From 04b04f4b9dcf037ac3feda91d617c3f44b603007 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Thu, 19 Jun 2025 10:38:39 +0700 Subject: [PATCH 1/5] programs/ssh: move to match path in NixOS --- modules/module-list.nix | 2 +- modules/programs/{ssh/default.nix => ssh.nix} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename modules/programs/{ssh/default.nix => ssh.nix} (100%) diff --git a/modules/module-list.nix b/modules/module-list.nix index ff57502..e31cf24 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -113,7 +113,7 @@ ./programs/man.nix ./programs/info ./programs/nix-index - ./programs/ssh + ./programs/ssh.nix ./programs/tmux.nix ./programs/vim.nix ./programs/zsh diff --git a/modules/programs/ssh/default.nix b/modules/programs/ssh.nix similarity index 100% rename from modules/programs/ssh/default.nix rename to modules/programs/ssh.nix From 2d257c09a1bdcaadf1574e0c6f2f284ee457602d Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Thu, 19 Jun 2025 10:25:52 +0700 Subject: [PATCH 2/5] programs.ssh.knownHosts: update example to be an attrset Backport https://github.com/NixOS/nixpkgs/commit/4f11c06fac92bc19b764a9248df416f20ff5ad03 Co-authored-by: Florian Klink --- modules/programs/ssh.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/programs/ssh.nix b/modules/programs/ssh.nix index 1e87732..93c79fd 100644 --- a/modules/programs/ssh.nix +++ b/modules/programs/ssh.nix @@ -130,16 +130,16 @@ in The set of system-wide known SSH hosts. ''; example = literalExpression '' - [ - { + { + myhost = { hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ]; publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub; - } - { + }; + myhost2 = { hostNames = [ "myhost2" ]; publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub; - } - ] + }; + } ''; }; }; From 9d5b27bc93a3c845f4e834182c1112b34ead7ffe Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Thu, 19 Jun 2025 10:25:23 +0700 Subject: [PATCH 3/5] modules/programs/ssh: knownHosts -> extraKnownHosts Backport https://github.com/NixOS/nixpkgs/commit/8fa2e787f1400fd636983c9865ce0ef6cd3d193d Co-authored-by: Taeer Bar-Yam --- modules/programs/ssh.nix | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/modules/programs/ssh.nix b/modules/programs/ssh.nix index 93c79fd..0ac2e7c 100644 --- a/modules/programs/ssh.nix +++ b/modules/programs/ssh.nix @@ -5,10 +5,10 @@ with lib; let cfg = config.programs.ssh; - knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts); + knownHosts = attrValues cfg.knownHosts; host = - { name, ... }: + { name, config, ... }: { options = { certAuthority = lib.mkOption { @@ -21,12 +21,21 @@ let }; hostNames = mkOption { type = types.listOf types.str; - default = []; + default = [ name ] ++ config.extraHostNames; description = '' + DEPRECATED, please use extraHostNames. A list of host names and/or IP numbers used for accessing the host's ssh service. ''; }; + extraHostNames = mkOption { + type = types.listOf types.str; + default = []; + description = '' + A list of additional host names and/or IP numbers used for + accessing the host's ssh service. + ''; + }; publicKey = mkOption { default = null; type = types.nullOr types.str; @@ -51,9 +60,6 @@ let ''; }; }; - config = { - hostNames = mkDefault [ name ]; - }; }; # Taken from: https://github.com/NixOS/nixpkgs/blob/f4aa6afa5f934ece2d1eb3157e392d056be01617/nixos/modules/services/networking/ssh/sshd.nix#L46-L93 userOptions = { @@ -132,13 +138,10 @@ in example = literalExpression '' { myhost = { - hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ]; + extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ]; publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub; }; - myhost2 = { - hostNames = [ "myhost2" ]; - publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub; - }; + "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK"; } ''; }; @@ -152,6 +155,9 @@ in message = "knownHost ${name} must contain either a publicKey or publicKeyFile"; }); + warnings = mapAttrsToList (name: _: ''programs.ssh.knownHosts.${name}.hostNames is deprecated use programs.ssh.knownHosts.${name}.extraHostNames'') + (filterAttrs (name: {hostNames, extraHostNames, ...