Diffstat (limited to 'nixos/modules/programs/ssh.nix')
-rw-r--r--nixos/modules/programs/ssh.nix75
1 files changed, 75 insertions, 0 deletions
diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix
new file mode 100644
index 000000000000..a66679dff90d
--- /dev/null
+++ b/nixos/modules/programs/ssh.nix
@@ -0,0 +1,75 @@
+# Global configuration for the SSH client.
+
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let cfg  = config.programs.ssh;
+    cfgd = config.services.openssh;
+
+in
+{
+  ###### interface
+
+  options = {
+
+    programs.ssh = {
+
+      forwardX11 = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to request X11 forwarding on outgoing connections by default.
+          This is useful for running graphical programs on the remote machine and have them display to your local X11 server.
+          Historically, this value has depended on the value used by the local sshd daemon, but there really isn't a relation between the two.
+          Note: there are some security risks to forwarding an X11 connection.
+          NixOS's X server is built with the SECURITY extension, which prevents some obvious attacks.
+          To enable or disable forwarding on a per-connection basis, see the -X and -x options to ssh.
+          The -Y option to ssh enables trusted forwarding, which bypasses the SECURITY extension.
+        '';
+      };
+
+      setXAuthLocation = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether to set the path to <command>xauth</command> for X11-forwarded connections.
+          This causes a dependency on X11 packages.
+        '';
+      };
+
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        description = ''
+          Extra configuration text appended to <filename>ssh_config</filename>.
+          See <citerefentry><refentrytitle>ssh_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+          for help.
+        '';
+      };
+    };
+  };
+
+  config = {
+
+    assertions = singleton
+      { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
+        message = "cannot enable X11 forwarding without setting XAuth location";
+      };
+
+    environment.etc =
+      [ { # SSH configuration.  Slight duplication of the sshd_config
+          # generation in the sshd service.
+          source = pkgs.writeText "ssh_config" ''
+            AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
+            ${optionalString cfg.setXAuthLocation ''
+              XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
+            ''}
+            ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}
+            ${cfg.extraConfig}
+          '';
+          target = "ssh/ssh_config";
+        }
+      ];
+  };
+}
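Review bot: `${cfg.extraConfig}` is spliced in after the module's own `AddressFamily` and `ForwardX11` lines, but ssh_config(5) uses the first value obtained for each parameter, so a user who writes `ForwardX11 yes` (or another `AddressFamily`) in extraConfig while the option is left at its default will have that line silently ignored rather than applied. Either emit extraConfig before the generated lines or state the limitation in the option's description, e.g. `Note that ssh uses the first value it finds for each parameter, so settings already emitted by this module cannot be overridden here.`; the current text gives no hint of this. Separately, `cfgd = config.services.openssh;` in the let block is never referenced in this file and can be dropped to avoid suggesting a coupling to the sshd module that does not exist.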