author | Will Fancher <elvishjerricco@gmail.com> | 2024-03-29 00:24:00 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-03-29 00:24:00 -0400 |
commit | 7fc25040e209c2e30fd5580071eecc8786a7e58b (patch) | |
tree | 4a3010f42cedd36c80405d5d1e5c25fb880867c4 | |
parent | 9b09bde6e3fc9493b6a8b2a5702ac87c66505c64 (diff) | |
parent | 30036c3d109caff4a1ff8597b57f9b6953b975f5 (diff) | |
Merge pull request #277759 from onny/initrd-keyfiles
nixos/initrd-ssh: Add authorizedKeyFiles option
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2405.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/system/boot/initrd-ssh.nix | 30 |
2 files changed, 28 insertions, 4 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md index 01ba9038fa75..2909c40fa291 100644 --- a/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixos/doc/manual/release-notes/rl-2405.section.md @@ -373,6 +373,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - The Matrix homeserver [Synapse](https://element-hq.github.io/synapse/) module now supports configuring UNIX domain socket [listeners](#opt-services.matrix-synapse.settings.listeners) through the `path` option. The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets. +- The initrd ssh daemon module got a new option to add authorized keys via a list of files using `boot.initrd.network.ssh.authorizedKeyFiles`. + - Programs written in [Nim](https://nim-lang.org/) are built with libraries selected by lockfiles. The `nimPackages` and `nim2Packages` sets have been removed. See https://nixos.org/manual/nixpkgs/unstable#nim for more information. diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix index 61e61f32bc5e..43da2496d16c 100644 --- a/nixos/modules/system/boot/initrd-ssh.nix +++ b/nixos/modules/system/boot/initrd-ssh.nix 
@@ -93,6 +93,21 @@ in defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keys"; description = lib.mdDoc '' Authorized keys for the root user on initrd. + You can combine the `authorizedKeys` and `authorizedKeyFiles` options. + ''; + example = [ + "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host" + "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar" + ]; + }; + + authorizedKeyFiles = mkOption { + type = types.listOf types.path; + default = config.users.users.root.openssh.authorizedKeys.keyFiles; + defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keyFiles"; + description = lib.mdDoc '' + Authorized keys taken from files for the root user on initrd. + You can combine the `authorizedKeyFiles` and `authorizedKeys` options. ''; }; @@ -152,7 +167,7 @@ in in mkIf enabled { assertions = [ { - assertion = cfg.authorizedKeys != []; + assertion = cfg.authorizedKeys != [] || cfg.authorizedKeyFiles != []; message = "You should specify at least one authorized key for initrd SSH"; } @@ -206,6 +221,9 @@ in ${concatStrings (map (key: '' echo ${escapeShellArg key} >> /root/.ssh/authorized_keys '') cfg.authorizedKeys)} + ${concatStrings (map (keyFile: '' + cat ${keyFile} >> /root/.ssh/authorized_keys + '') cfg.authorizedKeyFiles)} ${flip concatMapStrings cfg.hostKeys (path: '' # keys from Nix store are world-readable, which sshd doesn't like 
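Review bot: The new `authorizedKeyFiles` description says where the keys come from but not when the files are read, and that is the property a user of this option needs: the systemd branch of this same change embeds each file with `lib.fileContents` at evaluation time, so the path has to be readable on the machine that builds the system, and whatever it contains ends up inside the initrd image. I would extend the description with a sentence such as "Files are read when the system is evaluated and their contents are embedded into the initrd, so they must be readable on the build host and should contain only public keys." The default inherits `users.users.root.openssh.authorizedKeys.keyFiles`, which sshd on the booted system reads at runtime; a file that exists only on the target would presumably break evaluation here, and the description should say so as well. The `options` attribute set this hunk sits in starts and ends outside the hunk.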
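Review bot: `cat ${keyFile} >> /root/.ssh/authorized_keys` interpolates the path unquoted, whereas the `authorizedKeys` loop directly above wraps its value in `escapeShellArg`, and it reads the file at boot inside the initrd instead of at build time like the systemd branch of this change does. Nothing in the hunk copies the referenced file into the initrd, so a path under the Nix store would likely be missing when `postCommands` runs, the `cat` would fail, and those keys would never reach `/root/.ssh/authorized_keys`. Embedding the contents at evaluation time keeps the two initrd flavours consistent and removes the quoting problem: `echo ${escapeShellArg (lib.fileContents keyFile)} >> /root/.ssh/authorized_keys`. If reading at runtime is intentional, the path should at least be quoted via `cat ${escapeShellArg (toString keyFile)}` and the option documented to require the file inside the initrd. The enclosing `postCommands` script begins and ends outside the hunk.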
@@ -236,9 +254,13 @@ in users.root.shell = mkIf (config.boot.initrd.network.ssh.shell != null) config.boot.initrd.network.ssh.shell; - contents."/etc/ssh/authorized_keys.d/root".text = - concatStringsSep "\n" config.boot.initrd.network.ssh.authorizedKeys; - contents."/etc/ssh/sshd_config".text = sshdConfig; + contents = { + "/etc/ssh/sshd_config".text = sshdConfig; + "/etc/ssh/authorized_keys.d/root".text = + concatStringsSep "\n" ( + config.boot.initrd.network.ssh.authorizedKeys ++ + (map (file: lib.fileContents file) config.boot.initrd.network.ssh.authorizedKeyFiles)); + }; storePaths = ["${package}/bin/sshd"]; services.sshd = { |
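Review bot: `map (file: lib.fileContents file)` reads every `authorizedKeyFiles` entry during evaluation, while the option's default is `users.users.root.openssh.authorizedKeys.keyFiles`, a list the booted system's sshd consumes at runtime and which may therefore name files that only exist on the target; enabling initrd SSH would then presumably fail to evaluate rather than fail clearly. A guard such as `assert lib.all builtins.pathExists cfg.authorizedKeyFiles;` or an `assertions` entry with a message pointing at the option would turn that into an actionable error. Either way the read-at-evaluation-time behaviour deserves a comment next to this line, e.g. `# key files are embedded at build time; they must be readable on the evaluating host`. The `boot.initrd.systemd` attribute set this hunk edits starts outside the hunk.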