diff --git a/system/options.nix b/system/options.nix
index 97b53917f24..6018128459e 100644
--- a/system/options.nix
+++ b/system/options.nix
@@ -480,50 +480,6 @@ in
};
- sshd = {
-
- enable = mkOption {
- default = false;
- description = "
- Whether to enable the Secure Shell daemon, which allows secure
- remote logins.
- ";
- };
-
- forwardX11 = mkOption {
- default = true;
- description = "
- Whether to enable sshd to forward X11 connections.
- ";
- };
-
- allowSFTP = mkOption {
- default = true;
- description = "
- Whether to enable the SFTP subsystem in the SSH daemon. This
- enables the use of commands such as sftp and
- sshfs.
- ";
- };
-
- permitRootLogin = mkOption {
- default = "yes";
- description = "
- Whether the root user can login using ssh. Valid options
- are yes, without-password,
- forced-commands-only or
- no
- ";
- };
-
- gatewayPorts = mkOption {
- default = "no";
- description = "
- Specifies whether remote hosts are allowed to connect to ports forwarded for the client. See man sshd_conf.
- ";
- };
- };
-
lshd = {
enable = mkOption {
@@ -1699,6 +1655,7 @@ in
(import ../upstart-jobs/gw6c.nix) # Gateway6
(import ../upstart-jobs/syslogd.nix)
(import ../upstart-jobs/dhcpd.nix)
+ (import ../upstart-jobs/sshd.nix)
# nix
(import ../upstart-jobs/nix.nix) # nix options and daemon
diff --git a/upstart-jobs/default.nix b/upstart-jobs/default.nix
index 043e82d1c44..f2f48d0e282 100644
--- a/upstart-jobs/default.nix
+++ b/upstart-jobs/default.nix
@@ -141,15 +141,6 @@ let
inherit config;
})
- # SSH daemon.
- ++ optional config.services.sshd.enable
- (import ../upstart-jobs/sshd.nix {
- inherit (pkgs) writeText openssh glibc;
- inherit (pkgs.xorg) xauth;
- inherit nssModulesPath;
- inherit (config.services.sshd) forwardX11 allowSFTP permitRootLogin gatewayPorts;
- })
-
# GNU lshd SSH2 deamon.
++ optional config.services.lshd.enable
(import ../upstart-jobs/lshd.nix {
diff --git a/upstart-jobs/sshd.nix b/upstart-jobs/sshd.nix
index e9b916e81d3..a0764d1177c 100644
--- a/upstart-jobs/sshd.nix
+++ b/upstart-jobs/sshd.nix
@@ -1,14 +1,66 @@
-{ writeText, openssh, glibc, xauth
-, nssModulesPath
-, forwardX11, allowSFTP, permitRootLogin, gatewayPorts
-}:
+{pkgs, config, ...}:
-assert permitRootLogin == "yes" ||
- permitRootLogin == "without-password" ||
- permitRootLogin == "forced-commands-only" ||
- permitRootLogin == "no";
-
+###### interface
let
+ inherit (pkgs.lib) mkOption mkIf;
+
+ options = {
+ services = {
+ sshd = {
+
+ enable = mkOption {
+ default = false;
+ description = "
+ Whether to enable the Secure Shell daemon, which allows secure
+ remote logins.
+ ";
+ };
+
+ forwardX11 = mkOption {
+ default = true;
+ description = "
+ Whether to enable sshd to forward X11 connections.
+ ";
+ };
+
+ allowSFTP = mkOption {
+ default = true;
+ description = "
+ Whether to enable the SFTP subsystem in the SSH daemon. This
+ enables the use of commands such as sftp and
+ sshfs.
+ ";
+ };
+
+ permitRootLogin = mkOption {
+ default = "yes";
+ description = "
+ Whether the root user can login using ssh. Valid options
+ are yes, without-password,
+ forced-commands-only or
+ no
+ ";
+ };
+
+ gatewayPorts = mkOption {
+ default = "no";
+ description = "
+ Specifies whether remote hosts are allowed to connect to ports forwarded for the client. See man sshd_conf.
+ ";
+ };
+ };
+ };
+ };
+
+###### implementation
+
+ inherit (pkgs) writeText openssh;
+
+ cfg = (config.services.sshd);
+
+ nssModules = config.system.nssModules.list;
+
+ nssModulesPath = config.system.nssModules.path;
sshdConfig = writeText "sshd_config" ''
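Review bot: The new binding `nssModules = config.system.nssModules.list;` is not referenced anywhere in the visible hunks (the job only uses `nssModulesPath` for `LD_LIBRARY_PATH`), so it should be dropped or given a reason to exist; the `let` block continues past this hunk, so this is subject to the rest of the file not using it. The parentheses in `cfg = (config.services.sshd);` are also unnecessary and read as if a cast were intended; `cfg = config.services.sshd;` is the conventional form. A short comment on the `options` block would help readers who come from system/options.nix, e.g. `# Options moved here from system/options.nix; this file is both the interface and the upstart job.`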
@@ -16,55 +68,68 @@ let
UsePAM yes
- ${if forwardX11 then "
+ ${if cfg.forwardX11 then "
X11Forwarding yes
- XAuthLocation ${xauth}/bin/xauth
+ XAuthLocation ${pkgs.xlibs.xauth}/bin/xauth
" else "
X11Forwarding no
"}
- ${if allowSFTP then "
+ ${if cfg.allowSFTP then "
Subsystem sftp ${openssh}/libexec/sftp-server
" else "
"}
- PermitRootLogin ${permitRootLogin}
- GatewayPorts ${gatewayPorts}
+ PermitRootLogin ${cfg.permitRootLogin}
+ GatewayPorts ${cfg.gatewayPorts}
'';
sshdUid = (import ../system/ids.nix).uids.sshd;
+ assertion = cfg.permitRootLogin == "yes" ||
+ cfg.permitRootLogin == "without-password" ||
+ cfg.permitRootLogin == "forced-commands-only" ||
+ cfg.permitRootLogin == "no";
+
in
-{
- name = "sshd";
- users = [
- { name = "sshd";
- uid = (import ../system/ids.nix).uids.sshd;
- description = "SSH privilege separation user";
- home = "/var/empty";
- }
+mkIf config.services.sshd.enable {
+ require = [
+ options
];
-
- job = ''
- description "SSH server"
- start on network-interfaces/started
- stop on network-interfaces/stop
+ services = {
+ extraJobs = [{
+ name = "sshd";
- env LD_LIBRARY_PATH=${nssModulesPath}
+ users = [
+ { name = "sshd";
+ uid = (import ../system/ids.nix).uids.sshd;
+ description = "SSH privilege separation user";
+ home = "/var/empty";
+ }
+ ];
+
+ job = ''
+ description "SSH server"
- start script
- mkdir -m 0755 -p /etc/ssh
+ start on network-interfaces/started
+ stop on network-interfaces/stop
- if ! test -f /etc/ssh/ssh_host_dsa_key; then
- ${openssh}/bin/ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ""
- fi
- end script
+ env LD_LIBRARY_PATH=${nssModulesPath}
- respawn ${openssh}/sbin/sshd -D -h /etc/ssh/ssh_host_dsa_key -f ${sshdConfig}
- '';
-
+ start script
+ mkdir -m 0755 -p /etc/ssh
+
+ if ! test -f /etc/ssh/ssh_host_dsa_key; then
+ ${openssh}/bin/ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ""
+ fi
+ end script
+
+ respawn ${openssh}/sbin/sshd -D -h /etc/ssh/ssh_host_dsa_key -f ${sshdConfig}
+ '';
+ }];
+ };
}
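Review bot: The `assertion` binding added in the `let` (the four `cfg.permitRootLogin == …` comparisons) is never evaluated, so the validation of `permitRootLogin` that the removed top-level `assert` performed is silently lost: a typo such as `"without_password"` is now written straight into `sshd_config` instead of failing evaluation. Nix `let` bindings are lazy, so naming the expression `assertion` has no effect on its own; it must be asserted before the result is produced, e.g. change the two lines after `let` to `in` / `assert assertion;` / `mkIf config.services.sshd.enable {` (or inline the condition in the `assert`). Keeping the check in front of `mkIf` preserves the old behaviour of rejecting an unsupported value at evaluation time rather than at sshd start-up.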