sshd: fewer empty lines in generated config (#392527)

2025-09-24 06:51:36 +02:00
parent 3b754e1040 7ebfdde615
commit 2f5e64c284
2 changed files with 48 additions and 57 deletions
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -339,37 +339,37 @@ in

    # SSH configuration. Slight duplication of the sshd_config
    # generation in the sshd service.
-    environment.etc."ssh/ssh_config".text = ''
+    environment.etc."ssh/ssh_config".text = lib.concatStringsSep "\n" (
      # Custom options from `extraConfig`, to override generated options
-      ${cfg.extraConfig}
-
+      lib.optional (cfg.extraConfig != "") cfg.extraConfig
+      ++ [
+        ''
          # Generated options from other settings
          Host *
-      ${lib.optionalString cfg.systemd-ssh-proxy.enable ''
+        ''
+      ]
+      ++ lib.optional cfg.systemd-ssh-proxy.enable ''
        # See systemd-ssh-proxy(1)
        Include ${config.systemd.package}/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf
-      ''}
-
-      GlobalKnownHostsFile ${builtins.concatStringsSep " " knownHostsFiles}
-
-      ${lib.optionalString (!config.networking.enableIPv6) "AddressFamily inet"}
-      ${lib.optionalString cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"}
-      ${lib.optionalString (cfg.forwardX11 != null)
-        "ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}"
-      }
-
-      ${lib.optionalString (
+      ''
+      ++ [
+        "GlobalKnownHostsFile ${builtins.concatStringsSep " " knownHostsFiles}"
+      ]
+      ++ lib.optional (!config.networking.enableIPv6) "AddressFamily inet"
+      ++ lib.optional cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"
+      ++ lib.optional (cfg.forwardX11 != null) "ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}"
+      ++ lib.optional (
        cfg.pubkeyAcceptedKeyTypes != [ ]
-      ) "PubkeyAcceptedKeyTypes ${builtins.concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"}
-      ${lib.optionalString (
+      ) "PubkeyAcceptedKeyTypes ${builtins.concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"
+      ++ lib.optional (
        cfg.hostKeyAlgorithms != [ ]
-      ) "HostKeyAlgorithms ${builtins.concatStringsSep "," cfg.hostKeyAlgorithms}"}
-      ${lib.optionalString (
+      ) "HostKeyAlgorithms ${builtins.concatStringsSep "," cfg.hostKeyAlgorithms}"
+      ++ lib.optional (
        cfg.kexAlgorithms != null
-      ) "KexAlgorithms ${builtins.concatStringsSep "," cfg.kexAlgorithms}"}
-      ${lib.optionalString (cfg.ciphers != null) "Ciphers ${builtins.concatStringsSep "," cfg.ciphers}"}
-      ${lib.optionalString (cfg.macs != null) "MACs ${builtins.concatStringsSep "," cfg.macs}"}
-    '';
+      ) "KexAlgorithms ${builtins.concatStringsSep "," cfg.kexAlgorithms}"
+      ++ lib.optional (cfg.ciphers != null) "Ciphers ${builtins.concatStringsSep "," cfg.ciphers}"
+      ++ lib.optional (cfg.macs != null) "MACs ${builtins.concatStringsSep "," cfg.macs}"
+    );

    environment.etc."ssh/ssh_known_hosts".text = knownHostsText;

--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -21,7 +21,6 @@ let
    let
      # reports boolean as yes / no
      mkValueString =
-        with lib;
        v:
        if lib.isInt v then
          toString v
@@ -825,37 +824,29 @@ in
      authPrincipalsFiles != { }
    ) "/etc/ssh/authorized_principals.d/%u";

-    services.openssh.extraConfig = lib.mkOrder 0 ''
-      Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}
-
-      AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
-      ${lib.concatMapStrings (port: ''
-        Port ${toString port}
-      '') cfg.ports}
-
-      ${lib.concatMapStrings (
+    services.openssh.extraConfig = lib.mkOrder 0 (
+      lib.concatStringsSep "\n" (
+        [
+          "Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}"
+          "AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}"
+        ]
+        ++ lib.map (port: ''Port ${toString port}'') cfg.ports
+        ++ lib.map (
          { port, addr, ... }:
-        ''
-          ListenAddress ${addr}${lib.optionalString (port != null) (":" + toString port)}
-        ''
-      ) cfg.listenAddresses}
-
-      ${lib.optionalString cfgc.setXAuthLocation ''
-        XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
-      ''}
-      ${lib.optionalString cfg.allowSFTP ''
-        Subsystem sftp ${cfg.sftpServerExecutable} ${lib.concatStringsSep " " cfg.sftpFlags}
-      ''}
-      AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
-      ${lib.optionalString (cfg.authorizedKeysCommand != "none") ''
+          ''ListenAddress ${addr}${lib.optionalString (port != null) (":" + toString port)}''
+        ) cfg.listenAddresses
+        ++ lib.optional cfgc.setXAuthLocation "XAuthLocation ${lib.getExe pkgs.xorg.xauth}"
+        ++ lib.optional cfg.allowSFTP ''Subsystem sftp ${cfg.sftpServerExecutable} ${lib.concatStringsSep " " cfg.sftpFlags}''
+        ++ [
+          "AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}"
+        ]
+        ++ lib.optional (cfg.authorizedKeysCommand != "none") ''
          AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
          AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}
-      ''}
-
-      ${lib.flip lib.concatMapStrings cfg.hostKeys (k: ''
-        HostKey ${k.path}
-      '')}
-    '';
+        ''
+        ++ lib.map (k: "HostKey ${k.path}") cfg.hostKeys
+      )
+    );

    system.checks = [
      (pkgs.runCommand "check-sshd-config"