}: hostNames != [ name ] ++ extraHostNames) cfg.knownHosts); + environment.etc = authKeysFiles // { "ssh/ssh_known_hosts" = mkIf (builtins.length knownHosts > 0) { text = (flip (concatMapStringsSep "\n") knownHosts From a991859d1f404e89875e744517fc79bb79f8e0ff Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Thu, 19 Jun 2025 10:28:27 +0700 Subject: [PATCH 4/5] =?UTF-8?q?nixos/ssh:=20undeprecate=20knownHosts.?= =?UTF-8?q?=C2=ABname=C2=BB.hostNames?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Backport https://github.com/NixOS/nixpkgs/commit/e9f17a9f45e8466b34be1fededb70713b13d901c Co-authored-by: pennae --- modules/programs/ssh.nix | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/modules/programs/ssh.nix b/modules/programs/ssh.nix index 0ac2e7c..61bce34 100644 --- a/modules/programs/ssh.nix +++ b/modules/programs/ssh.nix @@ -23,9 +23,12 @@ let type = types.listOf types.str; default = [ name ] ++ config.extraHostNames; description = '' - DEPRECATED, please use extraHostNames. - A list of host names and/or IP numbers used for accessing - the host's ssh service. + The set of system-wide known SSH hosts. To make simple setups more + convenient the name of an attribute in this set is used as a host name + for the entry. This behaviour can be disabled by setting + `hostNames` explicitly. You can use + `extraHostNames` to add additional host names without + disabling this default. ''; }; extraHostNames = mkOption { @@ -33,7 +36,8 @@ let default = []; description = '' A list of additional host names and/or IP numbers used for - accessing the host's ssh service. + accessing the host's ssh service. This list is ignored if + `hostNames` is set explicitly. ''; }; publicKey = mkOption { @@ -133,7 +137,12 @@ in default = {}; type = types.attrsOf (types.submodule host); description = '' - The set of system-wide known SSH hosts. + The set of system-wide known SSH hosts. To make simple setups more + convenient the name of an attribute in this set is used as a host name + for the entry. This behaviour can be disabled by setting + `hostNames` explicitly. You can use + `extraHostNames` to add additional host names without + disabling this default. ''; example = literalExpression '' { @@ -142,6 +151,10 @@ in publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub; }; "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK"; + "myhost2.net/dsa" = { + hostNames = [ "myhost2.net" ]; + publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub; + }; } ''; }; @@ -155,9 +168,6 @@ in message = "knownHost ${name} must contain either a publicKey or publicKeyFile"; }); - warnings = mapAttrsToList (name: _: ''programs.ssh.knownHosts.${name}.hostNames is deprecated use programs.ssh.knownHosts.${name}.extraHostNames'') - (filterAttrs (name: {hostNames, extraHostNames, ...}: hostNames != [ name ] ++ extraHostNames) cfg.knownHosts); - environment.etc = authKeysFiles // { "ssh/ssh_known_hosts" = mkIf (builtins.length knownHosts > 0) { text = (flip (concatMapStringsSep "\n") knownHosts From 82566dd25414241193275f49a645680b23a4c107 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Thu, 19 Jun 2025 10:52:01 +0700 Subject: [PATCH 5/5] programs/ssh: remove `with lib;` --- modules/programs/ssh.nix | 62 +++++++++++++++++++--------------------- 1 file changed, 30 insertions(+), 32 deletions(-) diff --git a/modules/programs/ssh.nix b/modules/programs/ssh.nix index 61bce34..0a7233e 100644 --- a/modules/programs/ssh.nix +++ b/modules/programs/ssh.nix @@ -1,11 +1,9 @@ { config, lib, ... }: -with lib; - let cfg = config.programs.ssh; - knownHosts = attrValues cfg.knownHosts; + knownHosts = builtins.attrValues cfg.knownHosts; host = { name, config, ... }: @@ -19,8 +17,8 @@ let individual host's key. ''; }; - hostNames = mkOption { - type = types.listOf types.str; + hostNames = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ name ] ++ config.extraHostNames; description = '' The set of system-wide known SSH hosts. To make simple setups more @@ -31,8 +29,8 @@ let disabling this default. ''; }; - extraHostNames = mkOption { - type = types.listOf types.str; + extraHostNames = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; description = '' A list of additional host names and/or IP numbers used for @@ -40,9 +38,9 @@ let `hostNames` is set explicitly. ''; }; - publicKey = mkOption { + publicKey = lib.mkOption { default = null; - type = types.nullOr types.str; + type = lib.types.nullOr