commit f4dd3ba6e05c1050a1b2db9085fb2695c507ba1b · pyrox.dev/nixpkgs

doc/manpage-urls.json

···

       228
       228
        
         "systemd-socket-activate(1)": "https://www.freedesktop.org/software/systemd/man/systemd-socket-activate.html",

     

       229
       229
        
         "systemd-socket-proxyd(8)": "https://www.freedesktop.org/software/systemd/man/systemd-socket-proxyd.html",

     

       230
       230
        
         "systemd-soft-reboot.service(8)": "https://www.freedesktop.org/software/systemd/man/systemd-soft-reboot.service.html",

     

       231
       231
       +
         "systemd-ssh-generator(8)": "https://www.freedesktop.org/software/systemd/man/systemd-ssh-generator.html",

     

       232
       232
       +
         "systemd-ssh-proxy(1)": "https://www.freedesktop.org/software/systemd/man/systemd-ssh-proxy.html",

     

       231
       233
        
         "systemd-stdio-bridge(1)": "https://www.freedesktop.org/software/systemd/man/systemd-stdio-bridge.html",

     

       232
       234
        
         "systemd-stub(7)": "https://www.freedesktop.org/software/systemd/man/systemd-stub.html",

     

       233
       235
        
         "systemd-suspend-then-hibernate.service(8)": "https://www.freedesktop.org/software/systemd/man/systemd-suspend-then-hibernate.service.html",

+13

nixos/doc/manual/release-notes/rl-2505.section.md

···

       554
       554
        
       

     

       555
       555
        
       - GOverlay has been updated to 1.2, please check the [upstream changelog](https://github.com/benjamimgois/goverlay/releases) for more details.

     

       556
       556
        
       

     

       557
       557
       +
       - systemd's {manpage}`systemd-ssh-generator(8)` now works out of the box on NixOS.

     

       558
       558
       +
         - You can ssh into VMs without any networking configuration if your hypervisor configures the vm to support AF_VSOCK.

     

       559
       559
       +
           It still requires the usual ssh authentication methods.

     

       560
       560
       +
         - An SSH key for the root user can be provisioned using the `ssh.authorized_keys.root` systemd credential.

     

       561
       561
       +
           This can be useful for booting an installation image and providing the SSH key with an smbios string.

     

       562
       562
       +
         - SSH can be used for suid-less privilege escalation on the local system without having to rely on networking:

     

       563
       563
       +
           ```shell

     

       564
       564
       +
           ssh root@.host

     

       565
       565
       +
           ```

     

       566
       566
       +
         - systemd's {manpage}`systemd-ssh-proxy(1)` is enabled by default. It can be disabled using [`programs.ssh.systemd-ssh-proxy.enable`](#opt-programs.ssh.systemd-ssh-proxy.enable).

     

       567
       567
       +
       

     

       568
       568
       +
       - SSH host key generation has been separated into the dedicated systemd service sshd-keygen.service.

     

       569
       569
       +
       

     

       557
       570
        
       - [`services.mongodb`](#opt-services.mongodb.enable) is now compatible with the `mongodb-ce` binary package. To make use of it, set [`services.mongodb.package`](#opt-services.mongodb.package) to `pkgs.mongodb-ce`.

     

       558
       571
        
       

     

       559
       572
        
       - [`services.jupyter`](#opt-services.jupyter.enable) is now compatible with `Jupyter Notebook 7`. See [the migration guide](https://jupyter-notebook.readthedocs.io/en/latest/migrate_to_notebook7.html) for details.

+14

nixos/modules/programs/ssh.nix

···

       49
       49
        
               description = "Whether to configure SSH_ASKPASS in the environment.";

     

       50
       50
        
             };

     

       51
       51
        
       

     

       52
       52
       +
             systemd-ssh-proxy.enable = lib.mkOption {

     

       53
       53
       +
               type = lib.types.bool;

     

       54
       54
       +
               default = true;

     

       55
       55
       +
               description = ''

     

       56
       56
       +
                 Whether to enable systemd's ssh proxy plugin.

     

       57
       57
       +
                 See {manpage}`systemd-ssh-proxy(1)`.

