2021-12-11 11:13:50 -05:00
|
|
|
|
default = config.services.xserver.enable;
|
2024-04-17 14:37:58 +03:00
|
|
|
|
defaultText = lib.literalExpression "config.services.xserver.enable";
|
2021-12-11 11:13:50 -05:00
|
|
|
|
description = "Whether to configure SSH_ASKPASS in the environment.";
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2024-11-24 19:02:59 +01:00
|
|
|
|
systemd-ssh-proxy.enable = lib.mkOption {
|
|
|
|
|
|
type = lib.types.bool;
|
|
|
|
|
|
default = true;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Whether to enable systemd's ssh proxy plugin.
|
|
|
|
|
|
See {manpage}`systemd-ssh-proxy(1)`.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
askPassword = lib.mkOption {
|
|
|
|
|
|
type = lib.types.str;
|
2016-01-13 11:48:11 +01:00
|
|
|
|
default = "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass";
|
2024-04-17 14:37:58 +03:00
|
|
|
|
defaultText = lib.literalExpression ''"''${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"'';
|
2021-01-24 09:19:10 +00:00
|
|
|
|
description = "Program used by SSH to ask for passwords.";
|
2015-03-11 10:59:02 -05:00
|
|
|
|
};
|
|
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
forwardX11 = lib.mkOption {
|
2023-09-03 17:13:11 +02:00
|
|
|
|
type = with lib.types; nullOr bool;
|
2012-10-09 23:21:45 -07:00
|
|
|
|
default = false;
|
2012-03-25 15:42:05 +00:00
|
|
|
|
description = ''
|
|
|
|
|
|
Whether to request X11 forwarding on outgoing connections by default.
|
2023-09-03 17:13:11 +02:00
|
|
|
|
If set to null, the option is not set at all.
|
2012-03-25 15:42:05 +00:00
|
|
|
|
This is useful for running graphical programs on the remote machine and have them display to your local X11 server.
|
|
|
|
|
|
Historically, this value has depended on the value used by the local sshd daemon, but there really isn't a relation between the two.
|
2012-11-18 11:05:18 -08:00
|
|
|
|
Note: there are some security risks to forwarding an X11 connection.
|
|
|
|
|
|
NixOS's X server is built with the SECURITY extension, which prevents some obvious attacks.
|
2012-10-09 23:21:45 -07:00
|
|
|
|
To enable or disable forwarding on a per-connection basis, see the -X and -x options to ssh.
|
2012-11-18 11:05:18 -08:00
|
|
|
|
The -Y option to ssh enables trusted forwarding, which bypasses the SECURITY extension.
|
2009-05-27 23:59:14 +00:00
|
|
|
|
'';
|
2012-03-25 15:42:05 +00:00
|
|
|
|
};
|
|
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
setXAuthLocation = lib.mkOption {
|
|
|
|
|
|
type = lib.types.bool;
|
2012-03-25 15:42:05 +00:00
|
|
|
|
description = ''
|
2013-10-25 15:47:30 +02:00
|
|
|
|
Whether to set the path to {command}`xauth` for X11-forwarded connections.
|
2013-10-30 17:37:45 +01:00
|
|
|
|
This causes a dependency on X11 packages.
|
2012-03-25 15:42:05 +00:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
2013-08-25 21:54:21 +02:00
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
pubkeyAcceptedKeyTypes = lib.mkOption {
|
|
|
|
|
|
type = lib.types.listOf lib.types.str;
|
2020-04-07 13:07:03 +00:00
|
|
|
|
default = [ ];
|
2018-05-17 18:03:11 +03:00
|
|
|
|
example = [
|
|
|
|
|
|
"ssh-ed25519"
|
|
|
|
|
|
"ssh-rsa"
|
|
|
|
|
|
];
|
|
|
|
|
|
description = ''
|
2024-04-17 14:37:58 +03:00
|
|
|
|
Specifies the key lib.types that will be used for public key authentication.
