From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp12.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id MGK3JNvHpGIVUwAAbAwnHQ (envelope-from ) for ; Sat, 11 Jun 2022 18:50:35 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp12.migadu.com with LMTPS id OPKDJNvHpGL9XAEAauVa8A (envelope-from ) for ; Sat, 11 Jun 2022 18:50:35 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 8C2428A71 for ; Sat, 11 Jun 2022 18:50:34 +0200 (CEST) Received: from localhost ([::1]:41910 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1o04Jl-00006A-8Z for larch@yhetil.org; Sat, 11 Jun 2022 12:50:33 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:42488) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1o04JG-00004z-N0 for guix-patches@gnu.org; Sat, 11 Jun 2022 12:50:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:59914) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1o04JG-0005C3-DB for guix-patches@gnu.org; Sat, 11 Jun 2022 12:50:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1o04JG-00017D-An for guix-patches@gnu.org; Sat, 11 Jun 2022 12:50:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#55912] [PATCH] home: Add OpenSSH service. Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sat, 11 Jun 2022 16:50:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 55912 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 55912@debbugs.gnu.org Cc: Ludovic =?UTF-8?Q?Court=C3=A8s?= X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.16549661924265 (code B ref -1); Sat, 11 Jun 2022 16:50:02 +0000 Received: (at submit) by debbugs.gnu.org; 11 Jun 2022 16:49:52 +0000 Received: from localhost ([127.0.0.1]:53811 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1o04J0-00016c-Sj for submit@debbugs.gnu.org; Sat, 11 Jun 2022 12:49:52 -0400 Received: from lists.gnu.org ([209.51.188.17]:49200) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1o04Iy-00016U-1Y for submit@debbugs.gnu.org; Sat, 11 Jun 2022 12:49:45 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:42440) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1o04Ix-0008Oo-Ji for guix-patches@gnu.org; Sat, 11 Jun 2022 12:49:43 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:58464) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1o04Ix-0005Am-B9; Sat, 11 Jun 2022 12:49:43 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:Date:Subject:To:From:in-reply-to: references; bh=FhnJw00ruLaV2bU8zamM1yICBHZw/fHEJXIoATzMORA=; b=e+Aygpl0lzXv6W Bn5jd44usdbKjLaIqEP32yZOq5Ml1053C15NfpiPvEhCv0uuZ1ZUnMMq6JRAnQj8DpOE0fN7DxrgE kKZuEbZQmpp5ChS53aVLFQIdRiFlDF0E44MJgMepD3iNjhm8aTZP5JWtumQviBJrD58R7YAoDkVRf DZAP5YvMbJ7+gPvBV+KymB5m9P6pvWFcfTBZkLGHxX+tuzuVqSdWFK7DWEN66ccfKKqzDZGYly9tf GWT1yuuq7a1v2I343DlcVpy2iEHb1HZAn9nk15QRmg3xR8xbiI11r0jNFRg42qXaWPbEKDS2LigE+ wak1T+gYcteWQUlxLbGQ==; Received: from 91-160-117-201.subs.proxad.net ([91.160.117.201]:55639 helo=gnu.org) by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1o04Iu-0002Fc-VK; Sat, 11 Jun 2022 12:49:42 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Date: Sat, 11 Jun 2022 18:49:31 +0200 Message-Id: <20220611164931.21953-1-ludo@gnu.org> X-Mailer: git-send-email 2.36.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Migadu-Flow: FLOW_IN X-Migadu-To: larch@yhetil.org X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1654966235; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=FhnJw00ruLaV2bU8zamM1yICBHZw/fHEJXIoATzMORA=; b=XDVilurLDZdMsgBjvm+YjbBIzlrC7ksvjOVYT5rXQR5gLo+44kyfki6o2yn1C3IsUZHCEl B19yhfnQWemWk5Gvsu1hDfImGUmDkoICrYJE4pS6h1ral2Zlew3gX1lwqjnI/uBtIuecN7 VZCQFZ15KuadKRRJBTURrjyn2sRY6cKxol9QW8HUb7sAm4VssPaInGu/R9D5NLDDCApEkC aa5sJUTs5OHs4nas9OG42DKDx7xE98aRMSRXzNvUYyqSGAsMTpUv1Jy3eVFnvJd1qrGbYm Hthfd3iMoKYZ58bCR45svpfQrESfJnx88sHvzVxYnFnVkb4Rgzur5Uyr0+k2TQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1654966235; a=rsa-sha256; cv=none; b=OFoQYfSNPLcnmv+hWxqlBEPDCJE7qpfOct/eOmNP8C/PnMpEuYH6/THp56kiL5hPdfwp6Z dfeGeXvIb7vtaIE3zDWjyhHZzbTryY3Su5hqmXTdJ8bU2Z5cWPDYgbUtER1BH2Z49XTs+9 51xN68uzc4vou9xa4QX1bYfheJd8bluIALr8KVSkyRIh+6ASLkSQTuBM30Dfb2w3iCXxkC eHhF1GDlwAuRXU7kgcmVuDOsnFR0ZyTWQdJmNG8I21D/rQx18JViltc+oSVVbkIk+0ChrN Wp44Lfz2W09ZhaZjv04jeJIQ2AVLeBok7K5TFTeu6fUoXDBvQ3yfZKugeJbQ8Q== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gnu.org header.s=fencepost-gnu-org header.b=e+Aygpl0; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -1.68 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gnu.org header.s=fencepost-gnu-org header.b=e+Aygpl0; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: 8C2428A71 X-Spam-Score: -1.68 X-Migadu-Scanner: scn0.migadu.com X-TUID: f4eCpl8+tJSE * gnu/home/services/ssh.