commit ef5da70d669321d482523ba64d331e7b09d6933b · pyrox.dev/nixpkgs

+65 -12

nixos/doc/manual/from_md/release-notes/rl-2305.section.xml

···

       522
       522
        
               <para>

     

       523
       523
        
                 A few openssh options have been moved from extraConfig to the

     

       524
       524
        
                 new freeform option <literal>settings</literal> and renamed as

     

       525
       525
       -
                 follow:

     

       526
       526
       -
                 <literal>services.openssh.kbdInteractiveAuthentication</literal>

     

       527
       527
       -
                 to

     

       528
       528
       -
                 <literal>services.openssh.settings.KbdInteractiveAuthentication</literal>,

     

       529
       529
       -
                 <literal>services.openssh.passwordAuthentication</literal> to

     

       530
       530
       -
                 <literal>services.openssh.settings.PasswordAuthentication</literal>,

     

       531
       531
       -
                 <literal>services.openssh.useDns</literal> to

     

       532
       532
       -
                 <literal>services.openssh.settings.UseDns</literal>,

     

       533
       533
       -
                 <literal>services.openssh.permitRootLogin</literal> to

     

       534
       534
       -
                 <literal>services.openssh.settings.PermitRootLogin</literal>,

     

       535
       535
       -
                 <literal>services.openssh.logLevel</literal> to

     

       536
       536
       -
                 <literal>services.openssh.settings.LogLevel</literal>.

     

       525
       525
       +
                 follows:

     

       537
       526
        
               </para>

     

       527
       527
       +
               <itemizedlist spacing="compact">

     

       528
       528
       +
                 <listitem>

     

       529
       529
       +
                   <para>

     

       530
       530
       +
                     <literal>services.openssh.forwardX11</literal> to

     

       531
       531
       +
                     <literal>services.openssh.settings.X11Forwarding</literal>

     

       532
       532
       +
                   </para>

     

       533
       533
       +
                 </listitem>

     

       534
       534
       +
                 <listitem>

     

       535
       535
       +
                   <para>

     

       536
       536
       +
                     <literal>services.openssh.kbdInteractiveAuthentication</literal>

     

       537
       537
       +
                     -&gt;

     

       538
       538
       +
                     <literal>services.openssh.settings.KbdInteractiveAuthentication</literal>

     

       539
       539
       +
                   </para>

     

       540
       540
       +
                 </listitem>

     

       541
       541
       +
                 <listitem>

     

       542
       542
       +
                   <para>

     

       543
       543
       +
                     <literal>services.openssh.passwordAuthentication</literal>

     

       544
       544
       +
                     to

     

       545
       545
       +
                     <literal>services.openssh.settings.PasswordAuthentication</literal>

     

       546
       546
       +
                   </para>

     

       547
       547
       +
                 </listitem>

     

       548
       548
       +
                 <listitem>

     

       549
       549
       +
                   <para>

     

       550
       550
       +
                     <literal>services.openssh.useDns</literal> to

     

       551
       551
       +
                     <literal>services.openssh.settings.UseDns</literal>

     

       552
       552
       +
                   </para>

     

       553
       553
       +
                 </listitem>

     

       554
       554
       +
                 <listitem>

     

       555
       555
       +
                   <para>

     

       556
       556
       +
                     <literal>services.openssh.permitRootLogin</literal> to

     

       557
       557
       +
                     <literal>services.openssh.settings.PermitRootLogin</literal>

     

       558
       558
       +
                   </para>

     

       559
       559
       +
                 </listitem>

     

       560
       560
       +
                 <listitem>

     

       561
       561
       +
                   <para>

     

       562
       562
       +
                     <literal>services.openssh.logLevel</literal> to

     

       563
       563
       +
                     <literal>services.openssh.settings.LogLevel</literal>

     

       564
       564
       +
                   </para>

     

       565
       565
       +
                 </listitem>

     

       566
       566
       +
                 <listitem>

     

       567
       567
       +
                   <para>

     

       568
       568
       +
                     <literal>services.openssh.kexAlgorithms</literal> to

     

       569
       569
       +
                     <literal>services.openssh.settings.KexAlgorithms</literal>

     

       570
       570
       +
                   </para>

     

       571
       571
       +
                 </listitem>

     

       572
       572
       +
                 <listitem>

     

       573
       573
       +
                   <para>

     

       574
       574
       +
                     <literal>services.openssh.macs</literal> to

     

       575
       575
       +
                     <literal>services.openssh.settings.Macs</literal>

     

       576
       576
       +
                   </para>

     

       577
       577
       +
                 </listitem>

     

       578
       578
       +
                 <listitem>

     