|
2018-05-17 18:03:11 +03:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
hostKeyAlgorithms = lib.mkOption {
|
|
|
|
|
|
type = lib.types.listOf lib.types.str;
|
2020-04-07 13:07:03 +00:00
|
|
|
|
default = [ ];
|
2018-05-17 18:03:11 +03:00
|
|
|
|
example = [
|
|
|
|
|
|
"ssh-ed25519"
|
|
|
|
|
|
"ssh-rsa"
|
|
|
|
|
|
];
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Specifies the host key algorithms that the client wants to use in order of preference.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
extraConfig = lib.mkOption {
|
|
|
|
|
|
type = lib.types.lines;
|
2013-08-25 21:54:21 +02:00
|
|
|
|
default = "";
|
|
|
|
|
|
description = ''
|
2019-01-10 11:40:18 +00:00
|
|
|
|
Extra configuration text prepended to {file}`ssh_config`. Other generated
|
|
|
|
|
|
options will be added after a `Host *` pattern.
|
2013-10-30 17:37:45 +01:00
|
|
|
|
See {manpage}`ssh_config(5)`
|
|
|
|
|
|
for help.
|
2013-08-25 21:54:21 +02:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
2014-04-18 00:45:26 +02:00
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
startAgent = lib.mkOption {
|
|
|
|
|
|
type = lib.types.bool;
|
2017-06-15 19:27:01 +02:00
|
|
|
|
default = false;
|
2014-04-18 00:45:26 +02:00
|
|
|
|
description = ''
|
|
|
|
|
|
Whether to start the OpenSSH agent when you log in. The OpenSSH agent
|
|
|
|
|
|
remembers private keys for you so that you don't have to type in
|
|
|
|
|
|
passphrases every time you make an SSH connection. Use
|
|
|
|
|
|
{command}`ssh-add` to add a key to the agent.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
agentTimeout = lib.mkOption {
|
|
|
|
|
|
type = lib.types.nullOr lib.types.str;
|
2014-12-18 15:30:14 +01:00
|
|
|
|
default = null;
|
|
|
|
|
|
example = "1h";
|
2014-11-13 21:46:02 +01:00
|
|
|
|
description = ''
|
2014-11-15 12:13:19 +01:00
|
|
|
|
How long to keep the private keys in memory. Use null to keep them forever.
|
2014-11-13 21:46:02 +01:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
agentPKCS11Whitelist = lib.mkOption {
|
|
|
|
|
|
type = lib.types.nullOr lib.types.str;
|
2019-10-14 20:45:28 +01:00
|
|
|
|
default = null;
|
2024-04-17 14:37:58 +03:00
|
|
|
|
example = lib.literalExpression ''"''${pkgs.opensc}/lib/opensc-pkcs11.so"'';
|
2019-10-14 20:45:28 +01:00
|
|
|
|
description = ''
|
|
|
|
|
|
A pattern-list of acceptable paths for PKCS#11 shared libraries
|
|
|
|
|
|
that may be used with the -s option to ssh-add.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
package = lib.mkPackageOption pkgs "openssh" { };
|
2014-09-11 21:43:58 -07:00
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
knownHosts = lib.mkOption {
|
2015-08-27 15:24:14 +02:00
|
|
|
|
default = { };
|
2024-04-17 14:37:58 +03:00
|
|
|
|
type = lib.types.attrsOf (
|
|
|
|
|
|
lib.types.submodule (
|
|
|
|
|
|
{
|
|
|
|
|
|
name,
|
|
|
|
|
|
config,
|
|
|
|
|
|
options,
|
|
|
|
|
|
...
