nixos/ssh: add crypto options #41798
Conversation
|
Is there a nice benefit to using the structured form here, compared to the extraConfig? |
|
It seems to me that it looks better. Also, the user can see the description here https://nixos.org/nixos/options.html#programs.ssh. and apply it in your config |
|
👍 on crypto options (since ssh is about crypto), I would even go as far as to turn all the crypto stuff we hardcode now into options.
👎 on everything else (bloat, `man ssh` has a ton more useful options, should we add them too?).
While I agree that those `TCPKeepAlive` and etc options are nice, if I were you I would add them and maybe others as examples to `extraConfig` option instead.
Also, I feel like the usual convention on defaults with values that are not to be overridden by nix is to set them to `null`s not to valid values of the target type like `[]` and `3`.
Also, links between options should use "<option>" tag, not "see below". Options can be sorted pretty arbitrarily in the manual.
|
|
@oxij variant with kexAlgorithms set to null not worked, error - |
|
type error
The type needs to be `types.nullOr (types.listOf types.str)` for that.
I don't plan ...
But what is your criteria for adding something from `man ssh` to the nixos module? Usefulness at this moment?
NixOS is a fairly paranoid distro so we have a lot of crypto options already and adding some more wouldn't be out of style (and unhardcoding hardcoded ones would even be useful).
On the other hand, adding service bloat for some arbitrary set of options feels counterproductive to me.
I feel like what you really want here is pieces of `man ssh` documentation in `man configuration.nix` (aka Ted Nelson's Xanadu-style hypertext) which, indeed, is very useful. What is needed here is another generic hypertext mechanism like `relatedPackages`, not copy-paste bloat.
|
Izorkin
force-pushed
the
ssh-custom
branch
3 times, most recently
from
d721e44
to
8d79b0b
Compare
Honest question: what are ever the criteria? Is there a guideline? It seems like every module in the whole OS is subject to an arbitrary decision on how much of the configuration space to support "properly". Most modules of significant complexity seem not to support it all. I've always seen deferring of module options to an What are the downsides? Worry about maintenance? Or does it bog down Hydra or something too? |
|
policy
I'm not aware of any official policy, but I usually try to do this:
- things that don't have default values get their options,
- things overridden from their defaults by NixOS get options,
- nothing else gets an option unless it is used in generation from a
declarative configuration in some way or is hard to specify with `extraConfig`.
downsides
- Code bloat (KISS!).
- Maintenance of sync of descriptions between the mans of tool(section) and configuration.nix(5).
- Maintenance of default values overridden by the thing.
- Longer configuration.nix(5) manual, longer build system times.
Let me remind you that if you really want those options there in the manual you can define them and generate `extraConfig` from them and `ssh.enable` in _any_ nix file required from your configuration. I.e. you don't need to push those changes into NixOS core to use them. Personally, I do that a lot.
|
Izorkin
force-pushed
the
ssh-custom
branch
2 times, most recently
from
4e3b5bd
to
8791dab
Compare
|
If you write a script which translates sshd options into NixOS options, I think that would be something more people would welcome (at least, I would), but just adding code duplication (the ssh people already wrote that code) doesn't solve anything. It's not as if NixOS would continue to support module options if the underlying tool would have removed it. As such for options for which NixOS cannot guarantee its continued support, manually created options don't make sense. |
|
@Izorkin considering a few of these options have been implemented now and it seems unlikely the others will can we close this PR? |
|
@aanderse, which options have been implemented? I've checked the code, and I don't see any changes to implement the options. |
|
@Izorkin |
|
This optins in openssh server. Such options are available for the openssh client. |
|
@aanderse this variant normall? |
|
I'm not sure if @oxij just meant |
|
preferredAuthentications removed. |
|
This pull request has been mentioned on Nix community. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review-may-2019/3032/15 |
|
Example ssh config after this PR: |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
There was a problem hiding this comment.
diff LGTM
brings client ssh into feature parity with the openssh daemon
cc @infinisil for final look-over
Motivation for this change
Add custom options - PreferredAuthentications, KexAlgorithms, Ciphers, MACs.
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)This change is