sshd: fewer empty lines in generated config (#392527)

nixos/modules/programs/ssh.nix

@@ -339,37 +339,37 @@ in
 
     # SSH configuration. Slight duplication of the sshd_config
     # generation in the sshd service.
-    environment.etc."ssh/ssh_config".text = ''
+    environment.etc."ssh/ssh_config".text = lib.concatStringsSep "\n" (
       # Custom options from `extraConfig`, to override generated options
-      ${cfg.extraConfig}
-
-      # Generated options from other settings
-      Host *
-      ${lib.optionalString cfg.systemd-ssh-proxy.enable ''
+      lib.optional (cfg.extraConfig != "") cfg.extraConfig
+      ++ [
+        ''
+          # Generated options from other settings
+          Host *
+        ''
+      ]
+      ++ lib.optional cfg.systemd-ssh-proxy.enable ''
         # See systemd-ssh-proxy(1)
         Include ${config.systemd.package}/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf
-      ''}
-
-      GlobalKnownHostsFile ${builtins.concatStringsSep " " knownHostsFiles}
-
-      ${lib.optionalString (!config.networking.enableIPv6) "AddressFamily inet"}
-      ${lib.optionalString cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"}
-      ${lib.optionalString (cfg.forwardX11 != null)
-        "ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}"
-      }
-
-      ${lib.optionalString (
+      ''
+      ++ [
+        "GlobalKnownHostsFile ${builtins.concatStringsSep " " knownHostsFiles}"
+      ]
+      ++ lib.optional (!config.networking.enableIPv6) "AddressFamily inet"
+      ++ lib.optional cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"
+      ++ lib.optional (cfg.forwardX11 != null) "ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}"
+      ++ lib.optional (
         cfg.pubkeyAcceptedKeyTypes != [ ]
-      ) "PubkeyAcceptedKeyTypes ${builtins.concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"}
-      ${lib.optionalString (
+      ) "PubkeyAcceptedKeyTypes ${builtins.concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"
+      ++ lib.optional (
         cfg.hostKeyAlgorithms != [ ]
-      ) "HostKeyAlgorithms ${builtins.concatStringsSep "," cfg.hostKeyAlgorithms}"}
-      ${lib.optionalString (
+      ) "HostKeyAlgorithms ${builtins.concatStringsSep "," cfg.hostKeyAlgorithms}"
+      ++ lib.optional (
         cfg.kexAlgorithms != null
-      ) "KexAlgorithms ${builtins.concatStringsSep "," cfg.kexAlgorithms}"}
-      ${lib.optionalString (cfg.ciphers != null) "Ciphers ${builtins.concatStringsSep "," cfg.ciphers}"}
-      ${lib.optionalString (cfg.macs != null) "MACs ${builtins.concatStringsSep "," cfg.macs}"}
-    '';
+      ) "KexAlgorithms ${builtins.concatStringsSep "," cfg.kexAlgorithms}"
+      ++ lib.optional (cfg.ciphers != null) "Ciphers ${builtins.concatStringsSep "," cfg.ciphers}"
+      ++ lib.optional (cfg.macs != null) "MACs ${builtins.concatStringsSep "," cfg.macs}"
+    );
 
     environment.etc."ssh/ssh_known_hosts".text = knownHostsText;
 

nixos/modules/services/networking/ssh/sshd.nix

@@ -21,7 +21,6 @@ let
     let
       # reports boolean as yes / no
       mkValueString =
-        with lib;
         v:
         if lib.isInt v then
           toString v
@@ -456,7 +455,7 @@ in
                 default = "none"; # upstream default
                 description = ''
                   Specifies a file that lists principal names that are accepted for certificate authentication. The default
-                  is `"none"`, i.e. not to use	a principals file.
+                  is `"none"`, i.e. not to use a principals file.
                 '';
               };
               LogLevel = lib.mkOption {
@@ -825,37 +824,29 @@ in
       authPrincipalsFiles != { }
     ) "/etc/ssh/authorized_principals.d/%u";
 
-    services.openssh.extraConfig = lib.mkOrder 0 ''
-      Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}
-
-      AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
-      ${lib.concatMapStrings (port: ''
-        Port ${toString port}
-      '') cfg.ports}
-
-      ${lib.concatMapStrings (
-        { port, addr, ... }:
+    services.openssh.extraConfig = lib.mkOrder 0 (
+      lib.concatStringsSep "\n" (
+        [
+          "Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}"
+          "AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}"
+        ]
+        ++ lib.map (port: ''Port ${toString port}'') cfg.ports
+        ++ lib.map (
+          { port, addr, ... }:
+          ''ListenAddress ${addr}${lib.optionalString (port != null) (":" + toString port)}''
+        ) cfg.listenAddresses
+        ++ lib.optional cfgc.setXAuthLocation "XAuthLocation ${lib.getExe pkgs.xorg.xauth}"
+        ++ lib.optional cfg.allowSFTP ''Subsystem sftp ${cfg.sftpServerExecutable} ${lib.concatStringsSep " " cfg.sftpFlags}''
+        ++ [
+          "AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}"
+        ]
+        ++ lib.optional (cfg.authorizedKeysCommand != "none") ''
+          AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
+          AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}
         ''
-          ListenAddress ${addr}${lib.optionalString (port != null) (":" + toString port)}
-        ''
-      ) cfg.listenAddresses}
-
-      ${lib.optionalString cfgc.setXAuthLocation ''
-        XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
-      ''}
-      ${lib.optionalString cfg.allowSFTP ''
-        Subsystem sftp ${cfg.sftpServerExecutable} ${lib.concatStringsSep " " cfg.sftpFlags}
-      ''}
-      AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
-      ${lib.optionalString (cfg.authorizedKeysCommand != "none") ''
-        AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
-        AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}
-      ''}
-
-      ${lib.flip lib.concatMapStrings cfg.hostKeys (k: ''
-        HostKey ${k.path}
-      '')}
-    '';
+        ++ lib.map (k: "HostKey ${k.path}") cfg.hostKeys
+      )
+    );
 
     system.checks = [
       (pkgs.runCommand "check-sshd-config"