LnL7/nix-darwin
1
1
Fork 0
mirror of https://github.com/LnL7/nix-darwin.git synced 2024-09-19 08:37:17 +03:00
Code Issues Projects Releases Wiki Activity

Merge pull request #187 from kalbasit/known-hosts-only-if-set

Browse Source 
programs.ssh: write ssh known_hosts only if there are any set
This commit is contained in:
Michael Hoang 2023-09-26 01:05:13 +01:00 committed by GitHub
commit e236a1e598
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 19 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
modules/programs/ssh/default.nix
View File

@ -151,12 +151,13 @@ in
services.openssh.authorizedKeysFiles = [ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ];
environment.etc = authKeysFiles //
{ "ssh/ssh_known_hosts".text = (flip (concatMapStringsSep "\n") knownHosts
(h: assert h.hostNames != [];
concatStringsSep "," h.hostNames + " "
+ (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
)) + "\n";
{ "ssh/ssh_known_hosts" = mkIf (builtins.length knownHosts > 0) {
text = (flip (concatMapStringsSep "\n") knownHosts
(h: assert h.hostNames != [];
concatStringsSep "," h.hostNames + " "
+ (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
)) + "\n";
};
"ssh/sshd_config.d/101-authorized-keys.conf" = {
text = "AuthorizedKeysFile ${toString config.services.openssh.authorizedKeysFiles}\n";
# Allows us to automatically migrate from using a file to a symlink

1
release.nix
View File

@ -114,6 +114,7 @@ let
tests.programs-ssh = makeTest ./tests/programs-ssh.nix;
tests.programs-tmux = makeTest ./tests/programs-tmux.nix;
tests.programs-zsh = makeTest ./tests/programs-zsh.nix;
tests.programs-ssh-empty-known-hosts = makeTest ./tests/programs-ssh-empty-known-hosts.nix;
tests.security-pki = makeTest ./tests/security-pki.nix;
tests.services-activate-system = makeTest ./tests/services-activate-system.nix;
tests.services-activate-system-changed-label-prefix = makeTest ./tests/services-activate-system-changed-label-prefix.nix;

11
tests/programs-ssh-empty-known-hosts.nix Normal file
View File

@ -0,0 +1,11 @@
{ config, pkgs, ... }:
{
test = ''
echo >&2 "checking existance of /etc/ssh/ssh_known_hosts"
if test -e ${config.out}/etc/ssh/ssh_known_hosts; then
echo >&2 "/etc/ssh/ssh_known_hosts exists but it shouldn't!"
exit 1
fi
'';
}