lib.types.str; example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg=="; description = '' The public key data for the host. You can fetch a public key @@ -51,9 +49,9 @@ let the key type and the key itself. ''; }; - publicKeyFile = mkOption { + publicKeyFile = lib.mkOption { default = null; - type = types.nullOr types.path; + type = lib.types.nullOr lib.types.path; description = '' The path to the public key file for the host. The public key file is read at build time and saved in the Nix store. @@ -69,8 +67,8 @@ let userOptions = { options.openssh.authorizedKeys = { - keys = mkOption { - type = types.listOf types.str; + keys = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; description = '' A list of verbatim OpenSSH public keys that should be added to the @@ -83,8 +81,8 @@ let ''; }; - keyFiles = mkOption { - type = types.listOf types.path; + keyFiles = lib.mkOption { + type = lib.types.listOf lib.types.path; default = []; description = '' A list of files each containing one OpenSSH public key that should be @@ -99,29 +97,29 @@ let }; authKeysFiles = let - mkAuthKeyFile = u: nameValuePair "ssh/nix_authorized_keys.d/${u.name}" { + mkAuthKeyFile = u: lib.nameValuePair "ssh/nix_authorized_keys.d/${u.name}" { text = '' - ${concatStringsSep "\n" u.openssh.authorizedKeys.keys} - ${concatMapStrings (f: readFile f + "\n") u.openssh.authorizedKeys.keyFiles} + ${builtins.concatStringsSep "\n" u.openssh.authorizedKeys.keys} + ${lib.concatMapStrings (f: builtins.readFile f + "\n") u.openssh.authorizedKeys.keyFiles} ''; }; - usersWithKeys = attrValues (flip filterAttrs config.users.users (n: u: - length u.openssh.authorizedKeys.keys != 0 || length u.openssh.authorizedKeys.keyFiles != 0 + usersWithKeys = builtins.attrValues (lib.flip lib.filterAttrs config.users.users (n: u: + lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0 )); - in listToAttrs (map mkAuthKeyFile usersWithKeys); + in lib.listToAttrs (map mkAuthKeyFile usersWithKeys); oldAuthorizedKeysHash = "5a5dc1e20e8abc162ad1cc0259bfd1dbb77981013d87625f97d9bd215175fc0a"; in { imports = [ - (mkRemovedOptionModule [ "services" "openssh" "authorizedKeysFiles" ] "No `nix-darwin` equivalent to this NixOS option.") + (lib.mkRemovedOptionModule [ "services" "openssh" "authorizedKeysFiles" ] "No `nix-darwin` equivalent to this NixOS option.") ]; options = { - users.users = mkOption { - type = with types; attrsOf (submodule userOptions); + users.users = lib.mkOption { + type = with lib.types; attrsOf (submodule userOptions); }; programs.ssh.extraConfig = lib.mkOption { @@ -133,9 +131,9 @@ in ''; }; - programs.ssh.knownHosts = mkOption { + programs.ssh.knownHosts = lib.mkOption { default = {}; - type = types.attrsOf (types.submodule host); + type = lib.types.attrsOf (lib.types.submodule host); description = '' The set of system-wide known SSH hosts. To make simple setups more convenient the name of an attribute in this set is used as a host name @@ -144,7 +142,7 @@ in `extraHostNames` to add additional host names without disabling this default. ''; - example = literalExpression '' + example = lib.literalExpression '' { myhost = { extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ]; @@ -162,18 +160,18 @@ in config = { - assertions = flip mapAttrsToList cfg.knownHosts (name: data: { + assertions = lib.flip lib.mapAttrsToList cfg.knownHosts (name: data: { assertion = (data.publicKey == null && data.publicKeyFile != null) || (data.publicKey != null && data.publicKeyFile == null); message = "knownHost ${name} must contain either a publicKey or publicKeyFile"; }); environment.etc = authKeysFiles // - { "ssh/ssh_known_hosts" = mkIf (builtins.length knownHosts > 0) { - text = (flip (concatMapStringsSep "\n") knownHosts + { "ssh/ssh_known_hosts" = lib.mkIf (builtins.length knownHosts > 0) { + text = (lib.flip (lib.concatMapStringsSep "\n") knownHosts (h: assert h.hostNames != []; - lib.optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " " - + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile) + lib.optionalString h.certAuthority "@cert-authority " + builtins.concatStringsSep "," h.hostNames + " " + + (if h.publicKey != null then h.publicKey else builtins.readFile h.publicKeyFile) )) + "\n"; }; "ssh/ssh_config.d/100-nix-darwin.conf".text = config.programs.ssh.extraConfig;