|
|
|
|
|
|
}:
|
|
|
|
|
|
{
|
2015-08-27 15:29:05 +02:00
|
|
|
|
options = {
|
2024-04-17 14:37:58 +03:00
|
|
|
|
certAuthority = lib.mkOption {
|
|
|
|
|
|
type = lib.types.bool;
|
2019-06-19 12:14:46 +00:00
|
|
|
|
default = false;
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
This public key is an SSH certificate authority, rather than an
|
|
|
|
|
|
individual host's key.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
2024-04-17 14:37:58 +03:00
|
|
|
|
hostNames = lib.mkOption {
|
|
|
|
|
|
type = lib.types.listOf lib.types.str;
|
2022-01-19 08:48:41 -05:00
|
|
|
|
default = [ name ] ++ config.extraHostNames;
|
2024-04-17 14:37:58 +03:00
|
|
|
|
defaultText = lib.literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
|
2015-08-27 15:29:05 +02:00
|
|
|
|
description = ''
|
|
|
|
|
|
A list of host names and/or IP numbers used for accessing
|
2022-03-19 01:36:59 +01:00
|
|
|
|
the host's ssh service. This list includes the name of the
|
|
|
|
|
|
containing `knownHosts` attribute by default
|
|
|
|
|
|
for convenience. If you wish to configure multiple host keys
|
|
|
|
|
|
for the same host use multiple `knownHosts`
|
|
|
|
|
|
entries with different attribute names and the same
|
|
|
|
|
|
`hostNames` list.
|
2015-08-27 15:29:05 +02:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
2024-04-17 14:37:58 +03:00
|
|
|
|
extraHostNames = lib.mkOption {
|
|
|
|
|
|
type = lib.types.listOf lib.types.str;
|
2022-01-19 08:48:41 -05:00
|
|
|
|
default = [ ];
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
A list of additional host names and/or IP numbers used for
|
2022-03-19 01:36:59 +01:00
|
|
|
|
accessing the host's ssh service. This list is ignored if
|
|
|
|
|
|
`hostNames` is set explicitly.
|
2022-01-19 08:48:41 -05:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
2024-04-17 14:37:58 +03:00
|
|
|
|
publicKey = lib.mkOption {
|
2015-08-27 15:29:05 +02:00
|
|
|
|
default = null;
|
2024-04-17 14:37:58 +03:00
|
|
|
|
type = lib.types.nullOr lib.types.str;
|
2015-08-27 15:29:05 +02:00
|
|
|
|
example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
The public key data for the host. You can fetch a public key
|
|
|
|
|
|
from a running SSH server with the {command}`ssh-keyscan`
|
|
|
|
|
|
command. The public key should not include any host names, only
|
|
|
|
|
|
the key type and the key itself.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
2024-04-17 14:37:58 +03:00
|
|
|
|
publicKeyFile = lib.mkOption {
|
2015-08-27 15:29:05 +02:00
|
|
|
|
default = null;
|
2024-04-17 14:37:58 +03:00
|
|
|
|
type = lib.types.nullOr lib.types.path;
|
2015-08-27 15:29:05 +02:00
|
|
|
|
description = ''
|
|
|
|
|
|
The path to the public key file for the host. The public
|
|
|
|
|
|
key file is read at build time and saved in the Nix store.
|
|
|
|
|
|
You can fetch a public key file from a running SSH server
|
|
|
|
|
|
with the {command}`ssh-keyscan` command. The content
|
|
|
|
|
|
of the file should follow the same format as described for
|
2021-11-21 17:25:03 +00:00
|
|
|
|
the `publicKey` option. Only a single key
|
|
|
|
|
|
is supported. If a host has multiple keys, use
|
|
|
|
|
|
{option}`programs.ssh.knownHostsFiles` instead.
|
2015-08-27 15:29:05 +02:00
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
};
|
2015-08-27 15:31:21 +02:00
|
|
|
|
}
|
2024-12-10 20:26:33 +01:00
|
|
|
|
)
|
2015-08-27 15:31:21 +02:00
|
|
|
|
);
|
2015-08-27 15:24:14 +02:00
|
|
|
|
description = ''
|
2022-03-19 01:36:59 +01:00
|
|
|
|
The set of system-wide known SSH hosts. To make simple setups more
|
|
|
|
|
|
convenient the name of an attribute in this set is used as a host name
|
|
|
|
|
|
for the entry. This behaviour can be disabled by setting
|
|
|
|
|
|
`hostNames` explicitly. You can use
|
|
|
|
|
|
`extraHostNames` to add additional host names without
|
|
|
|
|
|
disabling this default.
