author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-08-27 15:24:14 +0200 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-08-27 15:32:46 +0200 |
commit | 287c08d8a319fc454e3d1ce90510f7a53e9d4e5d (patch) | |
tree | db4d2bec31235cf35155c86314ea5d563dbdfea6 /nixos/modules/programs/ssh.nix | |
parent | f15270833ad3e843619fc953e4b28e2d9499b3f2 (diff) | |
Rename services.openssh.knownHosts -> programs.ssh.knownHosts
This option configures the SSH client, not the server.
Diffstat (limited to 'nixos/modules/programs/ssh.nix')
-rw-r--r-- | nixos/modules/programs/ssh.nix | 74 |
1 files changed, 70 insertions, 4 deletions
diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix
index d3183f7d2dc7..e9ad47adec9e 100644
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -18,6 +18,14 @@ let
 exec ${askPassword}
 '';
 
+ knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts);
+
+ knownHostsText = flip (concatMapStringsSep "\n") knownHosts
+ (h:
+ concatStringsSep "," h.hostNames + " "
+ + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
+ );
+
 in
 {
 ###### interface
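Review bot: The first added line in the `let` hunk, `knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts);`, is a roundabout spelling of `knownHosts = attrValues cfg.knownHosts;`, which reads more directly and is already available from the same lib scope. Separately, `knownHostsText` emits each `publicKey` string or `readFile h.publicKeyFile` content verbatim, so a value ending in a newline (as `ssh-keyscan` output and most `.pub` files do) or spanning several lines yields blank or extra entries in the generated system-wide ssh_known_hosts; trimming a trailing newline (for example `removeSuffix "\n"`) or asserting the value is a single line would make the trust file's content predictable. Whether multi-line values are rejected elsewhere is not visible in this hunk; the assertions added later in the commit only check which of the two fields is set.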
@@ -92,16 +100,72 @@ in
 '';
 };
 
+ knownHosts = mkOption {
+ default = {};
+ type = types.loaOf types.optionSet;
+ description = ''
+ The set of system-wide known SSH hosts.
+ '';
+ example = [
+ {
+ hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ];
+ publicKeyFile = literalExample "./pubkeys/myhost_ssh_host_dsa_key.pub";
+ }
+ {
+ hostNames = [ "myhost2" ];
+ publicKeyFile = literalExample "./pubkeys/myhost2_ssh_host_dsa_key.pub";
+ }
+ ];
+ options = {
+ hostNames = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = ''
+ A list of host names and/or IP numbers used for accessing
+ the host's ssh service.
+ '';
+ };
+ publicKey = mkOption {
+ default = null;
+ type = types.nullOr types.str;
+ example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
+ description = ''
+ The public key data for the host. You can fetch a public key
+ from a running SSH server with the <command>ssh-keyscan</command>
+ command. The public key should not include any host names, only
+ the key type and the key itself.
+ '';
+ };
+ publicKeyFile = mkOption {
+ default = null;
+ type = types.nullOr types.path;
+ description = ''
+ The path to the public key file for the host. The public
+ key file is read at build time and saved in the Nix store.
+ You can fetch a public key file from a running SSH server
+ with the <command>ssh-keyscan</command> command. The content
+ of the file should follow the same format as described for
+ the <literal>publicKey</literal> option.
+ '';
+ };
+ };
+ };
+
 };
 
 };
 
 config = {
 
- assertions = singleton
- { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
- message = "cannot enable X11 forwarding without setting XAuth location";
- };
+ assertions =
+ [ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
+ message = "cannot enable X11 forwarding without setting XAuth location";
+ }
+ ] ++ flip mapAttrsToList cfg.knownHosts (name: data: {
+ assertion = (data.publicKey == null && data.publicKeyFile != null) ||
+ (data.publicKey != null && data.publicKeyFile == null);
+ message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
+ });
 
 # SSH configuration. Slight duplication of the sshd_config
 # generation in the sshd service.
@@ -118,6 +182,8 @@ in
 ${cfg.extraConfig}
 '';
 
+ environment.etc."ssh/ssh_known_hosts".text = knownHostsText;
+
 # FIXME: this should really be socket-activated for über-awesomeness.
 systemd.user.services.ssh-agent = {
 enable = cfg.startAgent;
|
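Review bot: The new per-host assertion in the `config` block checks that exactly one of `publicKey` and `publicKeyFile` is set but not that `hostNames` is non-empty, although its declared default is `[]`; such an entry is still rendered into ssh_known_hosts as a key with no host pattern in front of it. Extending the assertion to `assertion = data.hostNames != [] && ((data.publicKey == null && data.publicKeyFile != null) || (data.publicKey != null && data.publicKeyFile == null));` with a message mentioning `hostNames` would reject it at evaluation time. On the documentation side, the `example` for `knownHosts` refers to `myhost_ssh_host_dsa_key.pub` files while the `publicKey` example shows an ECDSA key; since OpenSSH has deprecated DSA host keys, naming the example files after an ed25519, ECDSA or RSA host key would avoid steering readers toward a key type their client will refuse.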
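Review bot: `environment.etc."ssh/ssh_known_hosts".text = knownHostsText;` in the last hunk is set unconditionally, so a system with no `programs.ssh.knownHosts` entries now gets an empty, NixOS-managed /etc/ssh/ssh_known_hosts where previously nothing was generated for it. If that is not intended, `environment.etc."ssh/ssh_known_hosts" = mkIf (cfg.knownHosts != {}) { text = knownHostsText; };` keeps the old behaviour for users of the previous file. The commit message describes this as a rename from `services.openssh.knownHosts`; a renamed-option alias for the old path is not visible in this file's diff, and without one, existing configurations would evaluate with an empty host list and silently lose the host keys they had pinned.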