From 1f08575e3aed1e7adb0a24c47d9919c10cae01d7 Mon Sep 17 00:00:00 2001
From: nicoo
Date: Tue, 9 Jan 2024 23:50:13 +0000
Subject: [PATCH] nixos/sshd: Disable `authorizedKeysInHomedir` if `stateVersion` >= 24.11

Co-authored-by: Valentin Gagarin
---
 nixos/doc/manual/release-notes/rl-2411.section.md | 3 +++
 nixos/modules/services/networking/ssh/sshd.nix | 3 ++-
 nixos/tests/openssh.nix | 11 +++++++++--
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index 1b0c29f3809f..dbcfecac6922 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -390,6 +390,9 @@
 * from `/var/log/private/gns3` to `/var/log/gns3` and to change the ownership of these directories and their contents to `gns3` (including `/etc/gns3`).
+- The `sshd` module now doesn't include `%h/.ssh/authorized_keys` as `AuthorizedKeysFile` unless
+ `services.openssh.authorizedKeysInHomedir` is set to `true` (the default is `false` for `stateVersion` 24.11 onwards).
+
 - Legacy package `stalwart-mail_0_6` was dropped, please note the [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md) before changing the package to `pkgs.stalwart-mail` in
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 26ca39f73d39..b968da777a44 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -302,7 +302,8 @@ in
 authorizedKeysInHomedir = lib.mkOption {
 type = lib.types.bool;
- default = true;
+ default = lib.versionOlder config.system.stateVersion "24.11";
+ defaultText = lib.literalMD "`false` unless [](#opt-system.stateVersion) is 24.05 or older";
 description = ''
 Enables the use of the `~/.ssh/authorized_keys` file.
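Review bot: The option's `description` (the context lines at the end of this hunk; the string continues past it) still says only that it enables the use of the `~/.ssh/authorized_keys` file, so someone reading the option never learns that the default now hinges on `system.stateVersion`, nor that with the option at `false` keys a user drops into their home directory are not consulted and only keys provisioned through the NixOS configuration are trusted, which is exactly the lockout a host administered via `~/.ssh/authorized_keys` hits when `stateVersion` is bumped to 24.11. I would extend the description with a sentence such as `Since NixOS 24.11 this defaults to false; keys placed manually in ~/.ssh/authorized_keys are then ignored, so set it to true explicitly if you still rely on them.` (the release note covers this, but the option documentation is where people look when locked out). Minor wording: `defaultText` says `24.05 or older` while the code tests `lib.versionOlder config.system.stateVersion "24.11"`, so `false unless stateVersion is older than 24.11` would track the expression exactly. I cannot see from this hunk what `AuthorizedKeysFile` the module emits when the option is `false`, so the "ignored" wording should be confirmed against the config generation before it goes into the docs.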
diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix
index d420c482ca7f..b4aacd60c81b 100644
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@@ -14,7 +14,10 @@ in {
 { ... }:
 {
- services.openssh.enable = true;
+ services.openssh = {
+ enable = true;
+ authorizedKeysInHomedir = true;
+ };
 security.pam.services.sshd.limits = [
 { domain = "*"; item = "memlock"; type = "-"; value = 1024; }
 ];
 users.users.root.openssh.authorizedKeys.keys = [
@@ -39,7 +42,11 @@ in {
 { ... }:
 {
- services.openssh = { enable = true; startWhenNeeded = true; };
+ services.openssh = {
+ enable = true;
+ startWhenNeeded = true;
+ authorizedKeysInHomedir = true;
+ };
 security.pam.services.sshd.limits = [
 { domain = "*"; item = "memlock"; type = "-"; value = 1024; }
 ];
 users.users.root.openssh.authorizedKeys.keys = [
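Review bot: Both server nodes now pin `authorizedKeysInHomedir = true;`, so after this change nothing in the test runs sshd with the new default of `false`, and the hardening the commit introduces (a key present only in `~/.ssh/authorized_keys` is no longer accepted) has no test demonstrating it. Neither node sets `system.stateVersion`, so the default here is presumably the new `false` (assuming it follows the current release, to be confirmed), which is likely why the flag had to be forced; if the test script outside these hunks writes a key into `/root/.ssh/authorized_keys`, that case is worth keeping, but it should be paired with a node that leaves the option at its default and a check that login with a key stored only in the home directory fails while the key declared via `users.users.root.openssh.authorizedKeys.keys` still works. One way is a third node, say `server-declarative-only`, that only sets `services.openssh.enable = true;` and the same `users.users.root.openssh.authorizedKeys.keys`, plus the matching negative assertion in `testScript`. Without that, a regression that silently re-enables the home-directory lookup would go unnoticed.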