diff --git a/modules/services/networking/ssh/sshd.nix b/modules/services/networking/ssh/sshd.nix
index e2bda953d72..88d8e5b0c29 100644
--- a/modules/services/networking/ssh/sshd.nix
+++ b/modules/services/networking/ssh/sshd.nix
@@ -1,60 +1,9 @@
{pkgs, config, ...}:
-###### interface
let
+
inherit (pkgs.lib) mkOption mkIf;
-
- options = {
- services = {
- sshd = {
-
- enable = mkOption {
- default = false;
- description = "
- Whether to enable the Secure Shell daemon, which allows secure
- remote logins.
- ";
- };
-
- forwardX11 = mkOption {
- default = true;
- description = "
- Whether to enable sshd to forward X11 connections.
- ";
- };
-
- allowSFTP = mkOption {
- default = true;
- description = "
- Whether to enable the SFTP subsystem in the SSH daemon. This
- enables the use of commands such as sftp and
- sshfs.
- ";
- };
-
- permitRootLogin = mkOption {
- default = "yes";
- description = "
- Whether the root user can login using ssh. Valid options
- are yes, without-password,
- forced-commands-only or
- no
- ";
- };
-
- gatewayPorts = mkOption {
- default = "no";
- description = "
- Specifies whether remote hosts are allowed to connect to ports forwarded for the client. See man sshd_conf.
- ";
- };
- };
- };
- };
-
-###### implementation
-
- inherit (pkgs) writeText openssh;
+ inherit (pkgs) openssh;
cfg = (config.services.sshd);
@@ -62,28 +11,27 @@ let
nssModulesPath = config.system.nssModules.path;
- sshdConfig = writeText "sshd_config" ''
+ sshdConfig = pkgs.writeText "sshd_config"
+ ''
+ Protocol 2
- Protocol 2
-
- UsePAM yes
-
- ${if cfg.forwardX11 then "
- X11Forwarding yes
- XAuthLocation ${pkgs.xlibs.xauth}/bin/xauth
- " else "
- X11Forwarding no
- "}
+ UsePAM yes
- ${if cfg.allowSFTP then "
- Subsystem sftp ${openssh}/libexec/sftp-server
- " else "
- "}
-
- PermitRootLogin ${cfg.permitRootLogin}
- GatewayPorts ${cfg.gatewayPorts}
-
- '';
+ ${if cfg.forwardX11 then "
+ X11Forwarding yes
+ XAuthLocation ${pkgs.xlibs.xauth}/bin/xauth
+ " else "
+ X11Forwarding no
+ "}
+
+ ${if cfg.allowSFTP then "
+ Subsystem sftp ${openssh}/libexec/sftp-server
+ " else "
+ "}
+
+ PermitRootLogin ${cfg.permitRootLogin}
+ GatewayPorts ${cfg.gatewayPorts}
+ '';
# !!! is this assertion evaluated anywhere???
assertion = cfg.permitRootLogin == "yes" ||
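Review bot: The `PermitRootLogin ${cfg.permitRootLogin}` and `GatewayPorts ${cfg.gatewayPorts}` lines splice option values straight into sshd_config with no validation, and the only check on permitRootLogin is the `assertion` binding below, which the existing comment itself doubts is ever evaluated. A value containing a newline would become additional sshd directives, and an invalid keyword is only noticed when sshd refuses to start at boot. Assuming `assertion` evaluates to a boolean as its first line suggests, forcing it at the point of use turns a bad value into an evaluation-time error: `PermitRootLogin ${assert assertion; cfg.permitRootLogin}`. The `assertion` definition continues past the end of this hunk.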
@@ -93,44 +41,98 @@ let
in
+{
-mkIf config.services.sshd.enable {
- require = [
- options
- ];
+ ###### interface
+
+ options = {
+
+ services.sshd = {
- users = {
- extraUsers = [
+ enable = mkOption {
+ default = false;
+ description = ''
+ Whether to enable the Secure Shell daemon, which allows secure
+ remote logins.
+ '';
+ };
+
+ forwardX11 = mkOption {
+ default = true;
+ description = ''
+ Whether to allow X11 connections to be forwarded.
+ '';
+ };
+
+ allowSFTP = mkOption {
+ default = true;
+ description = ''
+ Whether to enable the SFTP subsystem in the SSH daemon. This
+ enables the use of commands such as sftp and
+ sshfs.
+ '';
+ };
+
+ permitRootLogin = mkOption {
+ default = "yes";
+ description = ''
+ Whether the root user can login using ssh. Valid values are
+ yes, without-password,
+ forced-commands-only or
+ no.
+ '';
+ };
+
+ gatewayPorts = mkOption {
+ default = "no";
+ description = ''
+ Specifies whether remote hosts are allowed to connect to
+ ports forwarded for the client. See
+ sshd_config
+ 5.
+ '';
+ };
+
+ };
+
+ };
+
+
+ ###### implementation
+
+ config = mkIf config.services.sshd.enable {
+
+ users.extraUsers = pkgs.lib.singleton
{ name = "sshd";
uid = config.ids.uids.sshd;
description = "SSH privilege separation user";
home = "/var/empty";
- }
- ];
- };
+ };
- services = {
- extraJobs = [{
- name = "sshd";
+ jobs = pkgs.lib.singleton
+ { name = "sshd";
- job = ''
- description "SSH server"
+ description = "OpenSSH server";
- start on network-interfaces/started
- stop on network-interfaces/stop
+ startOn = "network-interfaces/started";
+ stopOn = "network-interfaces/stop";
- env LD_LIBRARY_PATH=${nssModulesPath}
+ environment = { LD_LIBRARY_PATH = nssModulesPath; };
- start script
+ preStart =
+ ''
mkdir -m 0755 -p /etc/ssh
if ! test -f /etc/ssh/ssh_host_dsa_key; then
${openssh}/bin/ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ""
fi
- end script
+ '';
+
+ exec = "${openssh}/sbin/sshd -D -h /etc/ssh/ssh_host_dsa_key -f ${sshdConfig}";
+
+ respawn = true;
+ };
- respawn ${openssh}/sbin/sshd -D -h /etc/ssh/ssh_host_dsa_key -f ${sshdConfig}
- '';
- }];
};
+
}
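Review bot: `permitRootLogin` keeps `default = "yes";`, so every host that sets `services.sshd.enable = true` accepts interactive root logins (with sshd's stock authentication defaults that includes password logins) unless the administrator remembers to override it; `default = "no";` or at least `"without-password"` would be the safer default for a daemon enabled per machine. None of the five options declares a `type`, although this same commit uses `type = types.bool;` for `respawn` in upstart.nix; typing `enable`, `forwardX11` and `allowSFTP` as bools and the two remaining options as strings (inheriting `types` from `pkgs.lib` next to `mkOption`) would reject values that cannot be rendered safely into sshd_config. Separately, `preStart` still generates only a 1024-bit DSA host key and `exec` serves only that key via `-h`; that predates this change, but an RSA host key should be generated and served alongside or instead of it.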
diff --git a/modules/system/upstart/upstart.nix b/modules/system/upstart/upstart.nix
index 6933b71c027..d7c9ecc489a 100644
--- a/modules/system/upstart/upstart.nix
+++ b/modules/system/upstart/upstart.nix
@@ -27,6 +27,8 @@ let
${if job.exec != "" then ''
exec ${job.exec}
'' else ""}
+
+ ${if job.respawn then "respawn" else ""}
'';
in
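Review bot: The new `${if job.respawn then "respawn" else ""}` stanza is driven by an option whose default, visible later in this file, is `true`, so every existing job that did not previously write `respawn` into its job text will now be restarted by upstart whenever its process exits, including one-shot jobs for which exiting is the normal outcome. The sshd job in this same commit sets `respawn = true;` explicitly, which suggests respawning was meant to be opt-in; `default = false;` on the option would preserve the previous behaviour for untouched jobs, or the option description should state that the default changes them. The job-file template this stanza is emitted from starts before this hunk.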
@@ -155,6 +157,15 @@ in
'';
};
+ respawn = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to restart the job automatically if its process
+ ends unexpectedly.
+ '';
+ };
+
environment = mkOption {
type = types.attrs;
default = {};