[Nix-dev] [PATCH] authorized_keys in users.extraUsers

Nicolas Pierron nicolas.b.pierron at gmail.com
Wed Oct 19 01:21:02 CEST 2011


Hi Rickard,

On Tue, Oct 18, 2011 at 00:40, Rickard Nilsson
<rickard.nilsson at telia.com> wrote:
> Hi,
>
> On 2011-10-17 14:04:46, Nicolas Pierron <nicolas.b.pierron at gmail.com> wrote:
>
>> Hi,
>>
>> On Sun, Oct 16, 2011 at 21:28, Rickard Nilsson
>> <rickard.nilsson at telia.com> wrote:
>>>
>>> I've written a patch to users-groups.nix that allows me to specify the
>>> contents of a user's ~/.ssh/authorized_keys file like this:
>>>
>>>  users.extraUsers = [
>>>   { name = "myuser";
>>>     description = "";
>>>     group = "users";
>>>     home = "/home/myuser";
>>>     createHome = true;
>>>     useDefaultShell = true;
>>>     authorizedKeyFiles = [
>>>       "/etc/secrets/someotheruser.id_dsa.pub"
>>>     ];
>>>   }
>>>  ];
>>>
>>>
>>> I can also specify keys directly with the authorizedKeys attribute,
>>> instead of referring to files. If there are existing keys in
>>> authorized_keys they will be left alone.
>>>
>>> Is this something that others find useful? Does it make sense to put it
>>> in users.extraUsers, or is it too messy? Maybe there is a place for a more
>>> general home.<username>.authorizedKeys configuration? What do you think?
>>
>> I think users.<name?>.authorizedKeys is a good place for configuring it.
>>  But I guess you did not put the modifications into sshd.nix
>> expression.  So you will have to extend the users option from another
>> module because the .ssh/authorized_keys is related to sshd.  (see
>> loaOf/attrsOf in nixpkgs/pkgs/lib/types.nix) Upstart & filesystems are
>> already doing such a thing.
>
> I'm not sure I understand. Do you say that I should put the modification
> into sshd.nix? It does sound reasonable to me, so I went ahead and tried
> it, looking for inspiration in upstart and filesystems. However, how can
> I extend the existing "users.*" configuration? I tried adding the
> following to sshd.nix:

This is the way to proceed; maybe the error messages are not
extremely explicit about the corner cases.  Not many users end up
working with such (nice) features of the NixOS module system.  I am
happy to see that you are going the right way with a few examples
:)

>    users = mkOption {
>      default = {};
>      description = ''
>      '';
>      type = types.loaOf types.optionSet;
>      options = [ usersOptions ];
>    };
>
> However, this made Nix complain about types. If I renamed "users" to
> something that isn't already defined it worked fine though.

You should not redefine the type, default and the description.  Such
things are only accepted once per option declarations.

The following should work; any changes of the type should be done in
the original declaration.

   users = mkOption {
     options = [ usersOptions ];
   };


-- 
Nicolas Pierron
http://www.linkedin.com/in/nicolasbpierron - http://nbp.name/
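
The append-only behaviour described in the quoted proposal (existing keys in authorized_keys are left alone), as an added Python example that is not part of the original thread or the patch. It deduplicates on key type and key material rather than on the whole line, so differing comments or options do not produce duplicates; the function names and the list of key types are assumptions.

```python
import os
import tempfile

# Key-type prefixes recognised by this sketch (assumption: not an exhaustive list).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def split_fields(line):
    """Split on whitespace, except inside double-quoted option values."""
    fields, cur, quoted, prev = [], "", False, ""
    for ch in line.strip():
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                fields.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return fields + ([cur] if cur else [])

def key_identity(line):
    """Return (type, blob) of an authorized_keys line; None for blanks/comments/garbage."""
    if line.lstrip().startswith("#"):
        return None
    fields = split_fields(line)
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):
            return (field, fields[i + 1])
    return None

def merge_authorized_keys(path, managed_keys):
    """Append managed keys not already present; return the lines that were added."""
    try:
        with open(path) as fh:
            existing = fh.read().splitlines()
    except FileNotFoundError:
        existing = []
    seen = {key_identity(l) for l in existing} - {None}
    added = []
    for key in managed_keys:
        ident = key_identity(key)
        if ident is None:
            raise ValueError("not a public key line: %r" % key)
        if ident not in seen:
            seen.add(ident)
            added.append(key.strip())
    if added:
        os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))  # mkstemp creates the file 0600
        with os.fdopen(fd, "w") as fh:
            fh.write("\n".join(existing + added) + "\n")
        os.replace(tmp, path)  # atomic swap; chown to the account is left to the caller
    return added
```

When run as root, the rewritten file is owned by root until the caller hands it back to the account, which matters because sshd's StrictModes checks ownership and permissions of this file.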

