nixos/ssh: apply options after extraConfig

Otherwise, the standard options (e.g. AddressFamily) cannot be overriden in extraConfig, as the option is applied on the first (not most specific) match. Closes #52267
2024-11-01 07:01:54 +00:00 · 2019-01-10 11:40:18 +00:00 · 2019-01-10 11:40:18 +00:00 · de7abf63b8
commit de7abf63b8
parent f7c6e6bbe3
1 changed files with 7 additions and 3 deletions
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@ -88,7 +88,8 @@ in
        type = types.lines;
        default = "";
        description = ''
-          Extra configuration text appended to <filename>ssh_config</filename>.
+          Extra configuration text prepended to <filename>ssh_config</filename>. Other generated
+          options will be added after a <code>Host *</code> pattern.
          See <citerefentry><refentrytitle>ssh_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for help.
        '';
@ -203,6 +204,11 @@ in
    # generation in the sshd service.
    environment.etc."ssh/ssh_config".text =
      ''
+        # Custom options from `extraConfig`, to override generated options
+        ${cfg.extraConfig}
+
+        # Generated options from other settings
+        Host *
        AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}

        ${optionalString cfg.setXAuthLocation ''
@ -213,8 +219,6 @@ in

        ${optionalString (cfg.pubkeyAcceptedKeyTypes != []) "PubkeyAcceptedKeyTypes ${concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"}
        ${optionalString (cfg.hostKeyAlgorithms != []) "HostKeyAlgorithms ${concatStringsSep "," cfg.hostKeyAlgorithms}"}
-
-        ${cfg.extraConfig}
      '';

    environment.etc."ssh/ssh_known_hosts".text = knownHostsText;