     

       58
       58
       +
               '';

     

       59
       59
       +
             };

     

       60
       60
       +
       

     

       52
       61
        
             askPassword = lib.mkOption {

     

       53
       62
        
               type = lib.types.str;

     

       54
       63
        
               default = "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass";

     
···

       331
       340
        
           environment.etc."ssh/ssh_config".text = ''

     

       332
       341
        
             # Custom options from `extraConfig`, to override generated options

     

       333
       342
        
             ${cfg.extraConfig}

     

       343
       343
       +
       

     

       344
       344
       +
             ${lib.optionalString cfg.systemd-ssh-proxy.enable ''

     

       345
       345
       +
               # See systemd-ssh-proxy(1)

     

       346
       346
       +
               Include ${config.systemd.package}/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf

     

       347
       347
       +
             ''}

     

       334
       348
        
       

     

       335
       349
        
             # Generated options from other settings

     

       336
       350
        
             Host *

+79 -63

nixos/modules/services/networking/ssh/sshd.nix

···

       562
       562
        
               "ssh/sshd_config".source = sshconf;

     

       563
       563
        
             };

     

       564
       564
        
       

     

       565
       565
       -
           systemd =

     

       566
       566
       -
             let

     

       567
       567
       -
               service =

     

       568
       568
       -
                 { description = "SSH Daemon";

     

       569
       569
       -
                   wantedBy = lib.optional (!cfg.startWhenNeeded) "multi-user.target";

     

       570
       570
       -
                   after = [ "network.target" ];

     

       571
       571
       -
                   stopIfChanged = false;

     

       572
       572
       -
                   path = [ cfg.package pkgs.gawk ];

     

       573
       573
       -
                   environment.LD_LIBRARY_PATH = nssModulesPath;

     

       574
       574
       -
       

     

       575
       575
       -
                   restartTriggers = lib.optionals (!cfg.startWhenNeeded) [

     

       576
       576
       -
                     config.environment.etc."ssh/sshd_config".source

     

       577
       577
       -
                   ];

     

       578
       578
       -
       

     

       579
       579
       -
                   preStart =

     

       580
       580
       -
                     ''

     

       581
       581
       -
                       # Make sure we don't write to stdout, since in case of

     

       582
       582
       -
                       # socket activation, it goes to the remote side (#19589).

     

       583
       583
       -
                       exec >&2

     

       565
       565
       +
           systemd.tmpfiles.settings."ssh-root-provision" = {

     

       566
       566
       +
             "/root"."d-" = { user = "root"; group = ":root"; mode = ":700"; };

     

       567
       567
       +
             "/root/.ssh"."d-" = { user = "root"; group = ":root"; mode = ":700"; };

     

       568
       568
       +
             "/root/.ssh/authorized_keys"."f^" = { user = "root"; group = ":root"; mode = ":600"; argument = "ssh.authorized_keys.root"; };

     

       569
       569
       +
           };

     

       584
       570
        
       

     

       585
       585
       -
                       ${lib.flip lib.concatMapStrings cfg.hostKeys (k: ''

     

       586
       586
       -
                         if ! [ -s "${k.path}" ]; then

     

       587
       587
       -
                             if ! [ -h "${k.path}" ]; then

     

       588
       588
       -
                                 rm -f "${k.path}"

     

       589
       589
       -
                             fi

     

       590
       590
       -
                             mkdir -p "$(dirname '${k.path}')"

     

       591
       591
       -
                             chmod 0755 "$(dirname '${k.path}')"

     

       592
       592
       -
                             ssh-keygen \

     

       593
       593
       -
                               -t "${k.type}" \

     

       594
       594
       -
                               ${lib.optionalString (k ? bits) "-b ${toString k.bits}"} \

     

       595
       595
       -
                               ${lib.optionalString (k ? rounds) "-a ${toString k.rounds}"} \

     

       596
       596
       -
                               ${lib.optionalString (k ? comment) "-C '${k.comment}'"} \

     

       597
       597
       -
                               ${lib.optionalString (k ? openSSHFormat && k.openSSHFormat) "-o"} \

     

       598
       598
       -
                               -f "${k.path}" \

     

       599
       599
       -
                               -N ""

     

       600
       600
       -
                         fi

     

       601
       601
       -
                       '')}

     

       602
       602
       -
                     '';

     

       603
       603
       -
       

     

       604
       604
       -
                   serviceConfig =

     

       605
       605
       -
                     { ExecStart =

     

       606
       606
       -
                         (lib.optionalString cfg.startWhenNeeded "-") +

     

       607
       607
       -
                         "${cfg.package}/bin/sshd " + (lib.optionalString cfg.startWhenNeeded "-i ") +