|
2015-08-27 15:24:14 +02:00
|
|
|
|
'';
|
2024-04-17 14:37:58 +03:00
|
|
|
|
example = lib.literalExpression ''
|
2019-01-18 15:31:19 +01:00
|
|
|
|
{
|
|
|
|
|
|
myhost = {
|
2022-01-19 08:48:41 -05:00
|
|
|
|
extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
|
2017-11-01 02:53:24 +08:00
|
|
|
|
publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
|
2019-01-18 15:31:19 +01:00
|
|
|
|
};
|
2022-01-19 08:48:41 -05:00
|
|
|
|
"myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
|
2022-03-19 01:36:59 +01:00
|
|
|
|
"myhost2.net/dsa" = {
|
|
|
|
|
|
hostNames = [ "myhost2.net" ];
|
|
|
|
|
|
publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
|
|
|
|
|
|
};
|
2019-01-18 15:31:19 +01:00
|
|
|
|
}
|
2016-01-17 19:34:55 +01:00
|
|
|
|
'';
|
2015-08-27 15:24:14 +02:00
|
|
|
|
};
|
|
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
knownHostsFiles = lib.mkOption {
|
2021-11-21 17:25:03 +00:00
|
|
|
|
default = [ ];
|
2024-04-17 14:37:58 +03:00
|
|
|
|
type = with lib.types; listOf path;
|
2021-11-21 17:25:03 +00:00
|
|
|
|
description = ''
|
|
|
|
|
|
Files containing SSH host keys to set as global known hosts.
|
|
|
|
|
|
`/etc/ssh/ssh_known_hosts` (which is
|
2023-04-13 13:56:08 +02:00
|
|
|
|
generated by {option}`programs.ssh.knownHosts`) is
|
|
|
|
|
|
always included.
|
2021-11-21 17:25:03 +00:00
|
|
|
|
'';
|
2024-04-17 14:37:58 +03:00
|
|
|
|
example = lib.literalExpression ''
|
2021-11-21 17:25:03 +00:00
|
|
|
|
[
|
|
|
|
|
|
./known_hosts
|
|
|
|
|
|
(writeText "github.keys" '''
|
2023-03-24 11:51:46 -07:00
|
|
|
|
github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
|
2021-11-21 17:25:03 +00:00
|
|
|
|
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
|
|
|
|
|
|
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
|
|
|
|
|
|
''')
|
|
|
|
|
|
]
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
kexAlgorithms = lib.mkOption {
|
|
|
|
|
|
type = lib.types.nullOr (lib.types.listOf lib.types.str);
|
2019-05-22 14:41:32 +03:00
|
|
|
|
default = null;
|
|
|
|
|
|
example = [
|
|
|
|
|
|
"curve25519-sha256@libssh.org"
|
|
|
|
|
|
"diffie-hellman-group-exchange-sha256"
|
|
|
|
|
|
];
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Specifies the available KEX (Key Exchange) algorithms.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
ciphers = lib.mkOption {
|
|
|
|
|
|
type = lib.types.nullOr (lib.types.listOf lib.types.str);
|
2019-05-22 14:41:32 +03:00
|
|
|
|
default = null;
|
|
|
|
|
|
example = [
|
|
|
|
|
|
"chacha20-poly1305@openssh.com"
|
|
|
|
|
|
"aes256-gcm@openssh.com"
|
|
|
|
|
|
];
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Specifies the ciphers allowed and their order of preference.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
macs = lib.mkOption {
|
|
|
|
|
|
type = lib.types.nullOr (lib.types.listOf lib.types.str);
|
2019-05-22 14:41:32 +03:00
|
|
|
|
default = null;
|
|
|
|
|
|
example = [
|
|
|
|
|
|
"hmac-sha2-512-etm@openssh.com"
|
|
|
|
|
|
"hmac-sha1"
|
|
|
|
|
|
];
|
|
|
|
|
|
description = ''
|
|
|
|
|
|
Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used
|
|
|
|
|
|
for data integrity protection.
