nixpkgs/modules/services/networking/ssh/sshd.nix
Eelco Dolstra 89ef5c979b * New nixos-rebuild action: "nixos-rebuild build-vm" builds a virtual
machine containing a replica (minus the state) of the system
  configuration.  This is mostly useful for testing configuration
  changes prior to doing an actual "nixos-rebuild switch" (or even
  "nixos-rebuild test").  The VM can be started as follows:

  $ nixos-rebuild build-vm
  $ ./result/bin/run-*-vm

  which starts a KVM/QEMU instance.  Additional QEMU options can be
  passed through the QEMU_OPTS environment variable
  (e.g. QEMU_OPTS="-redir tcp:8080::80" to forward a host port to the
  guest).  The fileSystem attribute of the regular system
  configuration is ignored (using mkOverride), because obviously we
  can't allow the VM to access the host's block devices.  Instead, at
  startup the VM creates an empty disk image in ./<hostname>.qcow2 to
  store the VM's root filesystem.

  Building a VM in this way is efficient because the VM shares its Nix
  store with the host (through a CIFS mount).  However, because the
  Nix store of the host is mounted read-only in the guest, you cannot
  run Nix build actions inside the VM.  Therefore the VM can only be
  reconfigured by re-running "nixos-rebuild build-vm" on the host and
  restarting the VM.

svn path=/nixos/trunk/; revision=16662
2009-08-11 01:35:56 +00:00


{pkgs, config, ...}:
let
  # Option/condition helpers from the NixOS library and the OpenSSH package.
  mkOption = pkgs.lib.mkOption;
  mkIf = pkgs.lib.mkIf;
  openssh = pkgs.openssh;
  # Shorthand for the values the user set under services.sshd.
  cfg = config.services.sshd;
  # Search path of the system's NSS modules; handed to the sshd job via
  # LD_LIBRARY_PATH below (presumably so the daemon's user/group lookups use
  # the same NSS modules as the host — confirm).
  nssModulesPath = config.system.nssModules.path;
sshdConfig =
  let
    # X11 forwarding is only switched on when forwardX11 is set; XAuthLocation
    # then points sshd at the xauth binary it needs for the forwarded display.
    x11Lines =
      if cfg.forwardX11 then "
X11Forwarding yes
XAuthLocation ${pkgs.xlibs.xauth}/bin/xauth
" else "
X11Forwarding no
";
    # The SFTP subsystem is served by OpenSSH's own sftp-server helper.
    sftpLines =
      if cfg.allowSFTP then "
Subsystem sftp ${openssh}/libexec/sftp-server
" else "
";
  in
  # Generated sshd_config in the Nix store; the daemon is started with -f
  # pointing at it.  PermitRootLogin and GatewayPorts are spliced in verbatim
  # from the option values, so anything not validated elsewhere ends up in the
  # daemon's configuration as written.
  pkgs.writeText "sshd_config" ''
    Protocol 2
    UsePAM yes
    ${x11Lines}
    ${sftpLines}
    PermitRootLogin ${cfg.permitRootLogin}
    GatewayPorts ${cfg.gatewayPorts}
  '';
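# Sanity check on the option values that are spliced verbatim into
# sshd_config.  gatewayPorts is checked alongside permitRootLogin because it
# is interpolated into the daemon's configuration the same unchecked way.
# A `let` binding is lazy: this only takes effect where it is forced with
# `assert` at the point the values are consumed; on its own it does nothing.
assertion =
  builtins.elem cfg.permitRootLogin
    [ "yes" "without-password" "forced-commands-only" "no" ]
  && builtins.elem cfg.gatewayPorts [ "yes" "no" "clientspecified" ];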
in
{
###### interface
options = {

  # Master switch; everything under `config` below is gated on it.
  services.sshd.enable = mkOption {
    default = false;
    description = ''
      Whether to enable the Secure Shell daemon, which allows secure
      remote logins.
    '';
  };

  # Controls the X11Forwarding/XAuthLocation lines of the generated
  # sshd_config.  Enabled by default; forwarding exposes the client's X
  # display to programs running on this host, so it is a deliberate choice.
  services.sshd.forwardX11 = mkOption {
    default = true;
    description = ''
      Whether to allow X11 connections to be forwarded.
    '';
  };

  # Controls the "Subsystem sftp" line of the generated sshd_config.
  services.sshd.allowSFTP = mkOption {
    default = true;
    description = ''
      Whether to enable the SFTP subsystem in the SSH daemon. This
      enables the use of commands such as <command>sftp</command> and
      <command>sshfs</command>.
    '';
  };

  # Written verbatim as the PermitRootLogin directive.  The default "yes"
  # permits password logins for root; "without-password" (public key only)
  # or "no" is the safer choice for a host reachable from untrusted networks.
  services.sshd.permitRootLogin = mkOption {
    default = "yes";
    description = ''
      Whether the root user can login using ssh. Valid values are
      <literal>yes</literal>, <literal>without-password</literal>,
      <literal>forced-commands-only</literal> or
      <literal>no</literal>.
    '';
  };

  # Written verbatim as the GatewayPorts directive; "no" keeps remote
  # forwards bound to the loopback interface.
  services.sshd.gatewayPorts = mkOption {
    default = "no";
    description = ''
      Specifies whether remote hosts are allowed to connect to
      ports forwarded for the client. See
      <citerefentry><refentrytitle>sshd_config</refentrytitle>
      <manvolnum>5</manvolnum></citerefentry>.
    '';
  };

};
###### implementation
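config = mkIf config.services.sshd.enable (
  # Force the option-value check defined in the `let` block above.  A Nix
  # binding is lazy, so without this `assert` an invalid permitRootLogin or
  # gatewayPorts value would be written into sshd_config unchecked.
  assert assertion;
  {
    # Unprivileged account for sshd's privilege-separated child process.
    users.extraUsers = pkgs.lib.singleton
      { name = "sshd";
        uid = config.ids.uids.sshd;
        description = "SSH privilege separation user";
        home = "/var/empty";
      };

    jobs = pkgs.lib.singleton
      { name = "sshd";
        description = "OpenSSH server";
        startOn = "network-interfaces/started";
        stopOn = "network-interfaces/stop";
        # NOTE(review): presumably so the daemon's NSS lookups load the same
        # modules as the host — confirm.
        environment = { LD_LIBRARY_PATH = nssModulesPath; };

        # Generate host keys on first start, keeping any that already exist.
        # The 1024-bit DSA key is kept for compatibility with the previous
        # behaviour; a 2048-bit RSA host key is added because 1024-bit DSA is
        # considered weak.  Both keys are passed to sshd with -h below.
        preStart =
          ''
            mkdir -m 0755 -p /etc/ssh
            if ! test -f /etc/ssh/ssh_host_dsa_key; then
              ${openssh}/bin/ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ""
            fi
            if ! test -f /etc/ssh/ssh_host_rsa_key; then
              ${openssh}/bin/ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N ""
            fi
          '';

        # -D keeps sshd in the foreground for the job supervisor; -f points it
        # at the generated sshd_config from the Nix store rather than
        # /etc/ssh/sshd_config.
        exec = "${openssh}/sbin/sshd -D -h /etc/ssh/ssh_host_dsa_key -h /etc/ssh/ssh_host_rsa_key -f ${sshdConfig}";
      };

    # Open the standard SSH port in the host firewall.
    networking.firewall.allowedTCPPorts = [22];
  }
);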
}