Rename services.openssh.knownHosts -> programs.ssh.knownHosts

This option configures the SSH client, not the server.
2025-06-11 12:15:34 +03:00 · 2015-08-27 15:24:14 +02:00 · 2015-08-27 15:24:14 +02:00 · 287c08d8a3
commit 287c08d8a3
parent f15270833a
3 changed files with 75 additions and 79 deletions
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@ -18,6 +18,14 @@ let
      exec ${askPassword}
    '';

+  knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts);
+
+  knownHostsText = flip (concatMapStringsSep "\n") knownHosts
+    (h:
+      concatStringsSep "," h.hostNames + " "
+      + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
+    );
+
 in
 {
  ###### interface
@ -92,16 +100,72 @@ in
        '';
      };

+      knownHosts = mkOption {
+        default = {};
+        type = types.loaOf types.optionSet;
+        description = ''
+          The set of system-wide known SSH hosts.
+        '';
+        example = [
+          {
+            hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ];
+            publicKeyFile = literalExample "./pubkeys/myhost_ssh_host_dsa_key.pub";
+          }
+          {
+            hostNames = [ "myhost2" ];
+            publicKeyFile = literalExample "./pubkeys/myhost2_ssh_host_dsa_key.pub";
+          }
+        ];
+        options = {
+          hostNames = mkOption {
+            type = types.listOf types.str;
+            default = [];
+            description = ''
+              A list of host names and/or IP numbers used for accessing
+              the host's ssh service.
+            '';
+          };
+          publicKey = mkOption {
+            default = null;
+            type = types.nullOr types.str;
+            example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
+            description = ''
+              The public key data for the host. You can fetch a public key
+              from a running SSH server with the <command>ssh-keyscan</command>
+              command. The public key should not include any host names, only
+              the key type and the key itself.
+            '';
+          };
+          publicKeyFile = mkOption {
+            default = null;
+            type = types.nullOr types.path;
+            description = ''
+              The path to the public key file for the host. The public
+              key file is read at build time and saved in the Nix store.
+              You can fetch a public key file from a running SSH server
+              with the <command>ssh-keyscan</command> command. The content
+              of the file should follow the same format as described for
+              the <literal>publicKey</literal> option.
+            '';
+          };
+        };
+      };
+
    };

  };

  config = {

-    assertions = singleton
-      { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
-        message = "cannot enable X11 forwarding without setting XAuth location";
-      };
+    assertions =
+      [ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
+          message = "cannot enable X11 forwarding without setting XAuth location";
+        }
+      ] ++ flip mapAttrsToList cfg.knownHosts (name: data: {
+        assertion = (data.publicKey == null && data.publicKeyFile != null) ||
+                    (data.publicKey != null && data.publicKeyFile == null);
+        message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
+      });

    # SSH configuration. Slight duplication of the sshd_config
    # generation in the sshd service.
@ -118,6 +182,8 @@ in
        ${cfg.extraConfig}
      '';

+    environment.etc."ssh/ssh_known_hosts".text = knownHostsText;
+
    # FIXME: this should really be socket-activated for über-awesomeness.
    systemd.user.services.ssh-agent =
      { enable = cfg.startAgent;