     

       608
       608
       -
                         "-D " +  # don't detach into a daemon process

     

       609
       609
       -
                         "-f /etc/ssh/sshd_config";

     

       610
       610
       -
                       KillMode = "process";

     

       611
       611
       -
                     } // (if cfg.startWhenNeeded then {

     

       612
       612
       -
                       StandardInput = "socket";

     

       613
       613
       -
                       StandardError = "journal";

     

       614
       614
       -
                     } else {

     

       615
       615
       -
                       Restart = "always";

     

       616
       616
       -
                       Type = "simple";

     

       617
       617
       -
                     });

     

       618
       618
       -
       

     

       619
       619
       -
                 };

     

       620
       620
       -
             in

     

       621
       621
       -
       

     

       622
       622
       -
             if cfg.startWhenNeeded then {

     

       623
       623
       -
       

     

       624
       624
       -
               sockets.sshd =

     

       625
       625
       -
                 { description = "SSH Socket";

     

       571
       571
       +
           systemd =

     

       572
       572
       +
             {

     

       573
       573
       +
               sockets.sshd = lib.mkIf cfg.startWhenNeeded {

     

       574
       574
       +
                 description = "SSH Socket";

     

       626
       575
        
                   wantedBy = [ "sockets.target" ];

     

       627
       576
        
                   socketConfig.ListenStream = if cfg.listenAddresses != [] then

     

       628
       577
        
                     lib.concatMap

     
···

       635
       584
        
                   socketConfig.Accept = true;

     

       636
       585
        
                   # Prevent brute-force attacks from shutting down socket

     

       637
       586
        
                   socketConfig.TriggerLimitIntervalSec = 0;

     

       587
       587
       +
               };

     

       588
       588
       +
       

     

       589
       589
       +
               services."sshd@" = {

     

       590
       590
       +
                 description = "SSH per-connection Daemon";

     

       591
       591
       +
                 after = [ "network.target" "sshd-keygen.service" ];

     

       592
       592
       +
                 wants = [ "sshd-keygen.service" ];

     

       593
       593
       +
                 stopIfChanged = false;

     

       594
       594
       +
                 path = [ cfg.package ];

     

       595
       595
       +
                 environment.LD_LIBRARY_PATH = nssModulesPath;

     

       596
       596
       +
       

     

       597
       597
       +
                 serviceConfig = {

     

       598
       598
       +
                   Type = "notify";

     

       599
       599
       +
                   ExecStart = lib.concatStringsSep " " [

     

       600
       600
       +
                     "-${lib.getExe' cfg.package "sshd"}"

     

       601
       601
       +
                     "-i"

     

       602
       602
       +
                     "-D"

     

       603
       603
       +
                     "-f /etc/ssh/sshd_config"

     

       604
       604
       +
                   ];

     

       605
       605
       +
                   KillMode = "process";

     

       606
       606
       +
                   StandardInput = "socket";

     

       607
       607
       +
                   StandardError = "journal";

     

       638
       608
        
                 };

     

       609
       609
       +
               };

     

       639
       610
        
       

     

       640
       640
       -
               services."sshd@" = service;

     

       611
       611
       +
               services.sshd = lib.mkIf (! cfg.startWhenNeeded) {

     

       612
       612
       +
                 description = "SSH Daemon";

     

       613
       613
       +
                 wantedBy = [ "multi-user.target" ];

     

       614
       614
       +
                 after = [ "network.target" "sshd-keygen.service" ];

     

       615
       615
       +
                 wants = [ "sshd-keygen.service" ];

     

       616
       616
       +
                 stopIfChanged = false;

     

       617
       617
       +
                 path = [ cfg.package ];

     

       618
       618
       +
                 environment.LD_LIBRARY_PATH = nssModulesPath;

     

       641
       619
        
       

     

       642
       642
       -
             } else {

     

       620
       620
       +
                 restartTriggers = [ config.environment.etc."ssh/sshd_config".source ];

     

       643
       621
        
       

     

       644
       644
       -
               services.sshd = service;

     

       622
       622
       +
                 serviceConfig = {

     

       623
       623
       +
                   Type = "notify";

     

       624
       624
       +
                   Restart = "always";

     

       625
       625
       +
                   ExecStart = lib.concatStringsSep " " [

     

       626
       626
       +
                     (lib.getExe' cfg.package "sshd")

     

       627
       627
       +
                     "-D"

