gador/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sshd: fewer empty lines in generated config (#392527)

Browse Source
This commit is contained in:
Ramses
2025-09-24 06:51:36 +02:00
committed by GitHub
parent 3b754e1040 7ebfdde615
commit 2f5e64c284
2 changed files with 48 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
nixos/modules/programs/ssh.nix
View File

@@ -339,37 +339,37 @@ in
# SSH configuration. Slight duplication of the sshd_config # SSH configuration. Slight duplication of the sshd_config
# generation in the sshd service. # generation in the sshd service.
environment.etc."ssh/ssh_config".text = '' environment.etc."ssh/ssh_config".text = lib.concatStringsSep "\n" (
# Custom options from `extraConfig`, to override generated options # Custom options from `extraConfig`, to override generated options
${cfg.extraConfig} lib.optional (cfg.extraConfig != "") cfg.extraConfig
++ [
''
# Generated options from other settings # Generated options from other settings
Host * Host *
${lib.optionalString cfg.systemd-ssh-proxy.enable '' ''
]
++ lib.optional cfg.systemd-ssh-proxy.enable ''
# See systemd-ssh-proxy(1) # See systemd-ssh-proxy(1)
Include ${config.systemd.package}/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf Include ${config.systemd.package}/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf
''} ''
++ [
GlobalKnownHostsFile ${builtins.concatStringsSep " " knownHostsFiles} "GlobalKnownHostsFile ${builtins.concatStringsSep " " knownHostsFiles}"
]
${lib.optionalString (!config.networking.enableIPv6) "AddressFamily inet"} ++ lib.optional (!config.networking.enableIPv6) "AddressFamily inet"
${lib.optionalString cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"} ++ lib.optional cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"
${lib.optionalString (cfg.forwardX11 != null) ++ lib.optional (cfg.forwardX11 != null) "ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}"
"ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}" ++ lib.optional (
}
${lib.optionalString (
cfg.pubkeyAcceptedKeyTypes != [ ] cfg.pubkeyAcceptedKeyTypes != [ ]
) "PubkeyAcceptedKeyTypes ${builtins.concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"} ) "PubkeyAcceptedKeyTypes ${builtins.concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"
${lib.optionalString ( ++ lib.optional (
cfg.hostKeyAlgorithms != [ ] cfg.hostKeyAlgorithms != [ ]
) "HostKeyAlgorithms ${builtins.concatStringsSep "," cfg.hostKeyAlgorithms}"} ) "HostKeyAlgorithms ${builtins.concatStringsSep "," cfg.hostKeyAlgorithms}"
${lib.optionalString ( ++ lib.optional (
cfg.kexAlgorithms != null cfg.kexAlgorithms != null
) "KexAlgorithms ${builtins.concatStringsSep "," cfg.kexAlgorithms}"} ) "KexAlgorithms ${builtins.concatStringsSep "," cfg.kexAlgorithms}"
${lib.optionalString (cfg.ciphers != null) "Ciphers ${builtins.concatStringsSep "," cfg.ciphers}"} ++ lib.optional (cfg.ciphers != null) "Ciphers ${builtins.concatStringsSep "," cfg.ciphers}"
${lib.optionalString (cfg.macs != null) "MACs ${builtins.concatStringsSep "," cfg.macs}"} ++ lib.optional (cfg.macs != null) "MACs ${builtins.concatStringsSep "," cfg.macs}"
''; );
environment.etc."ssh/ssh_known_hosts".text = knownHostsText; environment.etc."ssh/ssh_known_hosts".text = knownHostsText;

49
nixos/modules/services/networking/ssh/sshd.nix
View File

@@ -21,7 +21,6 @@ let
let let
# reports boolean as yes / no # reports boolean as yes / no
mkValueString = mkValueString =
with lib;
v: v:
if lib.isInt v then if lib.isInt v then
toString v toString v
@@ -825,37 +824,29 @@ in
authPrincipalsFiles != { } authPrincipalsFiles != { }
) "/etc/ssh/authorized_principals.d/%u"; ) "/etc/ssh/authorized_principals.d/%u";
services.openssh.extraConfig = lib.mkOrder 0 '' services.openssh.extraConfig = lib.mkOrder 0 (
Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner} lib.concatStringsSep "\n" (
[
AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"} "Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}"
${lib.concatMapStrings (port: '' "AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}"
Port ${toString port} ]
'') cfg.ports} ++ lib.map (port: ''Port ${toString port}'') cfg.ports
++ lib.map (
${lib.concatMapStrings (
{ port, addr, ... }: { port, addr, ... }:
'' ''ListenAddress ${addr}${lib.optionalString (port != null) (":" + toString port)}''
ListenAddress ${addr}${lib.optionalString (port != null) (":" + toString port)} ) cfg.listenAddresses
'' ++ lib.optional cfgc.setXAuthLocation "XAuthLocation ${lib.getExe pkgs.xorg.xauth}"
) cfg.listenAddresses} ++ lib.optional cfg.allowSFTP ''Subsystem sftp ${cfg.sftpServerExecutable} ${lib.concatStringsSep " " cfg.sftpFlags}''
++ [
${lib.optionalString cfgc.setXAuthLocation '' "AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}"
XAuthLocation ${pkgs.xorg.xauth}/bin/xauth ]
''} ++ lib.optional (cfg.authorizedKeysCommand != "none") ''
${lib.optionalString cfg.allowSFTP ''
Subsystem sftp ${cfg.sftpServerExecutable} ${lib.concatStringsSep " " cfg.sftpFlags}
''}
AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
${lib.optionalString (cfg.authorizedKeysCommand != "none") ''
AuthorizedKeysCommand ${cfg.authorizedKeysCommand} AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser} AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}
''} ''
++ lib.map (k: "HostKey ${k.path}") cfg.hostKeys
${lib.flip lib.concatMapStrings cfg.hostKeys (k: '' )
HostKey ${k.path} );
'')}
'';
system.checks = [ system.checks = [
(pkgs.runCommand "check-sshd-config" (pkgs.runCommand "check-sshd-config"