|
|
|
|
|
|
'';
|
|
|
|
|
|
};
|
2012-03-25 15:42:05 +00:00
|
|
|
|
};
|
2014-04-18 00:45:26 +02:00
|
|
|
|
|
2012-03-25 15:42:05 +00:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
config = {
|
2013-10-25 15:47:30 +02:00
|
|
|
|
|
2016-09-05 15:38:42 +02:00
|
|
|
|
programs.ssh.setXAuthLocation = lib.mkDefault (
|
2024-04-17 14:37:58 +03:00
|
|
|
|
config.services.xserver.enable
|
|
|
|
|
|
|| config.programs.ssh.forwardX11 == true
|
|
|
|
|
|
|| config.services.openssh.settings.X11Forwarding
|
|
|
|
|
|
);
|
2016-09-05 15:38:42 +02:00
|
|
|
|
|
2015-08-27 15:24:14 +02:00
|
|
|
|
assertions =
|
2023-09-03 17:13:11 +02:00
|
|
|
|
[
|
|
|
|
|
|
{
|
|
|
|
|
|
assertion = cfg.forwardX11 == true -> cfg.setXAuthLocation;
|
2015-08-27 15:24:14 +02:00
|
|
|
|
message = "cannot enable X11 forwarding without setting XAuth location";
|
|
|
|
|
|
}
|
2024-04-17 14:37:58 +03:00
|
|
|
|
]
|
|
|
|
|
|
++ lib.flip lib.mapAttrsToList cfg.knownHosts (
|
|
|
|
|
|
name: data: {
|
2015-08-27 15:24:14 +02:00
|
|
|
|
assertion =
|
|
|
|
|
|
(data.publicKey == null && data.publicKeyFile != null)
|
|
|
|
|
|
|| (data.publicKey != null && data.publicKeyFile == null);
|
|
|
|
|
|
message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
|
|
|
|
|
|
}
|
|
|
|
|
|
);
|
2013-10-25 15:47:30 +02:00
|
|
|
|
|
2015-08-18 13:09:38 +02:00
|
|
|
|
# SSH configuration. Slight duplication of the sshd_config
|
|
|
|
|
|
# generation in the sshd service.
|
|
|
|
|
|
environment.etc."ssh/ssh_config".text = ''
|
2019-01-10 11:40:18 +00:00
|
|
|
|
# Custom options from `extraConfig`, to override generated options
|
|
|
|
|
|
${cfg.extraConfig}
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2024-11-24 19:02:59 +01:00
|
|
|
|
${lib.optionalString cfg.systemd-ssh-proxy.enable ''
|
|
|
|
|
|
# See systemd-ssh-proxy(1)
|
|
|
|
|
|
Include ${config.systemd.package}/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf
|
|
|
|
|
|
''}
|
|
|
|
|
|
|
2019-01-10 11:40:18 +00:00
|
|
|
|
# Generated options from other settings
|
|
|
|
|
|
Host *
|
2024-04-17 14:37:58 +03:00
|
|
|
|
GlobalKnownHostsFile ${builtins.concatStringsSep " " knownHostsFiles}
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2024-05-26 17:50:19 +02:00
|
|
|
|
${lib.optionalString (!config.networking.enableIPv6) "AddressFamily inet"}
|
2024-04-17 14:37:58 +03:00
|
|
|
|
${lib.optionalString cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"}
|
2023-09-03 17:13:11 +02:00
|
|
|
|
${lib.optionalString (cfg.forwardX11 != null)
|
|
|
|
|
|
"ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}"
|
|
|
|
|
|
}
|
2024-12-10 20:26:33 +01:00
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
${lib.optionalString (
|
|
|
|
|
|
cfg.pubkeyAcceptedKeyTypes != [ ]
|
|
|
|
|
|
) "PubkeyAcceptedKeyTypes ${builtins.concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"}
|
|
|
|
|
|
${lib.optionalString (
|
|
|
|
|
|
cfg.hostKeyAlgorithms != [ ]
|
|
|
|
|
|
) "HostKeyAlgorithms ${builtins.concatStringsSep "," cfg.hostKeyAlgorithms}"}
|
|
|
|
|
|
${lib.optionalString (
|
|
|
|
|
|
cfg.kexAlgorithms != null
|
|
|
|
|
|
) "KexAlgorithms ${builtins.concatStringsSep "," cfg.kexAlgorithms}"}
|
|
|
|
|
|
${lib.optionalString (cfg.ciphers != null) "Ciphers ${builtins.concatStringsSep "," cfg.ciphers}"}
|
|
|
|
|
|
${lib.optionalString (cfg.macs != null) "MACs ${builtins.concatStringsSep "," cfg.macs}"}
|
2015-08-18 13:09:38 +02:00
|
|
|
|
'';
|
2014-04-18 00:45:26 +02:00
|
|
|
|
|
2015-08-27 15:24:14 +02:00
|
|
|
|
environment.etc."ssh/ssh_known_hosts".text = knownHostsText;
