89ef5c979b
machine containing a replica (minus the state) of the system configuration. This is mostly useful for testing configuration changes prior to doing an actual "nixos-rebuild switch" (or even "nixos-rebuild test"). The VM can be started as follows: $ nixos-rebuild build-vm $ ./result/bin/run-*-vm which starts a KVM/QEMU instance. Additional QEMU options can be passed through the QEMU_OPTS environment variable (e.g. QEMU_OPTS="-redir tcp:8080::80" to forward a host port to the guest). The fileSystem attribute of the regular system configuration is ignored (using mkOverride), because obviously we can't allow the VM to access the host's block devices. Instead, at startup the VM creates an empty disk image in ./<hostname>.qcow2 to store the VM's root filesystem. Building a VM in this way is efficient because the VM shares its Nix store with the host (through a CIFS mount). However, because the Nix store of the host is mounted read-only in the guest, you cannot run Nix build actions inside the VM. Therefore the VM can only be reconfigured by re-running "nixos-rebuild build-vm" on the host and restarting the VM. svn path=/nixos/trunk/; revision=16662
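{pkgs, config, ...}:

# NixOS module for the OpenSSH daemon (services.sshd).  Declares the
# options, renders an sshd_config into the Nix store, creates the
# privilege-separation user, defines the sshd job and opens TCP/22.

let

  inherit (pkgs.lib) mkOption mkIf;

  inherit (pkgs) openssh;

  cfg = config.services.sshd;

  # Search path for the system's NSS modules; exported to sshd via
  # LD_LIBRARY_PATH below (presumably so glibc can resolve users/groups
  # through the configured NSS modules).
  nssModulesPath = config.system.nssModules.path;

  # PermitRootLogin accepts only these four keywords (sshd_config(5)).
  # Any other value would be copied verbatim into sshd_config and sshd
  # would refuse to start, so the value is checked at evaluation time
  # (see sshdConfig).  Previously this binding was computed but never
  # used, i.e. the check was dead code.
  assertion = cfg.permitRootLogin == "yes" ||
              cfg.permitRootLogin == "without-password" ||
              cfg.permitRootLogin == "forced-commands-only" ||
              cfg.permitRootLogin == "no";

  # Rendered sshd_config.  Note that gatewayPorts is passed through
  # unvalidated; sshd itself rejects unknown values at start-up.
  sshdConfig =
    if assertion then
      pkgs.writeText "sshd_config"
        ''
          Protocol 2

          UsePAM yes

          ${if cfg.forwardX11 then "
            X11Forwarding yes
            XAuthLocation ${pkgs.xlibs.xauth}/bin/xauth
          " else "
            X11Forwarding no
          "}

          ${if cfg.allowSFTP then "
            Subsystem sftp ${openssh}/libexec/sftp-server
          " else "
          "}

          PermitRootLogin ${cfg.permitRootLogin}
          GatewayPorts ${cfg.gatewayPorts}
        ''
    else
      abort "services.sshd.permitRootLogin must be one of yes, without-password, forced-commands-only or no (got \"${cfg.permitRootLogin}\")";

in

{

  ###### interface

  options = {

    services.sshd = {

      enable = mkOption {
        default = false;
        description = ''
          Whether to enable the Secure Shell daemon, which allows secure
          remote logins.
        '';
      };

      forwardX11 = mkOption {
        default = true;
        description = ''
          Whether to allow X11 connections to be forwarded.
        '';
      };

      allowSFTP = mkOption {
        default = true;
        description = ''
          Whether to enable the SFTP subsystem in the SSH daemon. This
          enables the use of commands such as <command>sftp</command> and
          <command>sshfs</command>.
        '';
      };

      # NOTE: the default "yes" also permits password-based root logins
      # over the network; "without-password" or "no" is the more
      # conservative setting.  Invalid values abort evaluation.
      permitRootLogin = mkOption {
        default = "yes";
        description = ''
          Whether the root user can login using ssh. Valid values are
          <literal>yes</literal>, <literal>without-password</literal>,
          <literal>forced-commands-only</literal> or
          <literal>no</literal>.
        '';
      };

      gatewayPorts = mkOption {
        default = "no";
        description = ''
          Specifies whether remote hosts are allowed to connect to
          ports forwarded for the client. See
          <citerefentry><refentrytitle>sshd_config</refentrytitle>
          <manvolnum>5</manvolnum></citerefentry>.
        '';
      };

    };

  };


  ###### implementation

  config = mkIf config.services.sshd.enable {

    # Unprivileged account used by sshd's privilege separation; it
    # needs no writable home directory.
    users.extraUsers = pkgs.lib.singleton
      { name = "sshd";
        uid = config.ids.uids.sshd;
        description = "SSH privilege separation user";
        home = "/var/empty";
      };

    jobs = pkgs.lib.singleton
      { name = "sshd";

        description = "OpenSSH server";

        startOn = "network-interfaces/started";
        stopOn = "network-interfaces/stop";

        environment = { LD_LIBRARY_PATH = nssModulesPath; };

        # Generate the host key on first start.  It is created without a
        # passphrase (-N "") because sshd must read it unattended.
        # Only a 1024-bit DSA key is generated and offered (see the -h
        # flag on the exec line); newer OpenSSH releases have deprecated
        # DSA host keys, so adding an RSA host key is advisable.
        preStart =
          ''
            mkdir -m 0755 -p /etc/ssh

            if ! test -f /etc/ssh/ssh_host_dsa_key; then
                ${openssh}/bin/ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ""
            fi
          '';

        # -D: stay in the foreground so the job supervisor can track it.
        # -f: use the store-rendered config instead of /etc/ssh/sshd_config.
        exec = "${openssh}/sbin/sshd -D -h /etc/ssh/ssh_host_dsa_key -f ${sshdConfig}";
      };

    # No Port directive is set in sshdConfig, so sshd listens on the
    # default port 22; open it in the firewall.
    networking.firewall.allowedTCPPorts = [22];

  };

}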