Merge pull request #309036 from tomfitzhenry/sshd-package

nixos/ssh: add services.openssh.package
2025-01-19 19:34:06 +00:00 · 2024-05-27 09:40:31 +02:00 · 2024-05-27 09:40:31 +02:00 · 00015f3ef9
commit 00015f3ef9
parent e8e045b1fc ff1c82ee07
2 changed files with 19 additions and 12 deletions
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@ -5,11 +5,11 @@ with lib;
 let

  # The splicing information needed for nativeBuildInputs isn't available
-  # on the derivations likely to be used as `cfgc.package`.
+  # on the derivations likely to be used as `cfg.package`.
  # This middle-ground solution ensures *an* sshd can do their basic validation
  # on the configuration.
  validationPackage = if pkgs.stdenv.buildPlatform == pkgs.stdenv.hostPlatform
-    then cfgc.package
+    then cfg.package
    else pkgs.buildPackages.openssh;

  # dont use the "=" operator
@ -169,6 +169,13 @@ in
        '';
      };

+      package = mkOption {
+        type = types.package;
+        default = config.programs.ssh.package;
+        defaultText = literalExpression "programs.ssh.package";
+        description = "OpenSSH package to use for sshd.";
+      };
+
      startWhenNeeded = mkOption {
        type = types.bool;
        default = false;
@ -544,8 +551,8 @@ in
      };
    users.groups.sshd = {};

-    services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli";
-    services.openssh.sftpServerExecutable = mkDefault "${cfgc.package}/libexec/sftp-server";
+    services.openssh.moduliFile = mkDefault "${cfg.package}/etc/ssh/moduli";
+    services.openssh.sftpServerExecutable = mkDefault "${cfg.package}/libexec/sftp-server";

    environment.etc = authKeysFiles // authPrincipalsFiles //
      { "ssh/moduli".source = cfg.moduliFile;
@ -559,7 +566,7 @@ in
            wantedBy = optional (!cfg.startWhenNeeded) "multi-user.target";
            after = [ "network.target" ];
            stopIfChanged = false;
-            path = [ cfgc.package pkgs.gawk ];
+            path = [ cfg.package pkgs.gawk ];
            environment.LD_LIBRARY_PATH = nssModulesPath;

            restartTriggers = optionals (!cfg.startWhenNeeded) [
@ -593,7 +600,7 @@ in
            serviceConfig =
              { ExecStart =
                  (optionalString cfg.startWhenNeeded "-") +
-                  "${cfgc.package}/bin/sshd " + (optionalString cfg.startWhenNeeded "-i ") +
+                  "${cfg.package}/bin/sshd " + (optionalString cfg.startWhenNeeded "-i ") +
                  "-D " +  # don't detach into a daemon process
                  "-f /etc/ssh/sshd_config";
                KillMode = "process";
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@ -111,11 +111,11 @@ in {
    server-no-openssl =
      { ... }:
      {
-        programs.ssh.package = pkgs.opensshPackages.openssh.override {
-          linkOpenssl = false;
-        };
        services.openssh = {
          enable = true;
+          package = pkgs.opensshPackages.openssh.override {
+            linkOpenssl = false;
+          };
          hostKeys = [
            { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
          ];
@ -136,11 +136,11 @@ in {
    server-no-pam =
      { pkgs, ... }:
      {
-        programs.ssh.package = pkgs.opensshPackages.openssh.override {
-          withPAM = false;
-        };
        services.openssh = {
          enable = true;
+          package = pkgs.opensshPackages.openssh.override {
+            withPAM = false;
+          };
          settings = {
            UsePAM = false;
          };