     

       628
       628
       +
                     "-f" "/etc/ssh/sshd_config"

     

       629
       629
       +
                   ];

     

       630
       630
       +
                   KillMode = "process";

     

       631
       631
       +
                 };

     

       632
       632
       +
               };

     

       645
       633
        
       

     

       634
       634
       +
               services.sshd-keygen = {

     

       635
       635
       +
                 description = "SSH Host Keys Generation";

     

       636
       636
       +
                 unitConfig = {

     

       637
       637
       +
                   ConditionFileNotEmpty = map (k: "|!${k.path}") cfg.hostKeys;

     

       638
       638
       +
                 };

     

       639
       639
       +
                 serviceConfig = {

     

       640
       640
       +
                   Type = "oneshot";

     

       641
       641
       +
                 };

     

       642
       642
       +
                 path = [ cfg.package ];

     

       643
       643
       +
                 script =

     

       644
       644
       +
                   lib.flip lib.concatMapStrings cfg.hostKeys (k: ''

     

       645
       645
       +
                     if ! [ -s "${k.path}" ]; then

     

       646
       646
       +
                         if ! [ -h "${k.path}" ]; then

     

       647
       647
       +
                             rm -f "${k.path}"

     

       648
       648
       +
                         fi

     

       649
       649
       +
                         mkdir -p "$(dirname '${k.path}')"

     

       650
       650
       +
                         chmod 0755 "$(dirname '${k.path}')"

     

       651
       651
       +
                         ssh-keygen \

     

       652
       652
       +
                           -t "${k.type}" \

     

       653
       653
       +
                           ${lib.optionalString (k ? bits) "-b ${toString k.bits}"} \

     

       654
       654
       +
                           ${lib.optionalString (k ? rounds) "-a ${toString k.rounds}"} \

     

       655
       655
       +
                           ${lib.optionalString (k ? comment) "-C '${k.comment}'"} \

     

       656
       656
       +
                           ${lib.optionalString (k ? openSSHFormat && k.openSSHFormat) "-o"} \

     

       657
       657
       +
                           -f "${k.path}" \

     

       658
       658
       +
                           -N ""

     

       659
       659
       +
                     fi

     

       660
       660
       +
                   '');

     

       661
       661
       +
               };

     

       646
       662
        
             };

     

       647
       663
        
       

     

       648
       664
        
           networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall cfg.ports;

+6 -1

nixos/modules/system/boot/systemd.nix

···

       620
       620
        
             systemd.managerEnvironment = {

     

       621
       621
        
               # Doesn't contain systemd itself - everything works so it seems to use the compiled-in value for its tools

     

       622
       622
        
               # util-linux is needed for the main fsck utility wrapping the fs-specific ones

     

       623
       623
       -
               PATH = lib.makeBinPath (config.system.fsPackages ++ [cfg.package.util-linux]);

     

       623
       623
       +
               PATH = lib.makeBinPath (

     

       624
       624
       +
                 config.system.fsPackages

     

       625
       625
       +
                 ++ [cfg.package.util-linux]

     

       626
       626
       +
                 # systemd-ssh-generator needs sshd in PATH

     

       627
       627
       +
                 ++ lib.optional config.services.openssh.enable config.services.openssh.package

     

       628
       628
       +
               );

     

       624
       629
        
               LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";

     

       625
       630
        
               TZDIR = "/etc/zoneinfo";

     

       626
       631
        
               # If SYSTEMD_UNIT_PATH ends with an empty component (":"), the usual unit load path will be appended to the contents of the variable

nixos/tests/all-tests.nix

···

       1173
       1173
        
         systemd-portabled = handleTest ./systemd-portabled.nix {};

     

       1174
       1174
        
         systemd-repart = handleTest ./systemd-repart.nix {};

     

       1175
       1175
        
         systemd-resolved = handleTest ./systemd-resolved.nix {};

     

       1176
       1176
       +
         systemd-ssh-proxy = runTest ./systemd-ssh-proxy.nix;

     

       1176
       1177
        
         systemd-shutdown = handleTest ./systemd-shutdown.nix {};

     

       1177
       1178
        
         systemd-sysupdate = runTest ./systemd-sysupdate.nix;

     

       1178
       1179
        
         systemd-sysusers-mutable = runTest ./systemd-sysusers-mutable.nix;

