Revert "nixos/ssh: disable authorizedKeysInHomedir by default"

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -397,9 +397,6 @@
     * from `/var/log/private/gns3` to `/var/log/gns3`
   and to change the ownership of these directories and their contents to `gns3` (including `/etc/gns3`).
 
-- The `sshd` module now doesn't include `%h/.ssh/authorized_keys` as `AuthorizedKeysFile` unless
-  `services.openssh.authorizedKeysInHomedir` is set to `true` (the default is `false` for `stateVersion` 24.11 onwards).
-
 - Legacy package `stalwart-mail_0_6` was dropped, please note the
   [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md)
   before changing the package to `pkgs.stalwart-mail` in

nixos/modules/services/networking/ssh/sshd.nix

@@ -108,10 +108,6 @@ let
 
   };
 
-  usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u:
-    lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0
-  ));
-
   authKeysFiles = let
     mkAuthKeyFile = u: lib.nameValuePair "ssh/authorized_keys.d/${u.name}" {
       mode = "0444";
@@ -120,6 +116,9 @@ let
         ${lib.concatMapStrings (f: lib.readFile f + "\n") u.openssh.authorizedKeys.keyFiles}
       '';
     };
+    usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u:
+      lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0
+    ));
   in lib.listToAttrs (map mkAuthKeyFile usersWithKeys);
 
   authPrincipalsFiles = let
@@ -303,8 +302,7 @@ in
 
       authorizedKeysInHomedir = lib.mkOption {
         type = lib.types.bool;
-        default = lib.versionOlder config.system.stateVersion "24.11";
-        defaultText = lib.literalMD "`false` unless [](#opt-system.stateVersion) is 24.05 or older";
+        default = true;
         description = ''
           Enables the use of the `~/.ssh/authorized_keys` file.
 
@@ -546,17 +544,6 @@ in
 
   config = lib.mkIf cfg.enable {
 
-    warnings = lib.optional (with cfg; lib.all lib.id [
-      # ~/.ssh/authorized_keys is ignored and no custom file locations were set
-      (authorizedKeysFiles == [ "/etc/ssh/authorized_keys.d/%u" ])
-      # no command provides authorized keys
-      (authorizedKeysCommand == "none")
-      # no users have keys in declarative configuration
-      (usersWithKeys == [])
-      # no authentication methods other than public keys are configured
-      ((settings.PasswordAuthentication == false && !package.withKerberos) || settings.AuthenticationMethods == [ "publickey" ])
-    ]) "services.openssh: no keys were set in `users.users.*.openssh.authorizedKeys` and `~/.ssh/authorized_keys` will be ignored";
-
     users.users.sshd =
       {
         isSystemUser = true;

nixos/tests/openssh.nix

@@ -14,10 +14,7 @@ in {
       { ... }:
 
       {
-        services.openssh = {
-          enable = true;
-          authorizedKeysInHomedir = true;
-        };
+        services.openssh.enable = true;
         security.pam.services.sshd.limits =
           [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
         users.users.root.openssh.authorizedKeys.keys = [
@@ -42,11 +39,7 @@ in {
       { ... }:
 
       {
-        services.openssh = {
-          enable = true;
-          startWhenNeeded = true;
-          authorizedKeysInHomedir = true;
-        };
+        services.openssh = { enable = true; startWhenNeeded = true; };
         security.pam.services.sshd.limits =
           [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
         users.users.root.openssh.authorizedKeys.keys = [