2009-05-27 23:59:14 +00:00
|
|
|
# Global configuration for the SSH client.
|
|
|
|
|
2013-10-25 13:47:30 +00:00
|
|
|
{ config, pkgs, ... }:
|
2009-05-27 23:59:14 +00:00
|
|
|
|
2012-03-25 15:42:05 +00:00
|
|
|
with pkgs.lib;
|
|
|
|
|
|
|
|
let cfg = config.programs.ssh;
|
|
|
|
cfgd = config.services.openssh;
|
|
|
|
|
|
|
|
in
|
2009-05-27 23:59:14 +00:00
|
|
|
{
|
2012-03-25 15:42:05 +00:00
|
|
|
###### interface
|
|
|
|
|
|
|
|
options = {
|
|
|
|
|
|
|
|
programs.ssh = {
|
|
|
|
|
|
|
|
forwardX11 = mkOption {
|
2013-10-30 16:37:45 +00:00
|
|
|
type = types.bool;
|
2012-10-10 06:21:45 +00:00
|
|
|
default = false;
|
2012-03-25 15:42:05 +00:00
|
|
|
description = ''
|
|
|
|
Whether to request X11 forwarding on outgoing connections by default.
|
|
|
|
This is useful for running graphical programs on the remote machine and have them display to your local X11 server.
|
|
|
|
Historically, this value has depended on the value used by the local sshd daemon, but there really isn't a relation between the two.
|
2012-11-18 19:05:18 +00:00
|
|
|
Note: there are some security risks to forwarding an X11 connection.
|
|
|
|
NixOS's X server is built with the SECURITY extension, which prevents some obvious attacks.
|
2012-10-10 06:21:45 +00:00
|
|
|
To enable or disable forwarding on a per-connection basis, see the -X and -x options to ssh.
|
2012-11-18 19:05:18 +00:00
|
|
|
The -Y option to ssh enables trusted forwarding, which bypasses the SECURITY extension.
|
2009-05-27 23:59:14 +00:00
|
|
|
'';
|
2012-03-25 15:42:05 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
setXAuthLocation = mkOption {
|
2013-10-30 16:37:45 +00:00
|
|
|
type = types.bool;
|
2012-03-25 15:42:05 +00:00
|
|
|
default = true;
|
|
|
|
description = ''
|
2013-10-25 13:47:30 +00:00
|
|
|
Whether to set the path to <command>xauth</command> for X11-forwarded connections.
|
2013-10-30 16:37:45 +00:00
|
|
|
This causes a dependency on X11 packages.
|
2012-03-25 15:42:05 +00:00
|
|
|
'';
|
|
|
|
};
|
2013-08-25 19:54:21 +00:00
|
|
|
|
|
|
|
extraConfig = mkOption {
|
2013-10-30 16:37:45 +00:00
|
|
|
type = types.lines;
|
2013-08-25 19:54:21 +00:00
|
|
|
default = "";
|
|
|
|
description = ''
|
|
|
|
Extra configuration text appended to <filename>ssh_config</filename>.
|
2013-10-30 16:37:45 +00:00
|
|
|
See <citerefentry><refentrytitle>ssh_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
|
|
for help.
|
2013-08-25 19:54:21 +00:00
|
|
|
'';
|
|
|
|
};
|
2012-03-25 15:42:05 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = {
|
2013-10-25 13:47:30 +00:00
|
|
|
|
|
|
|
assertions = singleton
|
|
|
|
{ assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
|
|
|
|
message = "cannot enable X11 forwarding without setting XAuth location";
|
|
|
|
};
|
|
|
|
|
2012-03-25 15:42:05 +00:00
|
|
|
environment.etc =
|
|
|
|
[ { # SSH configuration. Slight duplication of the sshd_config
|
|
|
|
# generation in the sshd service.
|
|
|
|
source = pkgs.writeText "ssh_config" ''
|
2012-10-29 16:10:17 +00:00
|
|
|
AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
|
2012-03-25 15:42:05 +00:00
|
|
|
${optionalString cfg.setXAuthLocation ''
|
|
|
|
XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
|
|
|
|
''}
|
2012-10-29 16:10:37 +00:00
|
|
|
ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}
|
2013-08-25 19:54:21 +00:00
|
|
|
${cfg.extraConfig}
|
2012-03-25 15:42:05 +00:00
|
|
|
'';
|
|
|
|
target = "ssh/ssh_config";
|
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
2009-05-27 23:59:14 +00:00
|
|
|
}
|