|
|
|
|
|
|
|
2014-04-18 00:45:26 +02:00
|
|
|
|
# FIXME: this should really be socket-activated for über-awesomeness.
|
2024-04-17 14:37:58 +03:00
|
|
|
|
systemd.user.services.ssh-agent = lib.mkIf cfg.startAgent {
|
2017-05-25 19:33:13 +02:00
|
|
|
|
description = "SSH Agent";
|
2014-04-18 00:45:26 +02:00
|
|
|
|
wantedBy = [ "default.target" ];
|
2017-10-23 16:54:00 +08:00
|
|
|
|
unitConfig.ConditionUser = "!@system";
|
2014-04-18 00:45:26 +02:00
|
|
|
|
serviceConfig = {
|
2014-04-18 17:37:47 +02:00
|
|
|
|
ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
|
2014-11-15 12:13:19 +01:00
|
|
|
|
ExecStart =
|
|
|
|
|
|
"${cfg.package}/bin/ssh-agent "
|
2024-04-17 14:37:58 +03:00
|
|
|
|
+ lib.optionalString (cfg.agentTimeout != null) ("-t ${cfg.agentTimeout} ")
|
|
|
|
|
|
+ lib.optionalString (cfg.agentPKCS11Whitelist != null) ("-P ${cfg.agentPKCS11Whitelist} ")
|
2014-11-15 12:13:19 +01:00
|
|
|
|
+ "-a %t/ssh-agent";
|
2014-04-18 17:37:47 +02:00
|
|
|
|
StandardOutput = "null";
|
2014-04-18 00:45:26 +02:00
|
|
|
|
Type = "forking";
|
|
|
|
|
|
Restart = "on-failure";
|
2014-04-18 17:37:47 +02:00
|
|
|
|
SuccessExitStatus = "0 2";
|
2014-04-18 00:45:26 +02:00
|
|
|
|
};
|
2015-02-25 14:29:24 +01:00
|
|
|
|
# Allow ssh-agent to ask for confirmation. This requires the
|
|
|
|
|
|
# unit to know about the user's $DISPLAY (via ‘systemctl
|
|
|
|
|
|
# import-environment’).
|
2024-04-17 14:37:58 +03:00
|
|
|
|
environment.SSH_ASKPASS = lib.optionalString cfg.enableAskPassword askPasswordWrapper;
|
2015-02-25 14:29:24 +01:00
|
|
|
|
environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS
|
2024-12-10 20:26:33 +01:00
|
|
|
|
};
|
2014-04-18 00:45:26 +02:00
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
environment.extraInit = lib.optionalString cfg.startAgent ''
|
2014-04-18 00:45:26 +02:00
|
|
|
|
if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then
|
|
|
|
|
|
export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"
|
|
|
|
|
|
fi
|
|
|
|
|
|
'';
|
|
|
|
|
|
|
2024-04-17 14:37:58 +03:00
|
|
|
|
environment.variables.SSH_ASKPASS = lib.optionalString cfg.enableAskPassword cfg.askPassword;
|
2015-02-25 14:29:24 +01:00
|
|
|
|
|
2012-03-25 15:42:05 +00:00
|
|
|
|
};
|
2009-05-27 23:59:14 +00:00
|
|
|
|
}
|
