jolheiser/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
198,893 Commits 266 Branches 122 Tags 5.3 GiB
2abe2b2cda
Commit Graph

88 Commits

Author SHA1 Message Date
danbst
0f8596ab3f mass replace "flip map -> forEach" 
See `forEach`-introduction commit.
```
rg 'flip map ' --files-with-matches | xargs sed -i 's/flip map /forEach /g'
```
 2019-08-05 14:03:38 +03:00
danbst
91bb646e98 Revert "mass replace "flip map -> foreach"" 
This reverts commit 3b0534310c89d04fc3a9c5714b5a4d0f9fb0efca.
 2019-08-05 14:01:45 +03:00
danbst
3b0534310c mass replace "flip map -> foreach" 
See `foreach`-introduction commit.
```
rg 'flip map ' --files-with-matches | xargs sed -i 's/flip map /foreach /g'
```
 2019-07-14 13:46:10 +03:00
Samuel Dionne-Riel
861bbbcb3c nixos/sshd: fixes validation for cross-compilation 
See https://github.com/NixOS/nixpkgs/pull/62853
 2019-06-15 00:56:42 -04:00
Franz Pletz
eb7c11d552
Merge pull request #58718 from Ma27/validate-ssh-configs 
nixos/sshd: validate ssh configs during build
 2019-05-24 18:30:04 +00:00
Maximilian Bosch
00a5222499
nixos/sshd: validate ssh configs during build 
With `sshd -t` config validation for SSH is possible. Until now, the
config generated by Nix was applied without any validation (which is
especially a problem for advanced config like `Match` blocks).

When deploying broken ssh config with nixops to a remote machine it gets
even harder to fix the problem due to the broken ssh that makes reverts
with nixops impossible.

This change performs the validation in a Nix build environment by
creating a store path with the config and generating a mocked host key
which seems to be needed for the validation. With a broken config, the
deployment already fails during the build of the derivation.

The original attempt was done in #56345 by adding a submodule for Match
groups to make it harder screwing that up, however that made the module
far more complex and config should be described in an easier way as
described in NixOS/rfcs#42.
 2019-05-24 20:16:53 +02:00
Aneesh Agrawal
24ae4ae604 nixos/sshd: Remove obsolete Protocol options (#59136) 
OpenSSH removed server side support for the v.1 Protocol
in version 7.4: https://www.openssh.com/txt/release-7.4,
making this option a no-op.
 2019-04-08 09:49:31 +02:00
Nikita Uvarov
131e31cd1b
sshd: fix startWhenNeeded and listenAddresses combination 
Previously, if startWhenNeeded was set, listenAddresses option was
ignored and daemon was listening on all interfaces.
Fixes #56325.
 2019-02-25 00:51:58 +01:00
danbst
27982b408e types.optionSet: deprecate and remove last usages 2019-01-31 00:41:10 +02:00
ajs124
325e314aae
sshd: Add restartTrigger for sshd_config 
Co-Authored-By: Franz Pletz <fpletz@fnordicwalking.de>
 2019-01-02 20:11:01 +01:00
Daniel Rutz
c98a7bf8f2 nixos/sshd: Use port type instead of int 
This change leads to an additional check of the port number at build time, making invalid port values impossible.
 2018-10-18 23:42:20 +02:00
volth
2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
Franz Pletz
ea9078b76b
Merge pull request #41745 from rvolosatovs/fix/sshd 
nixos: Add more ssh-keygen params
 2018-07-14 16:29:46 +00:00
Florian Klink
fff5923686 nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
Roman Volosatovs
1846a85b77
sshd: Add issue references to services.openssh.authorizedKeysFiles 2018-06-12 18:30:53 +02:00
Roman Volosatovs
9953edaf75
sshd: Support more ssh-keygen parameters 2018-06-12 18:26:20 +02:00
Izorkin
9ef30fd56a sshd: change location of config file (#41744) 
create symlink /etc/ssh/sshd_config
 2018-06-10 01:39:06 +02:00
Izorkin
ad11b960e9 sshd: add custom options 2018-05-19 11:52:00 +03:00
Silvan Mosberger
ee3fd4ad53
nixos/sshd: add options for kexAlgorithms, ciphers and MACs 2018-04-20 19:05:19 +02:00
Eelco Dolstra
6bc889205a
sshd: Remove UsePrivilegeSeparation option 
This option is deprecated, see https://www.openssh.com/txt/release-7.5.
 2018-02-08 13:32:55 +01:00
Leon Schuermann
c61a9dfd2e
sshd: provide option to disable firewall altering 2018-01-18 22:55:28 +08:00
Dmitry Moskowski
ed26bc5931
sshd: Start after network target 2017-12-24 14:57:14 +00:00
Tim Steinbach
48252b15b9
sshd: Remove ripemd160 MACs 
They are invalid for our OpenSSH
 2017-11-21 09:36:51 -05:00
jeaye
2a8bd9e2a1
nixos/ssh: Harden config defaults 2017-11-16 20:25:37 -08:00
jeaye
ec80c92825
nixos/ssh: Remove support for old host keys 2017-11-16 20:25:22 -08:00
Peter Hoeg
07bc859e9a Revert "ssh: deprecate use of old DSA keys" 
This reverts commit 65b73d71cbe5df15ce62024123eedea284d825db.
 2017-10-14 14:42:49 +08:00
Peter Hoeg
65b73d71cb ssh: deprecate use of old DSA keys 
They are not safe and shouldn't be used.
 2017-10-14 14:38:04 +08:00
Franz Pletz
dc08dcf6e7
ssh service: add sftpFlags option 2017-09-18 21:52:07 +02:00
Joachim Schiele
3d52203ab2 sshd.nix: Added nixops usage warning of openssh.authorizedKeys.keys usage 2017-06-22 11:50:09 +02:00
Aneesh Agrawal
769b991be6 openssh: 7.4p1 -> 7.5p1 
Release notes are available at https://www.openssh.com/txt/release-7.5.
Mostly a bugfix release, no major backwards-incompatible changes.

