author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-04-22 16:07:53 +0200 |
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-04-22 17:38:54 +0200 |
commit | 03d9e5cda0db6d4b213f595d3320eb3b69818444 (patch) | |
tree | e5d12904948c86e3c5a30f7aab2238239c043fe7 /nixos | |
parent | 83b43cfe51a8283f790d9435971a1da7122d5074 (diff) | |
sshd: Add support for socket activation
By enabling ‘services.openssh.startWhenNeeded’, sshd is started on-demand by systemd using socket activation. This is particularly useful if you have a zillion containers and don't want to have sshd running permanently. Note that socket activation is not noticeably slower, contrary to what the manpage for ‘sshd -i’ says, so we might want to make this the default one day.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 83 | ||||
-rw-r--r-- | nixos/modules/virtualisation/container-config.nix | 3 |
2 files changed, 61 insertions, 25 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index d666b462d157..554cc6a1c3fc 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -86,6 +86,16 @@ in
 '';
 };
 
+ startWhenNeeded = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ If set, <command>sshd</command> is socket-activated; that
+ is, instead of having it permanently running as a daemon,
+ systemd will start an instance for each incoming connection.
+ '';
+ };
+
 forwardX11 = mkOption {
 type = types.bool;
 default = cfgc.setXAuthLocation;
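Review bot: The `startWhenNeeded` description does not tell users that enabling it changes the unit layout — the second hunk of this file installs `sockets.sshd` and `services."sshd@"` instead of `services.sshd`, so there is no `sshd.service` to restart, order after, or reference from other modules. That is a practical surprise for anyone running `systemctl restart sshd` or wiring `after = [ "sshd.service" ]` elsewhere, and it is not stated anywhere in the option text. I would extend the description with a sentence such as: `Note that in this mode there is no sshd.service unit; connections are accepted by sshd.socket and each is handled by a separate sshd@.service instance.` The enclosing options attribute set starts and ends outside this hunk.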
@@ -248,37 +258,60 @@ in } ]; - systemd.services.sshd = - { description = "SSH Daemon"; - - wantedBy = [ "multi-user.target" ]; + systemd = + let + service = + { description = "SSH Daemon"; + + wantedBy = optional (!cfg.startWhenNeeded) "multi-user.target"; + + stopIfChanged = false; + + path = [ pkgs.openssh pkgs.gawk ]; + + environment.LD_LIBRARY_PATH = nssModulesPath; + + preStart = + '' + mkdir -m 0755 -p /etc/ssh + + ${flip concatMapStrings cfg.hostKeys (k: '' + if ! [ -f "${k.path}" ]; then + ssh-keygen -t "${k.type}" -b "${toString k.bits}" -f "${k.path}" -N "" + fi + '')} + ''; + + serviceConfig = + { ExecStart = + "${pkgs.openssh}/sbin/sshd " + (optionalString cfg.startWhenNeeded "-i ") + + "-f ${pkgs.writeText "sshd_config" cfg.extraConfig}"; + KillMode = "process"; + } // (if cfg.startWhenNeeded then { + StandardInput = "socket"; + } else { + Restart = "always"; + Type = "forking"; + PIDFile = "/run/sshd.pid"; + }); + }; + in - stopIfChanged = false; + if cfg.startWhenNeeded then { - path = [ pkgs.openssh pkgs.gawk ]; + sockets.sshd = + { description = "SSH Socket"; + wantedBy = [ "sockets.target" ]; + socketConfig.ListenStream = cfg.ports; + socketConfig.Accept = true; + }; - environment.LD_LIBRARY_PATH = nssModulesPath; + services."sshd@" = service; - preStart = - '' - mkdir -m 0755 -p /etc/ssh + } else { - ${flip concatMapStrings cfg.hostKeys (k: '' - if ! [ -f "${k.path}" ]; then - ssh-keygen -t "${k.type}" -b "${toString k.bits}" -f "${k.path}" -N "" - fi - '')} - ''; + services.sshd = service; - serviceConfig = - { ExecStart = - "${pkgs.openssh}/sbin/sshd " + - "-f ${pkgs.writeText "sshd_config" cfg.extraConfig}"; - Restart = "always"; - Type = "forking"; - KillMode = "process"; - PIDFile = "/run/sshd.pid"; - }; }; networking.firewall.allowedTCPPorts = cfg.ports; diff --git a/nixos/modules/virtualisation/container-config.nix b/nixos/modules/virtualisation/container-config.nix index 195a8056bf82..b81f97f2b4ec 100644 
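Review bot: With `services."sshd@" = service`, the host-key `preStart` now runs in every per-connection instance, so two connections that arrive before a key file exists can both pass `! [ -f "${k.path}" ]` and run `ssh-keygen` at the same time; the loser would find the file already present and, as far as I can tell, prompt for overwrite on its stdin, which under `StandardInput = "socket"` is the client connection. Generating the keys once — for example in a oneshot unit that `sockets.sshd` is ordered `after` and `requires`, or in the socket's own `ExecStartPre` — would keep key generation out of the per-connection path and out of the race. Separately, because `socketConfig.Accept = true` makes every connection its own `sshd -i`, sshd's `MaxStartups` throttling no longer sees other unauthenticated connections; the effective cap on concurrent pre-auth connections is systemd's `MaxConnections=` (64 by default), which is worth stating explicitly, e.g. `socketConfig.MaxConnections = 64;` with a comment noting why `MaxStartups` does not apply in this mode. The `systemd` attribute begins inside this hunk, but the enclosing `config` block starts and ends outside it.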
--- a/nixos/modules/virtualisation/container-config.nix +++ b/nixos/modules/virtualisation/container-config.nix @@ -12,6 +12,9 @@ with lib; networking.useHostResolvConf = true; + # Containers should be light-weight, so start sshd on demand. + services.openssh.startWhenNeeded = mkDefault true; + # Shut up warnings about not having a boot loader. system.build.installBootLoader = "${pkgs.coreutils}/bin/true"; |