       579
       579
       +
                   <para>

     

       580
       580
       +
                     <literal>services.openssh.cyphers</literal> to

     

       581
       581
       +
                     <literal>services.openssh.settings.Cyphers</literal>

     

       582
       582
       +
                   </para>

     

       583
       583
       +
                 </listitem>

     

       584
       584
       +
                 <listitem>

     

       585
       585
       +
                   <para>

     

       586
       586
       +
                     <literal>services.openssh.gatewayPorts</literal> to

     

       587
       587
       +
                     <literal>services.openssh.settings.GatewayPorts</literal>

     

       588
       588
       +
                   </para>

     

       589
       589
       +
                 </listitem>

     

       590
       590
       +
               </itemizedlist>

     

       538
       591
        
             </listitem>

     

       539
       592
        
             <listitem>

     

       540
       593
        
               <para>

+11 -1

nixos/doc/manual/release-notes/rl-2305.section.md

···

       128
       128
        
       

     

       129
       129
        
       - The module `usbmuxd` now has the ability to change the package used by the daemon. In case you're experiencing issues with `usbmuxd` you can try an alternative program like `usbmuxd2`. Available as [services.usbmuxd.package](#opt-services.usbmuxd.package)

     

       130
       130
        
       

     

       131
       131
       -
       - A few openssh options have been moved from extraConfig to the new freeform option `settings` and renamed as follow: `services.openssh.kbdInteractiveAuthentication` to `services.openssh.settings.KbdInteractiveAuthentication`, `services.openssh.passwordAuthentication` to `services.openssh.settings.PasswordAuthentication`, `services.openssh.useDns` to `services.openssh.settings.UseDns`, `services.openssh.permitRootLogin` to `services.openssh.settings.PermitRootLogin`, `services.openssh.logLevel` to `services.openssh.settings.LogLevel`.

     

       131
       131
       +
       - A few openssh options have been moved from extraConfig to the new freeform option `settings` and renamed as follows:

     

       132
       132
       +
         - `services.openssh.forwardX11` to `services.openssh.settings.X11Forwarding`

     

       133
       133
       +
         - `services.openssh.kbdInteractiveAuthentication` -> `services.openssh.settings.KbdInteractiveAuthentication`

     

       134
       134
       +
         - `services.openssh.passwordAuthentication` to `services.openssh.settings.PasswordAuthentication`

     

       135
       135
       +
         - `services.openssh.useDns` to `services.openssh.settings.UseDns`

     

       136
       136
       +
         - `services.openssh.permitRootLogin` to `services.openssh.settings.PermitRootLogin`

     

       137
       137
       +
         - `services.openssh.logLevel` to `services.openssh.settings.LogLevel`

     

       138
       138
       +
         - `services.openssh.kexAlgorithms` to `services.openssh.settings.KexAlgorithms`

     

       139
       139
       +
         - `services.openssh.macs` to `services.openssh.settings.Macs`

     

       140
       140
       +
         - `services.openssh.cyphers` to `services.openssh.settings.Cyphers`

     

       141
       141
       +
         - `services.openssh.gatewayPorts` to `services.openssh.settings.GatewayPorts`

     

       132
       142
        
       

     

       133
       143
        
       - `services.mastodon` gained a tootctl wrapped named `mastodon-tootctl` similar to `nextcloud-occ` which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables.

     

       134
       144

+1 -1

nixos/modules/programs/ssh.nix

···

       282
       282
        
         config = {

     

       283
       283
        
       

     

       284
       284
        
           programs.ssh.setXAuthLocation =

     

       285
       285
       -
             mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.forwardX11);

     

       285
       285
       +
             mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.settings.X11Forwarding);

     

       286
       286
        
       

     

       287
       287
        
           assertions =

     

       288
       288
        
             [ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;

+1 -1

nixos/modules/services/computing/slurm/slurm.nix

···

       383
       383
        
             "d /var/spool/slurmd 755 root root -"

     

       384
       384
        
           ];

     

       385
       385
        
       

     

       386
       386
       -
           services.openssh.forwardX11 = mkIf cfg.client.enable (mkDefault true);

     

       386
       386
       +
           services.openssh.settings.X11Forwarding = mkIf cfg.client.enable (mkDefault true);

     

       387
       387
        
       

     

       388
       388
        
           systemd.services.slurmctld = mkIf (cfg.server.enable) {

     

       389
       389
        
             path = with pkgs; [ wrappedSlurm munge coreutils ]

+79 -89

nixos/modules/services/networking/ssh/sshd.nix

···

       13
       13
        
           else pkgs.buildPackages.openssh;

     

       14
       14
        
       

