From e12337156c35ed2bfd245a995e0e77a6192f94ee Mon Sep 17 00:00:00 2001
From: Vladimir Still
Date: Sun, 31 Aug 2014 13:15:39 +0200
Subject: [PATCH 1/4] sshd: Allow to specify ListenAddress.
---
 .../modules/services/networking/ssh/sshd.nix | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index e4b29a0b909..3eb646f0750 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -144,6 +144,33 @@ in
 '';
 };
 
+ listenAddresses = mkOption {
+ type = types.listOf types.optionSet;
+ default = [];
+ example = [ { addr = "192.168.3.1"; port = 22; } { addr = "0.0.0.0"; port = 64022; } ];
+ description = ''
+ List of addresses and ports to listen on (ListenAddress directive
+ in config). If port is not specified for address sshd will listen
+ on all ports specified by ports option.
+ '';
+ options = {
+ addr = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ Host, IPv4 or IPv6 address to listen to.
+ '';
+ };
+ port = mkOption {
+ type = types.nullOr types.int;
+ default = null;
+ description = ''
+ Port to listen to.
+ '';
+ };
+ };
+ };
+
 passwordAuthentication = mkOption {
 type = types.bool;
 default = true;
@@ -349,6 +376,10 @@ in
 Port ${toString port}
 '') cfg.ports}
 
+ ${concatMapStrings ({ port, addr }: ''
+ ListenAddress ${addr}${if port != null then ":" + toString port else ""}
+ '') cfg.listenAddresses}
+
 ${optionalString cfgc.setXAuthLocation ''
 XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
 ''}
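Review bot: The `addr` sub-option in this hunk is declared `type = types.nullOr types.str;` with `default = null;` only so that a later assertion (the third hunk of this patch) can reject the null again, which reports a missing address late and through a hand-written message. Declaring it as `type = types.str;` with no default should let the module system refuse an entry without `addr` at evaluation time with its standard "option is used but not defined" error, and the `addr != null` assertion becomes unnecessary. `port` can keep `nullOr`, because null there has a documented meaning (fall back to the `ports` option). The `options` set that `listenAddresses` is added to starts and ends outside the hunk.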
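Review bot: The rendered line `ListenAddress ${addr}${if port != null then ":" + toString port else ""}` in the second hunk yields `ListenAddress ::1:22` for an IPv6 address combined with a port, which sshd cannot split unambiguously; sshd_config(5) specifies the bracket form `[host|IPv6_addr]:port` for that case, and the `addr` description in the first hunk explicitly invites IPv6 addresses. Because the bracketed form is documented for hostnames as well, the smallest fix is to bracket whenever a port is given: `ListenAddress ${if port != null then "[${addr}]:${toString port}" else addr}`; otherwise the `addr` description should at least say that IPv6 addresses must be written in brackets when `port` is set. `addr` is also interpolated unchecked into sshd_config, so a value containing whitespace or a newline would be read as further directives, which argues for validating it rather than accepting any `types.str`. The configuration string this block lives in starts and ends outside the hunk.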
@@ -383,6 +414,10 @@ in
 assertion = (data.publicKey == null && data.publicKeyFile != null) ||
 (data.publicKey != null && data.publicKeyFile == null);
 message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
+ })
+ ++ flip map cfg.listenAddresses ({ addr, port }: {
+ assertion = addr != null;
+ message = "addr must be spefied in each listenAddresses entry";
 });
 
 };
From ac39d839c3dccb2890b64a3fbe1a28d8aba1007f Mon Sep 17 00:00:00 2001
From: Vladimir Still
Date: Sun, 31 Aug 2014 17:21:14 +0200
Subject: [PATCH 2/4] sshd: Add note about firewall and listenAddresses.
---
 nixos/modules/services/networking/ssh/sshd.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 3eb646f0750..9b2f56fa400 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -152,6 +152,8 @@ in
 List of addresses and ports to listen on (ListenAddress directive
 in config). If port is not specified for address sshd will listen
 on all ports specified by ports option.
+ NOTE: setting this option won't automatically enable given ports
+ in firewall configuration.
 '';
 options = {
 addr = mkOption {
From a2394f09c7003efc238eb065afdd57221f6ba257 Mon Sep 17 00:00:00 2001
From: Vladimir Still
Date: Mon, 1 Sep 2014 13:02:39 +0200
Subject: [PATCH 3/4] sshd: Add note about listening on port 22 to listenAddresses.
---
 nixos/modules/services/networking/ssh/sshd.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 9b2f56fa400..956c31a8ba3 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
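Review bot: The new assertion `assertion = addr != null;` checks only the address; a `port` outside 1–65535 (0 or a negative value is accepted by `types.int`) passes evaluation and is first rejected when sshd refuses its config at service start, which on a remote host means losing SSH access after a rebuild. Extending the check to `assertion = addr != null && (port == null || (port > 0 && port < 65536));` and adjusting the message accordingly keeps that failure at evaluation time. The `assertions` list this expression is appended to starts outside the hunk.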
@@ -151,7 +151,8 @@ in
 description = ''
 List of addresses and ports to listen on (ListenAddress directive
 in config). If port is not specified for address sshd will listen
- on all ports specified by ports option.
+ on all ports specified by ports option.
+ NOTE: this will override default listening on all local addresses and port 22.
 NOTE: setting this option won't automatically enable given ports
 in firewall configuration.
 '';
From 13bbce96c3fefa68cb81f36e171512bf5c84fc31 Mon Sep 17 00:00:00 2001
From: Vladimir Still
Date: Tue, 2 Sep 2014 10:06:04 +0200
Subject: [PATCH 4/4] sshd: Fix typo in assetion.
---
 nixos/modules/services/networking/ssh/sshd.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 956c31a8ba3..379dec2e92c 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -420,7 +420,7 @@ in
 })
 ++ flip map cfg.listenAddresses ({ addr, port }: {
 assertion = addr != null;
- message = "addr must be spefied in each listenAddresses entry";
+ message = "addr must be specified in each listenAddresses entry";
 });
 
 };