-3

nixos/tests/openssh.nix

···

       174
       174
        
           server_lazy_socket.wait_for_unit("sshd.socket", timeout=30)

     

       175
       175
        
       

     

       176
       176
        
           with subtest("manual-authkey"):

     

       177
       177
       -
               client.succeed("mkdir -m 700 /root/.ssh")

     

       178
       177
        
               client.succeed(

     

       179
       178
        
                   '${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""'

     

       180
       179
        
               )

     
···

       184
       183
        
               public_key = public_key.strip()

     

       185
       184
        
               client.succeed("chmod 600 /root/.ssh/id_ed25519")

     

       186
       185
        
       

     

       187
       187
       -
               server.succeed("mkdir -m 700 /root/.ssh")

     

       188
       186
        
               server.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))

     

       189
       189
       -
               server_lazy.succeed("mkdir -m 700 /root/.ssh")

     

       190
       187
        
               server_lazy.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))

     

       191
       188
        
       

     

       192
       189
        
               client.wait_for_unit("network.target")

+76

nixos/tests/systemd-ssh-proxy.nix

···

       1
       1
       +
       {

     

       2
       2
       +
         pkgs,

     

       3
       3
       +
         lib,

     

       4
       4
       +
         config,

     

       5
       5
       +
         ...

     

       6
       6
       +
       }:

     

       7
       7
       +
       # This tests that systemd-ssh-proxy and systemd-ssh-generator work correctly with:

     

       8
       8
       +
       # - a local unix socket on the same system

     

       9
       9
       +
       # - a vsock socket inside a vm

     

       10
       10
       +
       let

     

       11
       11
       +
         inherit (import ./ssh-keys.nix pkgs)

     

       12
       12
       +
           snakeOilEd25519PrivateKey

     

       13
       13
       +
           snakeOilEd25519PublicKey

     

       14
       14
       +
           ;

     

       15
       15
       +
         qemu = config.nodes.virthost.virtualisation.qemu.package;

     

       16
       16
       +
         iso =

     

       17
       17
       +
           (import ../lib/eval-config.nix {

     

       18
       18
       +
             inherit (pkgs.stdenv.hostPlatform) system;

     

       19
       19
       +
             modules = [

     

       20
       20
       +
               ../modules/installer/cd-dvd/iso-image.nix

     

       21
       21
       +
               {

     

       22
       22
       +
                 services.openssh = {

     

       23
       23
       +
                   enable = true;

     

       24
       24
       +
                   settings.PermitRootLogin = "prohibit-password";

     

       25
       25
       +
                 };

     

       26
       26
       +
                 isoImage.isoBaseName = lib.mkForce "nixos";

     

       27
       27
       +
                 isoImage.makeBiosBootable = true;

     

       28
       28
       +
                 system.stateVersion = lib.trivial.release;

     

       29
       29
       +
               }

     

       30
       30
       +
             ];

     

       31
       31
       +
           }).config.system.build.isoImage;

     

       32
       32
       +
       in

     

       33
       33
       +
       {

     

       34
       34
       +
         name = "systemd-ssh-proxy";

     

       35
       35
       +
         meta.maintainers = with pkgs.lib.maintainers; [ marie ];

     

       36
       36
       +
       

     

       37
       37
       +
         nodes = {

     

       38
       38
       +
           virthost = {

     

       39
       39
       +
             services.openssh = {

     

       40
       40
       +
               enable = true;

     

       41
       41
       +
               settings.PermitRootLogin = "prohibit-password";

     

       42
       42
       +
             };

     

       43
       43
       +
             users.users = {

     

       44
       44
       +
               root.openssh.authorizedKeys.keys = [ snakeOilEd25519PublicKey ];

     

       45
       45
       +
               nixos = {

     

       46
       46
       +
                 isNormalUser = true;

     

       47
       47
       +
               };

     

       48
       48
       +
             };

     

       49
       49
       +
             systemd.services.test-vm = {

     

       50
       50
       +
               script = "${lib.getExe qemu} --nographic -smp 1 -m 512 -cdrom ${iso}/iso/nixos.iso -device vhost-vsock-pci,guest-cid=3 -smbios type=11,value=\"io.systemd.credential:ssh.authorized_keys.root=${snakeOilEd25519PublicKey}\"";

     

       51
       51
       +
             };

     

       52
       52
       +
           };

     

       53
       53
       +
         };

     

       54
       54
       +
       

     

       55
       55
       +
         testScript = ''

     

