···

       
373
       
373
       
 
       
- The Matrix homeserver [Synapse](https://element-hq.github.io/synapse/) module now supports configuring UNIX domain socket [listeners](#opt-services.matrix-synapse.settings.listeners) through the `path` option.

     

       
374
       
374
       
 
       
  The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets.

     

       
375
       
375
       
 
       


     

       
376
       
376
       
+
       
- The initrd ssh daemon module got a new option to add authorized keys via a list of files using `boot.initrd.network.ssh.authorizedKeyFiles`.

     

       
377
       
377
       
+
       


     

       
376
       
378
       
 
       
- Programs written in [Nim](https://nim-lang.org/) are built with libraries selected by lockfiles.

     

       
377
       
379
       
 
       
  The `nimPackages` and `nim2Packages` sets have been removed.

     

       
378
       
380
       
 
       
  See https://nixos.org/manual/nixpkgs/unstable#nim for more information.

     

···

       
93
       
93
       
 
       
      defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keys";

     

       
94
       
94
       
 
       
      description = lib.mdDoc ''

     

       
95
       
95
       
 
       
        Authorized keys for the root user on initrd.

     

       
96
       
96
       
+
       
        You can combine the `authorizedKeys` and `authorizedKeyFiles` options.

     

       
97
       
97
       
+
       
      '';

     

       
98
       
98
       
+
       
      example = [

     

       
99
       
99
       
+
       
        "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host"

     

       
100
       
100
       
+
       
        "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar"

     

       
101
       
101
       
+
       
      ];

     

       
102
       
102
       
+
       
    };

     

       
103
       
103
       
+
       


     

       
104
       
104
       
+
       
    authorizedKeyFiles = mkOption {

     

       
105
       
105
       
+
       
      type = types.listOf types.path;

     

       
106
       
106
       
+
       
      default = config.users.users.root.openssh.authorizedKeys.keyFiles;

     

       
107
       
107
       
+
       
      defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keyFiles";

     

       
108
       
108
       
+
       
      description = lib.mdDoc ''

     

       
109
       
109
       
+
       
        Authorized keys taken from files for the root user on initrd.

     

       
110
       
110
       
+
       
        You can combine the `authorizedKeyFiles` and `authorizedKeys` options.

     

       
96
       
111
       
 
       
      '';

     

       
97
       
112
       
 
       
    };

     

       
98
       
113
       
 
       


     
···

       
152
       
167
       
 
       
  in mkIf enabled {

     

       
153
       
168
       
 
       
    assertions = [

     

       
154
       
169
       
 
       
      {

     

       
155
       
155
       
-
       
        assertion = cfg.authorizedKeys != [];

     

       
170
       
170
       
+
       
        assertion = cfg.authorizedKeys != [] || cfg.authorizedKeyFiles != [];

     

       
156
       
171
       
 
       
        message = "You should specify at least one authorized key for initrd SSH";

     

       
157
       
172
       
 
       
      }

     

       
158
       
173
       
 
       


     
···

       
206
       
221
       
 
       
      ${concatStrings (map (key: ''

     

       
207
       
222
       
 
       
        echo ${escapeShellArg key} >> /root/.ssh/authorized_keys

     

       
208
       
223
       
 
       
      '') cfg.authorizedKeys)}

     

       
224
       
224
       
+
       
      ${concatStrings (map (keyFile: ''

     

       
225
       
225
       
+
       
        cat ${keyFile} >> /root/.ssh/authorized_keys

     

       
226
       
226
       
+
       
      '') cfg.authorizedKeyFiles)}

     

       
209
       
227
       
 
       


     

       
210
       
228
       
 
       
      ${flip concatMapStrings cfg.hostKeys (path: ''

     

       
211
       
229
       
 
       
        # keys from Nix store are world-readable, which sshd doesn't like

     
···

       
236
       
254
       
 
       


     

       
237
       
255
       
 
       
      users.root.shell = mkIf (config.boot.initrd.network.ssh.shell != null) config.boot.initrd.network.ssh.shell;

     

       
238
       
256
       
 
       


     

       
239
       
239
       
-
       
      contents."/etc/ssh/authorized_keys.d/root".text =

     

       
240
       
240
       
-
       
        concatStringsSep "\n" config.boot.initrd.network.ssh.authorizedKeys;

     

       
241
       
241
       
-
       
      contents."/etc/ssh/sshd_config".text = sshdConfig;

     

       
257
       
257
       
+
       
      contents = {

     

       
258
       
258
       
+
       
        "/etc/ssh/sshd_config".text = sshdConfig;

     

       
259
       
259
       
+
       
        "/etc/ssh/authorized_keys.d/root".text =

     

       
260
       
260
       
+
       
          concatStringsSep "\n" (

     

       
261
       
261
       
+
       
            config.boot.initrd.network.ssh.authorizedKeys ++

     

       
262
       
262
       
+
       
            (map (file: lib.fileContents file) config.boot.initrd.network.ssh.authorizedKeyFiles));

     

       
263
       
263
       
+
       
      };

     

       
242
       
264
       
 
       
      storePaths = ["${package}/bin/sshd"];

     

       
243
       
265
       
 
       


     

       
244
       
266
       
 
       
      services.sshd = {