     

       15
       15
        
         # reports boolean as yes / no

     

       16
       16
       -
         mkValueStringSshd = v:

     

       16
       16
       +
         mkValueStringSshd = with lib; v:

     

       17
       17
        
               if isInt           v then toString v

     

       18
       18
        
               else if isString   v then v

     

       19
       19
        
               else if true  ==   v then "yes"

     

       20
       20
        
               else if false ==   v then "no"

     

       21
       21
       +
               else if isList     v then concatStringsSep "," v

     

       21
       22
        
               else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}";

     

       22
       23
        
       

     

       23
       24
        
         # dont use the "=" operator

     
···

       104
       105
        
           (mkRenamedOptionModule [ "services" "openssh" "useDns" ] [  "services" "openssh" "settings" "UseDns" ])

     

       105
       106
        
           (mkRenamedOptionModule [ "services" "openssh" "permitRootLogin" ] [  "services" "openssh" "settings" "PermitRootLogin" ])

     

       106
       107
        
           (mkRenamedOptionModule [ "services" "openssh" "logLevel" ] [  "services" "openssh" "settings" "LogLevel" ])

     

       108
       108
       +
           (mkRenamedOptionModule [ "services" "openssh" "macs" ] [  "services" "openssh" "settings" "Macs" ])

     

       109
       109
       +
           (mkRenamedOptionModule [ "services" "openssh" "cyphers" ] [  "services" "openssh" "settings" "Cyphers" ])

     

       110
       110
       +
           (mkRenamedOptionModule [ "services" "openssh" "kexAlgorithms" ] [  "services" "openssh" "settings" "KexAlgorithms" ])

     

       111
       111
       +
           (mkRenamedOptionModule [ "services" "openssh" "gatewayPorts" ] [  "services" "openssh" "settings" "GatewayPorts" ])

     

       112
       112
       +
           (mkRenamedOptionModule [ "services" "openssh" "forwardX11" ] [  "services" "openssh" "settings" "X11Forwarding" ])

     

       107
       113
        
         ];

     

       108
       114
        
       

     

       109
       115
        
         ###### interface

     
···

       131
       137
        
               '';

     

       132
       138
        
             };

     

       133
       139
        
       

     

       134
       134
       -
             forwardX11 = mkOption {

     

       135
       135
       -
               type = types.bool;

     

       136
       136
       -
               default = false;

     

       137
       137
       -
               description = lib.mdDoc ''

     

       138
       138
       -
                 Whether to allow X11 connections to be forwarded.

     

       139
       139
       -
               '';

     

       140
       140
       -
             };

     

       141
       141
       -
       

     

       142
       140
        
             allowSFTP = mkOption {

     

       143
       141
        
               type = types.bool;

     

       144
       142
        
               default = true;

     
···

       167
       165
        
               '';

     

       168
       166
        
             };

     

       169
       167
        
       

     

       170
       170
       -
             gatewayPorts = mkOption {

     

       171
       171
       -
               type = types.str;

     

       172
       172
       -
               default = "no";

     

       173
       173
       -
               description = lib.mdDoc ''

     

       174
       174
       -
                 Specifies whether remote hosts are allowed to connect to

     

       175
       175
       -
                 ports forwarded for the client.  See

     

       176
       176
       -
                 {manpage}`sshd_config(5)`.

     

       177
       177
       -
               '';

     

       178
       178
       -
             };

     

       179
       179
       -
       

     

       180
       168
        
             ports = mkOption {

     

       181
       169
        
               type = types.listOf types.port;

     

       182
       170
        
               default = [22];

     
···

       286
       274
        
               '';

     

       287
       275
        
             };

     

       288
       276
        
       

     

       289
       289
       -
             kexAlgorithms = mkOption {

     

       290
       290
       -
               type = types.listOf types.str;

     

       291
       291
       -
               default = [

     

       292
       292
       -
                 "sntrup761x25519-sha512@openssh.com"

     

       293
       293
       -
                 "curve25519-sha256"

     

       294
       294
       -
                 "curve25519-sha256@libssh.org"

     

       295
       295
       -
                 "diffie-hellman-group-exchange-sha256"

     

       296
       296
       -
               ];

     

       297
       297
       -
               description = lib.mdDoc ''

     

       298
       298
       -
                 Allowed key exchange algorithms

     

       299
       299
       -
       

     

       300
       300
       -
                 Uses the lower bound recommended in both

     

       301
       301
       -
                 <https://stribika.github.io/2015/01/04/secure-secure-shell.html>

     

       302
       302
       -
                 and

     

       303
       303
       -
                 <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>

     

       304
       304
       -
               '';

