From e09c1aefe489d1cb2f057ed443eb47e21ef3e3d6 Mon Sep 17 00:00:00 2001
From: squat
Date: Thu, 22 May 2025 20:22:47 +0200
Subject: [PATCH 1/2] feat(services.openssh): add extraConfig option

Same interface as in NixOS: https://search.nixos.org/options?channel=unstable&show=services.openssh.extraConfig&from=0&size=50&sort=relevance&type=packages&query=services.openssh.extraConfig

This is useful to customize the behavior of the SSH daemon, e.g. to add options like `StreamLocalBindUnlink yes` to improve gpg-agent forwarding.

Signed-off-by: squat
---
 modules/services/openssh.nix | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/modules/services/openssh.nix b/modules/services/openssh.nix
index 859f79d..8d782ed 100644
--- a/modules/services/openssh.nix
+++ b/modules/services/openssh.nix
@@ -5,14 +5,25 @@ let
 in
 {
 options = {
- services.openssh.enable = lib.mkOption {
- type = lib.types.nullOr lib.types.bool;
- default = null;
- description = ''
- Whether to enable Apple's built-in OpenSSH server.
+ services.openssh = {
+ enable = lib.mkOption {
+ type = lib.types.nullOr lib.types.bool;
+ default = null;
+ description = ''
+ Whether to enable Apple's built-in OpenSSH server.
 
- The default is null which means let macOS manage the OpenSSH server.
- '';
+ The default is null which means let macOS manage the OpenSSH server.
+ '';
+ };
+
+ extraConfig = lib.mkOption {
+ type = lib.types.lines;
+ default = "";
+ description = ''
+ Extra configuration text loaded in {file}`sshd_config`.
+ See {manpage}`sshd_config(5)` for help.
+ '';
+ };
 };
 };
 
@@ -29,5 +40,7 @@ in
 launchctl disable system/com.openssh.sshd
 fi
 '');
+
+ environment.etc."ssh/sshd_config.d/100-nix-darwin.conf".text = cfg.extraConfig;
 };
 }

From 0e3b855456ca38cc2c23cf24eade14b43b72032a Mon Sep 17 00:00:00 2001
From: squat
Date: Fri, 23 May 2025 02:58:23 +0200
Subject: [PATCH 2/2] add test
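Review bot: The description of the new `extraConfig` option says the text is "loaded in sshd_config", but the second hunk of this patch writes it to a separate drop-in, `/etc/ssh/sshd_config.d/100-nix-darwin.conf`, and sshd keeps the first value it obtains for each keyword, so anything the base `sshd_config` or an earlier-sorting drop-in already sets cannot be overridden from here (I believe recent macOS releases ship their own `100-macos.conf`, which sorts before this file). The description should say where the text lands and state that precedence rule, e.g. `Extra configuration written to {file}`/etc/ssh/sshd_config.d/100-nix-darwin.conf`, which the system {file}`sshd_config` is expected to include. Because sshd uses the first obtained value for each keyword, this cannot override settings made earlier in the include order; see {manpage}`sshd_config(5)`.` Users who expect NixOS semantics, where `extraConfig` is appended to the generated `sshd_config`, will otherwise be surprised when a directive is silently ignored.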
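Review bot: The drop-in is written unconditionally, so with the default `extraConfig = ""` every system gets an empty `/etc/ssh/sshd_config.d/100-nix-darwin.conf` under `/etc`; guard it with `environment.etc."ssh/sshd_config.d/100-nix-darwin.conf" = lib.mkIf (cfg.extraConfig != "") { text = cfg.extraConfig; };` so the file only exists when something was configured. Nothing validates the text before it is activated, and sshd refuses to start on an unknown or malformed directive in an included file, so a typo here disables remote login until it is fixed at the console; a build- or activation-time syntax check of the rendered file, or at least a warning in the option description, would reduce that lockout risk. This also assumes that `cfg` is bound to `config.services.openssh` in the `let` above the hunk and that the system's `sshd_config` actually includes `sshd_config.d/*`, neither of which is visible in this patch.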
Signed-off-by: squat
---
 release.nix | 1 +
 tests/services-openssh.nix | 12 ++++++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 tests/services-openssh.nix

diff --git a/release.nix b/release.nix
index eaf3004..548c04d 100644
--- a/release.nix
+++ b/release.nix
@@ -111,6 +111,7 @@ in {
 tests.services-netdata = makeTest ./tests/services-netdata.nix;
 tests.services-ofborg = makeTest ./tests/services-ofborg.nix;
 tests.services-offlineimap = makeTest ./tests/services-offlineimap.nix;
+ tests.services-openssh = makeTest ./tests/services-openssh.nix;
 tests.services-privoxy = makeTest ./tests/services-privoxy.nix;
 tests.services-redis = makeTest ./tests/services-redis.nix;
 tests.services-skhd = makeTest ./tests/services-skhd.nix;
diff --git a/tests/services-openssh.nix b/tests/services-openssh.nix
new file mode 100644
index 0000000..5f61481
--- /dev/null
+++ b/tests/services-openssh.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+{
+ services.openssh.extraConfig = ''
+ StreamLocalBindUnlink yes
+ '';
+
+ test = ''
+ echo >&2 "checking for StreamLocalBindUnlink in /etc/ssh/ssh_known_hosts"
+ grep 'StreamLocalBindUnlink yes' ${config.out}/etc/ssh/sshd_config.d/100-nix-darwin.conf
+ '';
+}
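Review bot: The progress message in `test` names `/etc/ssh/ssh_known_hosts`, while the `grep` on the next line checks `sshd_config.d/100-nix-darwin.conf`, which looks like a copy-paste leftover and will mislead whoever reads a failing run; change it to `echo >&2 "checking for StreamLocalBindUnlink in /etc/ssh/sshd_config.d/100-nix-darwin.conf"`. The test only shows that non-empty text is copied through; it does not cover the default `extraConfig = ""` case, so a second test asserting what the drop-in looks like (absent or empty) with the default would pin that behaviour too. `pkgs` is taken as an argument but unused.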