[Nix-dev] [PATCH] authorized_keys in users.extraUsers

Rickard Nilsson rickard.nilsson at telia.com
Tue Oct 18 00:40:22 CEST 2011


Hi,

On 2011-10-17 14:04:46, Nicolas Pierron
<nicolas.b.pierron at gmail.com> wrote:

> Hi,
>
> On Sun, Oct 16, 2011 at 21:28, Rickard Nilsson
> <rickard.nilsson at telia.com> wrote:
>> I've written a patch to users-groups.nix that allows me to specify the
>> contents of a user's ~/.ssh/authorized_keys file like this:
>>
>>  users.extraUsers = [
>>    { name = "myuser";
>>      description = "";
>>      group = "users";
>>      home = "/home/myuser";
>>      createHome = true;
>>      useDefaultShell = true;
>>      authorizedKeyFiles = [
>>        "/etc/secrets/someotheruser.id_dsa.pub"
>>      ];
>>    }
>>  ];
>>
>>
>> I can also specify keys directly with the authorizedKeys attribute,
>> instead of referring to files. If there are existing keys in
>> authorized_keys they will be left alone.
>>
>> Is this something that others find useful? Does it make sense to put it
>> in users.extraUsers, or is it too messy? Maybe there is a place for a more
>> general home.<username>.authorizedKeys configuration? What do you think?
>
> I think users.<name?>.authorizedKeys is a good place for configuring it.
> But I guess you did not put the modifications into sshd.nix
> expression.  So you will have to extend the users option from another
> module because the .ssh/authorized_keys is related to sshd.  (see
> loaOf/attrsOf in nixpkgs/pkgs/lib/types.nix) Upstart & filesystems are
> already doing such a thing.

I'm not sure I understand. Do you say that I should put the modification
into sshd.nix? It does sound reasonable to me, so I went ahead and tried
it, looking for inspiration in upstart and filesystems. However, how can
I extend the existing "users.*" configuration? I tried adding the
following to sshd.nix:

     users = mkOption {
       default = {};
       description = ''
       '';
       type = types.loaOf types.optionSet;
       options = [ usersOptions ];
     };

However, this made Nix complain about types. If I renamed "users" to
something that isn't already defined it worked fine though.


Best regards,
   Rickard Nilsson
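
The behaviour described in the quoted proposal (keys from the listed files are added, existing entries in authorized_keys are left alone) can be sketched in shell as follows. This is an added example, not the patch from this thread and not NixOS code; the function names, paths and placeholder key strings are constructed, and it assumes it runs as the account that owns the file.

```shell
#!/bin/sh
# merge_authorized_keys TARGET KEYFILE...
# Appends each key line from the KEYFILEs to TARGET unless that exact line is
# already present. Existing lines in TARGET are never rewritten or removed.
# Prints the number of keys added.
merge_authorized_keys() {
    target=$1; shift
    dir=$(dirname "$target")
    # sshd's StrictModes refuses key files or directories writable by others.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -e "$target" ] || : > "$target" || return 1
    chmod 600 "$target" || return 1
    added=0
    for f in "$@"; do
        [ -r "$f" ] || { echo "skipping unreadable key file: $f" >&2; continue; }
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in ''|'#'*) continue ;; esac
            # -F/-x: compare as a fixed whole line; base64 keys contain + and /.
            if ! grep -qxF -e "$line" "$target"; then
                # Do not glue the new key onto an unterminated last line.
                [ -z "$(tail -c1 "$target")" ] || echo >> "$target"
                printf '%s\n' "$line" >> "$target"
                added=$((added + 1))
            fi
        done < "$f"
    done
    echo "$added"
}

# Constructed demo: placeholder strings, not real keys.
demo() {
    tmp=$(mktemp -d) || return 1
    # Pre-existing entry, deliberately without a trailing newline.
    printf '%s' 'ssh-ed25519 AAAAexisting+key/0 admin@host' > "$tmp/ak"
    printf '%s\n' '# deploy keys' \
        'ssh-ed25519 AAAAexisting+key/0 admin@host' \
        'ssh-ed25519 AAAAnew+key/1 other@host' > "$tmp/other.pub"
    merge_authorized_keys "$tmp/ak" "$tmp/other.pub" "$tmp/missing.pub"
    merge_authorized_keys "$tmp/ak" "$tmp/other.pub"   # second run adds nothing
    wc -l < "$tmp/ak"
    rm -rf "$tmp"
}
```

Running `demo` shows that the merge is idempotent: the second call adds nothing and the pre-existing entry is untouched.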

