commit db5f88c41a638e4ff1f67a61310a6e958eaa07a8 · pyrox.dev/nixpkgs

+11

nixos/doc/manual/release-notes/rl-2405.section.md

···

       533
        
       - `services.postgresql.extraPlugins` changed its type from just a list of packages to also a function that returns such a list.

     

       534
        
         For example a config line like ``services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ];`` is recommended to be changed to ``services.postgresql.extraPlugins = ps: with ps; [ postgis ];``;

     

       535
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       536
        
       - [`matrix-synapse`](https://element-hq.github.io/synapse/) homeserver module now supports configuring UNIX domain socket [`listeners`](#opt-services.matrix-synapse.settings.listeners) through the `path` option.

     

       537
        
         The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets.

     

       538

···

       533
        
       - `services.postgresql.extraPlugins` changed its type from just a list of packages to also a function that returns such a list.

     

       534
        
         For example a config line like ``services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ];`` is recommended to be changed to ``services.postgresql.extraPlugins = ps: with ps; [ postgis ];``;

     

       535
        
       

     

       536
       +
       - `services.openssh` now has an option `authorizedKeysInHomedir`, controlling whether `~/.ssh/authorizedKeys` is

     

       537
       +
         added to `authorizedKeysFiles`.

     

       538
       +
         ::: {.note}

     

       539
       +
         This option currently defaults to `true` for NixOS 24.05, preserving the previous behaviour.

     

       540
       +
         This is expected to change in NixOS 24.11.

     

       541
       +
         :::

     

       542
       +
         ::: {.warning}

     

       543
       +
         Users should check that their SSH keys are in `users.users.*.openssh`, or that they have another way to access

     

       544
       +
         and administer the system, before setting this option to `false`.

     

       545
       +
         :::

     

       546
       +
       

     

       547
        
       - [`matrix-synapse`](https://element-hq.github.io/synapse/) homeserver module now supports configuring UNIX domain socket [`listeners`](#opt-services.matrix-synapse.settings.listeners) through the `path` option.

     

       548
        
         The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets.

     

       549

+12 -1

nixos/modules/services/networking/ssh/sshd.nix

···

       296
        
               '';

     

       297
        
             };

     

       298
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       299
        
             authorizedKeysCommand = mkOption {

     

       300
        
               type = types.str;

     

       301
        
               default = "none";

     
···

       635
        
           # https://github.com/NixOS/nixpkgs/pull/10155

     

       636
        
           # https://github.com/NixOS/nixpkgs/pull/41745

     

       637
        
           services.openssh.authorizedKeysFiles =

     

       638
       -
             [ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ];

     

       639
        
       

     

       640
        
           services.openssh.settings.AuthorizedPrincipalsFile = mkIf (authPrincipalsFiles != {}) "/etc/ssh/authorized_principals.d/%u";

     

       641

···

       296
        
               '';

     

       297
        
             };

     

       298
        
       

     

       299
       +
             authorizedKeysInHomedir = mkOption {

     

       300
       +
               type = types.bool;

     

       301
       +
               default = true;

     

       302
       +
               description = ''

     

       303
       +
                 Enables the use of the `~/.ssh/authorized_keys` file.

     

       304
       +
       

     

       305
       +
                 Otherwise, the only files trusted by default are those in `/etc/ssh/authorized_keys.d`,

     

       306
       +
                 *i.e.* SSH keys from [](#opt-users.users._name_.openssh.authorizedKeys.keys).

     

       307
       +
               '';

     

       308
       +
             };

     

       309
       +
       

     

       310
        
             authorizedKeysCommand = mkOption {

     

       311
        
               type = types.str;

     

       312
        
               default = "none";

     
···

       646
        
           # https://github.com/NixOS/nixpkgs/pull/10155

     

       647
        
           # https://github.com/NixOS/nixpkgs/pull/41745

     

       648
        
           services.openssh.authorizedKeysFiles =

     

       649
       +
             lib.optional cfg.authorizedKeysInHomedir "%h/.ssh/authorized_keys" ++ [ "/etc/ssh/authorized_keys.d/%u" ];

     

       650
        
       

     

       651
        
           services.openssh.settings.AuthorizedPrincipalsFile = mkIf (authPrincipalsFiles != {}) "/etc/ssh/authorized_principals.d/%u";

     

       652