pyrox.dev / nixpkgs
lol
fork atom

nixos/services.openssh: Allow knownHost keys to have multiple lines.

Useful for adding several public keys of different types for the same host.

Rickard Nilsson 77ff279f 6f319055

options
unified split
Changed files
+14 -7
nixos
modules
services
networking
ssh
sshd.nix
+14 -7
nixos/modules/services/networking/ssh/sshd.nix 
···

       
17

       
 

       



     

       
18

       
 

       
  knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts);


     

       
19

       
 

       



     

       
20

       
-

       
  knownHostsFile = pkgs.writeText "ssh_known_hosts" (


     

       
21

       
-

       
    flip concatMapStrings knownHosts (h: ''


     

       
22

       
-

       
      ${concatStringsSep "," h.hostNames} ${if h.publicKey != null then h.publicKey else readFile h.publicKeyFile}


     

       
23

       
-

       
    '')


     

       
24

       
-

       
  );


     

       

       

       
     

       

       

       
     

       
25

       
 

       



     

       
26

       
 

       
  userOptions = {


     

       
27

       
 

       



     
···

       
254

       
 

       
            description = ''


     

       
255

       
 

       
              The public key data for the host. You can fetch a public key


     

       
256

       
 

       
              from a running SSH server with the <command>ssh-keyscan</command>


     

       
257

       
-

       
              command.


     

       

       

       
     

       

       

       
     

       

       

       
     

       
258

       
 

       
            '';


     

       
259

       
 

       
          };


     

       
260

       
 

       
          publicKeyFile = mkOption {


     
···

       
264

       
 

       
              The path to the public key file for the host. The public


     

       
265

       
 

       
              key file is read at build time and saved in the Nix store.


     

       
266

       
 

       
              You can fetch a public key file from a running SSH server


     

       
267

       
-

       
              with the <command>ssh-keyscan</command> command.


     

       

       

       
     

       

       

       
     

       
268

       
 

       
            '';


     

       
269

       
 

       
          };


     

       
270

       
 

       
        };


     
···

       
17

       
 

       



     

       
18

       
 

       
  knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts);


     

       
19

       
 

       



     

       
20

       
+

       
  knownHostsFile = pkgs.runCommand "ssh_known_hosts" {} ''


     

       
21

       
+

       
    #!${pkgs.bash}/bin/bash


     

       
22

       
+

       
    ${flip concatMapStrings knownHosts (h: ''


     

       
23

       
+

       
      pubkeyfile=${builtins.toFile "host.pub" (if h.publicKey == null then readFile h.publicKeyFile else h.publicKey)}


     

       
24

       
+

       
      ${pkgs.gnused}/bin/sed 's/^/${concatStringsSep "," h.hostNames} /' $pubkeyfile >> $out


     

       
25

       
+

       
    '')}


     

       
26

       
+

       
  '';


     

       
27

       
 

       



     

       
28

       
 

       
  userOptions = {


     

       
29

       
 

       



     
···

       
256

       
 

       
            description = ''


     

       
257

       
 

       
              The public key data for the host. You can fetch a public key


     

       
258

       
 

       
              from a running SSH server with the <command>ssh-keyscan</command>


     

       
259

       
+

       
              command. The public key should not include any host names, only


     

       
260

       
+

       
              the key type and the key itself. It is allowed to add several


     

       
261

       
+

       
              lines here, each line will be treated as type/key pair and the


     

       
262

       
+

       
              host names will be prepended to each line.


     

       
263

       
 

       
            '';


     

       
264

       
 

       
          };


     

       
265

       
 

       
          publicKeyFile = mkOption {


     
···

       
269

       
 

       
              The path to the public key file for the host. The public


     

       
270

       
 

       
              key file is read at build time and saved in the Nix store.


     

       
271

       
 

       
              You can fetch a public key file from a running SSH server


     

       
272

       
+

       
              with the <command>ssh-keyscan</command> command. The content


     

       
273

       
+

       
              of the file should follow the same format as described for


     

       
274

       
+

       
              the <literal>publicKey</literal> option.


     

       
275

       
 

       
            '';


     

       
276

       
 

       
          };


     

       
277

       
 

       
        };