     

       305
       305
       -
             };

     

       306
       306
       -
       

     

       307
       307
       -
             ciphers = mkOption {

     

       308
       308
       -
               type = types.listOf types.str;

     

       309
       309
       -
               default = [

     

       310
       310
       -
                 "chacha20-poly1305@openssh.com"

     

       311
       311
       -
                 "aes256-gcm@openssh.com"

     

       312
       312
       -
                 "aes128-gcm@openssh.com"

     

       313
       313
       -
                 "aes256-ctr"

     

       314
       314
       -
                 "aes192-ctr"

     

       315
       315
       -
                 "aes128-ctr"

     

       316
       316
       -
               ];

     

       317
       317
       -
               description = lib.mdDoc ''

     

       318
       318
       -
                 Allowed ciphers

     

       319
       319
       -
       

     

       320
       320
       -
                 Defaults to recommended settings from both

     

       321
       321
       -
                 <https://stribika.github.io/2015/01/04/secure-secure-shell.html>

     

       322
       322
       -
                 and

     

       323
       323
       -
                 <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>

     

       324
       324
       -
               '';

     

       325
       325
       -
             };

     

       326
       326
       -
       

     

       327
       327
       -
             macs = mkOption {

     

       328
       328
       -
               type = types.listOf types.str;

     

       329
       329
       -
               default = [

     

       330
       330
       -
                 "hmac-sha2-512-etm@openssh.com"

     

       331
       331
       -
                 "hmac-sha2-256-etm@openssh.com"

     

       332
       332
       -
                 "umac-128-etm@openssh.com"

     

       333
       333
       -
                 "hmac-sha2-512"

     

       334
       334
       -
                 "hmac-sha2-256"

     

       335
       335
       -
                 "umac-128@openssh.com"

     

       336
       336
       -
               ];

     

       337
       337
       -
               description = lib.mdDoc ''

     

       338
       338
       -
                 Allowed MACs

     

       339
       339
       -
       

     

       340
       340
       -
                 Defaults to recommended settings from both

     

       341
       341
       -
                 <https://stribika.github.io/2015/01/04/secure-secure-shell.html>

     

       342
       342
       -
                 and

     

       343
       343
       -
                 <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>

     

       344
       344
       -
               '';

     

       345
       345
       -
             };

     

       346
       277
        
       

     

       347
       278
        
       

     

       348
       279
        
             settings = mkOption {

     
···

       374
       305
        
                       ~/.ssh/authorized_keys from and sshd_config Match Host directives.

     

       375
       306
        
                     '';

     

       376
       307
        
                   };

     

       377
       377
       -
       

     

       308
       308
       +
                   X11Forwarding = mkOption {

     

       309
       309
       +
                     type = types.bool;

     

       310
       310
       +
                     default = false;

     

       311
       311
       +
                     description = lib.mdDoc ''

     

       312
       312
       +
                       Whether to allow X11 connections to be forwarded.

     

       313
       313
       +
                     '';

     

       314
       314
       +
                   };

     

       378
       315
        
                   PasswordAuthentication = mkOption {

     

       379
       316
        
                     type = types.bool;

     

       380
       317
        
                     default = true;

     
···

       394
       331
        
                     default = true;

     

       395
       332
        
                     description = lib.mdDoc ''

     

       396
       333
        
                       Specifies whether keyboard-interactive authentication is allowed.

     

       334
       334
       +
                     '';

     

       335
       335
       +
                   };

     

       336
       336
       +
                   GatewayPorts = mkOption {

     

       337
       337
       +
                     type = types.str;

     

       338
       338
       +
                     default = "no";

     

       339
       339
       +
                     description = lib.mdDoc ''

     

       340
       340
       +
                       Specifies whether remote hosts are allowed to connect to

     

       341
       341
       +
                       ports forwarded for the client.  See

     

       342
       342
       +
                       {manpage}`sshd_config(5)`.

     

       343
       343
       +
                     '';

     

       344
       344
       +
                   };

     

       345
       345
       +
                   KexAlgorithms = mkOption {

     

       346
       346
       +
                     type = types.listOf types.str;

     

       347
       347
       +
                     default = [

     

       348
       348
       +
                       "sntrup761x25519-sha512@openssh.com"

     

       349
       349
       +
                       "curve25519-sha256"

     

       350
       350
       +
                       "curve25519-sha256@libssh.org"

     

       351
       351
       +
                       "diffie-hellman-group-exchange-sha256"

     

       352
       352
       +
                     ];

     

       353
       353
       +
                     description = lib.mdDoc ''

     

       354
       354
       +
                       Allowed key exchange algorithms

     