Remove deprecated `UsePrivilegeSeparation` option,
which is now mandatory.
 2017-04-10 19:39:22 -04:00
Eelco Dolstra
80b40fdf03
sshd.nix: Alternative fix for #19589 
AFAICT, this issue only occurs when sshd is socket-activated. It turns
out that the preStart script's stdout and stderr are connected to the
socket, not just the main command's. So explicitly connect stderr to
the journal and redirect stdout to stderr.
 2017-03-31 16:18:58 +02:00
Eelco Dolstra
4e79b0b075
Revert "sshd: separate key generation into another service" 
This reverts commit 1a74eedd074fac69d12cecb767dc207a4bfea1bb. It
breaks NixOps, which expects that

  rm -f /etc/ssh/ssh_host_ed25519_key*
  systemctl restart sshd
  cat /etc/ssh/ssh_host_ed25519_key.pub

works.
 2017-03-31 16:18:58 +02:00
Graham Christensen
8ed4c8b73b
openssh: 7.4p1 no longer backgrounds when systemd is starting it. 2016-12-29 17:04:46 -05:00
Eelco Dolstra
d69dce080d
Fix setting programs.ssh.setXAuthLocation 
The configuration { services.openssh.enable = true;
services.openssh.forwardX11 = false; } caused
programs.ssh.setXAuthLocation to be set to false, which was not the
intent. The intent is that programs.ssh.setXAuthLocation should be
automatically enabled if needed or if xauth is already available.
 2016-11-21 16:19:51 +01:00
Anmol Sethi
1a74eedd07 sshd: separate key generation into another service 
Fixes #19589
 2016-10-20 23:14:37 -04:00
Joachim F
0906a0f197 Merge pull request #18491 from groxxda/network-interfaces 
Replace Network-interfaces.target
 2016-10-02 16:34:37 +02:00
Jörg Thalheim
cd673d3c26 Merge pull request #19138 from nhooyr/openssh 
openssh: support prohibit-password for permitRootLogin
 2016-10-02 15:26:21 +02:00
Anmol Sethi
6891bb1c59
openssh: support prohibit-password for permitRootLogin 
See 1dc8d93ce6

I also made it the default.
 2016-10-01 13:23:56 -04:00
Alexander Ried
60430b140c lshd service: remove use of network-interfaces.target 2016-09-13 11:19:22 +02:00
Eric Sagnes
48d6fa933c sshd module: optionSet -> submodule 2016-09-13 12:53:11 +09:00
Eelco Dolstra
520cb14f16 Fix infinite recursion introduced by f3c32cb2c1344c9a831bb9e4f47c1b20527dbe0b 2016-09-05 18:17:22 +02:00
Eelco Dolstra
f3c32cb2c1 Let services.openssh.forwardX11 imply programs.ssh.setXAuthLocation 2016-09-05 15:38:42 +02:00
Peter Hoeg
c4cba0e51f ssh module: ignore exit code when socket activated 
sshd will at times fail when exiting. When socket activated, this will
leave a number of sshd@ service instances in the failed state, so we
simply ignore the error code if we are running socket activated.

Recommended by upstream:
http://systemd-devel.freedesktop.narkive.com/d0eapMCG/socket-activated-sshd-service-showing-up-as-a-failure-when-the-client-connection-fails

Fixes: #3279
 2016-08-04 16:47:44 +08:00
Данило Глинський (Danylo Hlynskyi)
bc2fe9f2cd typo in authorizedKeysFiles 2016-05-12 18:01:17 +03:00
Aneesh Agrawal
bb39304ce6 openssh: use bin instead of sbin folder 
References #11939.
 2016-03-05 23:56:32 -05:00
Eelco Dolstra
d9d6a92d5e sshd.nix: Ensure global config goes before user Match blocks 
Hopefully fixes #13393.
 2016-02-23 18:03:33 +01:00
Eelco Dolstra
a7b7ac8bfb openssh: Enable DSA host/client keys 
This applies a patch from Fedora to make HostKeyAlgorithms do the
right thing, fixing the issue described in
401782cb678d2e28c0f7f2d40c6421624f410148.
 2016-02-01 16:31:43 +01:00
Robin Gloster
88292fdf09 jobs -> systemd.services 2016-01-07 06:39:06 +00:00
Eelco Dolstra
14321ae243 Rename users.extraUsers -> users.users, users.extraGroup -> users.groups 
The "extra" part hasn't made sense for years.
 2015-09-02 17:34:23 +02:00
Eelco Dolstra
287c08d8a3 Rename services.openssh.knownHosts -> programs.ssh.knownHosts 
This option configures the SSH client, not the server.
 2015-08-27 15:32:46 +02:00