nixos/ssh: expose StreamLocalBindUnlink sshd config option #48447
Conversation
Needed on the server side for forwarding GnuPG agent connections over ssh to behave properly.
| @@ -110,6 +110,15 @@ in | |||
| ''; | |||
| }; | |||
|
|
|||
| streamLocalBindUnlink = mkOption { | |||
| type = types.enum ["yes" "no"]; | |||
| default = "no"; | |||
There was a problem hiding this comment.
How about using types.bool instead
There are reasons for not always directly exposing all options. Exposing all options adds code bloat, takes maintenance, and will typically lag the options provided by the tool. Of course, adding them does allow for (additional) validation. |
|
Hmm. The internal motivation that led to this PR being offered was forwards compatibility: If I added the flag to my configuration using If it's not likely to ever be accepted, then that motivation goes away. |
|
On further consideration, I consider @FRidh's argument compelling, and am withdrawing this PR. |
Motivation for this change
This option is needed on the server side for forwarding GnuPG agent connections over ssh to behave properly. With the option in question set, the directions given in https://wiki.gnupg.org/AgentForwarding work properly when connecting from a SSH client (with a hardware keystore accessible to the local agent) to a NixOS-based server (performing operations which requires those keys).
While this could otherwise be manually enabled by users using
config.services.openssh.extraConfig, having high-utility functionality that depends on this flag being set to a non-default value argues in favor of exposing it directly.Things done
nixos-rebuild build-vm, and validatingssh -Twithin that guest.sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)nix path-info -Sbefore and after)