       355
       355
       +
       

     

       356
       356
       +
                       Uses the lower bound recommended in both

     

       357
       357
       +
                       <https://stribika.github.io/2015/01/04/secure-secure-shell.html>

     

       358
       358
       +
                       and

     

       359
       359
       +
                       <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>

     

       360
       360
       +
                     '';

     

       361
       361
       +
                   };

     

       362
       362
       +
                   Macs = mkOption {

     

       363
       363
       +
                     type = types.listOf types.str;

     

       364
       364
       +
                     default = [

     

       365
       365
       +
                       "hmac-sha2-512-etm@openssh.com"

     

       366
       366
       +
                       "hmac-sha2-256-etm@openssh.com"

     

       367
       367
       +
                       "umac-128-etm@openssh.com"

     

       368
       368
       +
                       "hmac-sha2-512"

     

       369
       369
       +
                       "hmac-sha2-256"

     

       370
       370
       +
                       "umac-128@openssh.com"

     

       371
       371
       +
                     ];

     

       372
       372
       +
                     description = lib.mdDoc ''

     

       373
       373
       +
                       Allowed MACs

     

       374
       374
       +
       

     

       375
       375
       +
                       Defaults to recommended settings from both

     

       376
       376
       +
                       <https://stribika.github.io/2015/01/04/secure-secure-shell.html>

     

       377
       377
       +
                       and

     

       378
       378
       +
                       <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>

     

       379
       379
       +
                     '';

     

       380
       380
       +
                   };

     

       381
       381
       +
                   Ciphers = mkOption {

     

       382
       382
       +
                     type = types.listOf types.str;

     

       383
       383
       +
                     default = [

     

       384
       384
       +
                       "chacha20-poly1305@openssh.com"

     

       385
       385
       +
                       "aes256-gcm@openssh.com"

     

       386
       386
       +
                       "aes128-gcm@openssh.com"

     

       387
       387
       +
                       "aes256-ctr"

     

       388
       388
       +
                       "aes192-ctr"

     

       389
       389
       +
                       "aes128-ctr"

     

       390
       390
       +
                     ];

     

       391
       391
       +
                     description = lib.mdDoc ''

     

       392
       392
       +
                       Allowed ciphers

     

       393
       393
       +
       

     

       394
       394
       +
                       Defaults to recommended settings from both

     

       395
       395
       +
                       <https://stribika.github.io/2015/01/04/secure-secure-shell.html>

     

       396
       396
       +
                       and

     

       397
       397
       +
                       <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>

     

       397
       398
        
                     '';

     

       398
       399
        
                   };

     

       399
       400
        
                 };

     
···

       555
       556
        
               ${optionalString cfgc.setXAuthLocation ''

     

       556
       557
        
                   XAuthLocation ${pkgs.xorg.xauth}/bin/xauth

     

       557
       558
        
               ''}

     

       558
       558
       -
       

     

       559
       559
       -
               X11Forwarding ${if cfg.forwardX11 then "yes" else "no"}

     

       560
       560
       -
       

     

       561
       559
        
               ${optionalString cfg.allowSFTP ''

     

       562
       560
        
                 Subsystem sftp ${cfg.sftpServerExecutable} ${concatStringsSep " " cfg.sftpFlags}

     

       563
       561
        
               ''}

     

       564
       564
       -
       

     

       565
       565
       -
               GatewayPorts ${cfg.gatewayPorts}

     

       566
       566
       -
       

     

       567
       562
        
               PrintMotd no # handled by pam_motd

     

       568
       568
       -
       

     

       569
       563
        
               AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}

     

       570
       564
        
               ${optionalString (cfg.authorizedKeysCommand != "none") ''

     

       571
       565
        
                 AuthorizedKeysCommand ${cfg.authorizedKeysCommand}

     
···

       575
       569
        
               ${flip concatMapStrings cfg.hostKeys (k: ''

     

       576
       570
        
                 HostKey ${k.path}

     

       577
       571
        
               '')}

     

       578
       578
       -
       

     

       579
       579
       -
               KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms}

     

       580
       580
       -
               Ciphers ${concatStringsSep "," cfg.ciphers}

     

       581
       581
       -
               MACs ${concatStringsSep "," cfg.macs}

     

       582
       572
        
             '';

     

       583
       573
        
       

     

       584
       584
       -
           assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;

     

       574
       574
       +
           assertions = [{ assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true;

     

       585
       575
        
                           message = "cannot enable X11 forwarding without setting xauth location";}]

     

       586
       576
        
             ++ forEach cfg.listenAddresses ({ addr, ... }: {

     

       587
       577
        
               assertion = addr != null;