       56
       56
       +
           virthost.systemctl("start test-vm.service")

     

       57
       57
       +
       

     

       58
       58
       +
           virthost.succeed("mkdir -p ~/.ssh")

     

       59
       59
       +
           virthost.succeed("cp '${snakeOilEd25519PrivateKey}' ~/.ssh/id_ed25519")

     

       60
       60
       +
           virthost.succeed("chmod 600 ~/.ssh/id_ed25519")

     

       61
       61
       +
       

     

       62
       62
       +
           with subtest("ssh into a vm with vsock"):

     

       63
       63
       +
             virthost.wait_until_succeeds("systemctl is-active test-vm.service")

     

       64
       64
       +
             virthost.wait_until_succeeds("ssh -i ~/.ssh/id_ed25519 vsock/3 echo meow | grep meow")

     

       65
       65
       +
             virthost.wait_until_succeeds("ssh -i ~/.ssh/id_ed25519 vsock/3 shutdown now")

     

       66
       66
       +
             virthost.wait_until_succeeds("! systemctl is-active test-vm.service")

     

       67
       67
       +
       

     

       68
       68
       +
           with subtest("elevate permissions using local ssh socket"):

     

       69
       69
       +
             virthost.wait_for_unit("sshd-unix-local.socket")

     

       70
       70
       +
             virthost.succeed("sudo --user=nixos mkdir -p /home/nixos/.ssh")

     

       71
       71
       +
             virthost.succeed("cp ~/.ssh/id_ed25519 /home/nixos/.ssh/id_ed25519")

     

       72
       72
       +
             virthost.succeed("chmod 600 /home/nixos/.ssh/id_ed25519")

     

       73
       73
       +
             virthost.succeed("chown nixos /home/nixos/.ssh/id_ed25519")

     

       74
       74
       +
             virthost.succeed("sudo --user=nixos ssh -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -i /home/nixos/.ssh/id_ed25519 root@.host whoami | grep root")

     

       75
       75
       +
         '';

     

       76
       76
       +
       }

+32

pkgs/os-specific/linux/systemd/0019-meson-Don-t-link-ssh-dropins.patch

···

       1
       1
       +
       From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

     

       2
       2
       +
       From: Marie Ramlow <me@nycode.dev>

     

       3
       3
       +
       Date: Sun, 24 Nov 2024 20:04:35 +0100

     

       4
       4
       +
       Subject: [PATCH] meson: Don't link ssh dropins

     

       5
       5
       +
       

     

       6
       6
       +
       ---

     

       7
       7
       +
        meson.build | 4 ++--

     

       8
       8
       +
        1 file changed, 2 insertions(+), 2 deletions(-)

     

       9
       9
       +
       

     

       10
       10
       +
       diff --git a/meson.build b/meson.build

     

       11
       11
       +
       index d392610625..c17d0a1feb 100644

     

       12
       12
       +
       --- a/meson.build

     

       13
       13
       +
       +++ b/meson.build

     

       14
       14
       +
       @@ -211,13 +211,13 @@ sshconfdir = get_option('sshconfdir')

     

       15
       15
       +
        if sshconfdir == ''

     

       16
       16
       +
                sshconfdir = sysconfdir / 'ssh/ssh_config.d'

     

       17
       17
       +
        endif

     

       18
       18
       +
       -conf.set10('LINK_SSH_PROXY_DROPIN', sshconfdir != 'no' and not sshconfdir.startswith('/usr/'))

     

       19
       19
       +
       +conf.set10('LINK_SSH_PROXY_DROPIN', 0)

     

       20
       20
       +
        

     

       21
       21
       +
        sshdconfdir = get_option('sshdconfdir')

     

       22
       22
       +
        if sshdconfdir == ''

     

       23
       23
       +
                sshdconfdir = sysconfdir / 'ssh/sshd_config.d'

     

       24
       24
       +
        endif

     

       25
       25
       +
       -conf.set10('LINK_SSHD_USERDB_DROPIN', sshdconfdir != 'no' and not sshdconfdir.startswith('/usr/'))

     

       26
       26
       +
       +conf.set10('LINK_SSHD_USERDB_DROPIN', 0)

     

       27
       27
       +
        

     

       28
       28
       +
        sshdprivsepdir = get_option('sshdprivsepdir')

     

       29
       29
       +
        conf.set10('CREATE_SSHDPRIVSEPDIR', sshdprivsepdir != 'no' and not sshdprivsepdir.startswith('/usr/'))

