# nixos-config - My current NixOS configuration # # Copyright (C) 2025 Benedikt Peetz # SPDX-License-Identifier: GPL-3.0-or-later # # This file is part of my nixos-config. # # You should have received a copy of the License along with this program. # If not, see . { config, lib, pkgs, ... }: let cfg = config.soispha.programs.ssh; mkDefaultMatchBlock = UserKnownHostsFile: { AddKeysToAgent = "no"; Compression = true; ControlMaster = "no"; ControlPersist = "no"; ForwardAgent = false; HashKnownHosts = false; ServerAliveCountMax = 3; ServerAliveInterval = 240; inherit UserKnownHostsFile; }; in { options.soispha.programs.ssh = { enable = lib.mkEnableOption "ssh config"; rootKnownHosts = lib.mkOption { type = lib.types.attrsOf lib.types.str; description = '' An attrset of keys (the domain) and values (the host key.) These are only applied to the root user. ''; default = {}; apply = value: builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (hostName: hostKey: "${hostName} ${hostKey}") value); }; }; config = lib.mkIf cfg.enable { home-manager.users = { root.programs.ssh = { enable = true; enableDefaultConfig = false; settings = { "Host *" = mkDefaultMatchBlock ( builtins.toString (pkgs.writeTextFile { name = "root-known-hosts"; text = cfg.rootKnownHosts; }) ); "Host *.your-storagebox.de" = { # Don't try to authenticate via password for these, because we need to use the # forced commands, and they are only provided via the ssh key login. # So password login is a footgun (it is, however, valid to use it for non-root # use-cases) PasswordAuthentication = false; }; }; }; soispha.programs.ssh = { enable = true; enableDefaultConfig = false; settings = { "Host *" = mkDefaultMatchBlock "${config.home-manager.users.soispha.xdg.dataHome}/ssh/known_hosts"; "Host *.your-storagebox.de" = { # Port 22 is for sftp, and when we connect as user, we probably want an # interactive shell. Port = 23; }; }; }; }; }; }