     

       30
       30
       +
       -- 

     

       31
       31
       +
       2.47.0

     

       32
       32
       +

pkgs/os-specific/linux/systemd/0019-timesyncd-disable-NSCD-when-DNSSEC-validation-is-dis.patch pkgs/os-specific/linux/systemd/0021-timesyncd-disable-NSCD-when-DNSSEC-validation-is-dis.patch

+25

pkgs/os-specific/linux/systemd/0020-install-unit_file_exists_full-follow-symlinks.patch

···

       1
       1
       +
       From 7be486fb25dc4ea212cb17f6a3f4a434a557b0d9 Mon Sep 17 00:00:00 2001

     

       2
       2
       +
       From: Marie Ramlow <me@nycode.dev>

     

       3
       3
       +
       Date: Fri, 10 Jan 2025 15:51:33 +0100

     

       4
       4
       +
       Subject: [PATCH] install: unit_file_exists_full: follow symlinks

     

       5
       5
       +
       

     

       6
       6
       +
       ---

     

       7
       7
       +
        src/shared/install.c | 2 +-

     

       8
       8
       +
        1 file changed, 1 insertion(+), 1 deletion(-)

     

       9
       9
       +
       

     

       10
       10
       +
       diff --git a/src/shared/install.c b/src/shared/install.c

     

       11
       11
       +
       index 53566b7eef..0975cd47c7 100644

     

       12
       12
       +
       --- a/src/shared/install.c

     

       13
       13
       +
       +++ b/src/shared/install.c

     

       14
       14
       +
       @@ -3217,7 +3217,7 @@ int unit_file_exists_full(RuntimeScope scope, const LookupPaths *lp, const char

     

       15
       15
       +
                                &c,

     

       16
       16
       +
                                lp,

     

       17
       17
       +
                                name,

     

       18
       18
       +
       -                        /* flags= */ 0,

     

       19
       19
       +
       +                        /* flags= */ SEARCH_FOLLOW_CONFIG_SYMLINKS,

     

       20
       20
       +
                                ret_path ? &info : NULL,

     

       21
       21
       +
                                /* changes= */ NULL,

     

       22
       22
       +
                                /* n_changes= */ NULL);

     

       23
       23
       +
       -- 

     

       24
       24
       +
       2.47.0

     

       25
       25
       +

+7 -3

pkgs/os-specific/linux/systemd/default.nix

···

       246
       246
        
             ./0016-systemctl-edit-suggest-systemdctl-edit-runtime-on-sy.patch

     

       247
       247
        
             ./0017-meson.build-do-not-create-systemdstatedir.patch

     

       248
       248
        
             ./0018-Revert-bootctl-update-list-remove-all-instances-of-s.patch # https://github.com/systemd/systemd/issues/33392

     

       249
       249
       +
             # systemd tries to link the systemd-ssh-proxy ssh config snippet with tmpfiles

     

       250
       250
       +
             # if the install prefix is not /usr, but that does not work for us

     

       251
       251
       +
             # because we include the config snippet manually

     

       252
       252
       +
             ./0019-meson-Don-t-link-ssh-dropins.patch

     

       253
       253
       +
             ./0020-install-unit_file_exists_full-follow-symlinks.patch

     

       249
       254
        
           ]

     

       250
       255
        
           ++ lib.optionals (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isGnu) [

     

       251
       251
       -
             ./0019-timesyncd-disable-NSCD-when-DNSSEC-validation-is-dis.patch

     

       256
       256
       +
             ./0021-timesyncd-disable-NSCD-when-DNSSEC-validation-is-dis.patch

     

       252
       257
        
           ]

     

       253
       258
        
           ++ lib.optionals stdenv.hostPlatform.isMusl (

     

       254
       259
        
             let

     
···

       496
       501
        
             (lib.mesonOption "umount-path" "${lib.getOutput "mount" util-linux}/bin/umount")

     

       497
       502
        
       

     

       498
       503
        
             # SSH

     

       499
       499
       -
             # Disabled for now until someone makes this work.

     

       500
       500
       -
             (lib.mesonOption "sshconfdir" "no")

     

       504
       504
       +
             (lib.mesonOption "sshconfdir" "")

     

       501
       505
        
             (lib.mesonOption "sshdconfdir" "no")

     

       502
       506
        
       

     

       503
       507
        
             # Features