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. * po/guix/POTFILES.in: Add it. * doc/guix.texi (Secure Shell): New section. --- doc/guix.texi | 183 +++++++++++++++++++++++++++- gnu/home/services/ssh.scm | 250 ++++++++++++++++++++++++++++++++++++++ gnu/local.mk | 1 + po/guix/POTFILES.in | 1 + 4 files changed, 434 insertions(+), 1 deletion(-) create mode 100644 gnu/home/services/ssh.scm Hi! Here’s an OpenSSH Home service, loosely inspired by what Julien had implemented at: https://framagit.org/tyreunom/guix-home-manager/-/blob/master/home/ssh.scm One thing I wasn’t sure about was how to handle ~/.ssh/known_hosts. To lower the barrier to entry, I added an option to keep handling it in a stateful way (with ‘ssh’ updating the file as it sees fit), and I made that the default. I toyed with other approaches. In particular, just like Julien’s module had , I tried doing that and going further so one could write: (openssh-host-key ssh-rsa "AAAAE2VjZHNhLX…") and arrange so that (1) the host key algorithm is validated (a typo would be reported at macro-expansion time), and (2) the string is base64-decoded, similar to what is done for origins. But then, while this is perhaps The Right Thing, I though it could be too inconvenient to use: users would have to convert what ‘ssh’ gives them into this format. Sure, that’d give them data validation in return, but that’s probably too little for too high a cost. So I sticked to something simpler that allows users to pass files as-is in ‘known-hosts’ and ‘authorized-keys’ (note that ‘authorized-keys’ in also works that way, so it’s consistent). Thoughts? Thanks, Ludo’. diff --git a/doc/guix.texi b/doc/guix.texi index ea133d519a..831b8fa7c0 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -38899,6 +38899,7 @@ services)}. * Shells: Shells Home Services. POSIX shells, Bash, Zsh. * Mcron: Mcron Home Service. Scheduled User's Job Execution. * Shepherd: Shepherd Home Service. Managing User's Daemons. +* SSH: Secure Shell. Setting up the secure shell client. * Desktop: Desktop Home Services. Services for graphical environments. @end menu @c In addition to that Home Services can provide @@ -39219,7 +39220,7 @@ GNU@tie{}mcron, a daemon to run jobs at scheduled times (@pxref{Top,,, mcron, GNU@tie{}mcron}). The information about system's mcron is applicable here (@pxref{Scheduled Job Execution}), the only difference for home services is that they have to be declared in a -@code{home-envirnoment} record instead of an @code{operating-system} +@code{home-environment} record instead of an @code{operating-system} record. @defvr {Scheme Variable} home-mcron-service-type @@ -39287,6 +39288,186 @@ mechanism instead (@pxref{Shepherd Services}). @end table @end deftp +@node Secure Shell +@subsection Secure Shell + +@cindex secure shell client, configuration +@cindex SSH client, configuration +The @uref{https://www.openssh.com, OpenSSH package} includes a client, +the @command{ssh} command, that allows you to connect to remote machines +using the @acronym{SSH, secure shell} protocol. With the @code{(gnu +home services ssh)} module, you can set up OpenSSH so that it works in a +predictable fashion, almost independently of state on the local machine. +To do that, you instantiate @code{home-openssh-service-type} in your +Home configuration, as explained below. + +@defvr {Scheme Variable} home-openssh-service-type +This is the type of the service to set up the OpenSSH client. It takes +care of several things: + +@itemize +@item +adding the @code{openssh} package to your profile so the @command{ssh} +command is readily available; + +@item +providing a @file{~/.ssh/config} file based on your configuration so +that @command{ssh} knows about hosts you regularly connect to and their +associated parameters; + +@item +providing a @file{~/.ssh/authorized_keys}, which lists public keys that +the local SSH server, @command{sshd}, may accept to connect to this user +account; + +@item +optionally providing a @file{~/.ssh/known_hosts} file so that @file{ssh} +can authenticate hosts you connect to. +@end itemize + +Here is a sample configuration you could add to the @code{services} +field of your @code{home-environment}: + +@lisp +(home-openssh-configuration + (hosts (list (openssh-host (name "ci.guix.gnu.org") + (user "charlie")) + (openssh-host (name "chbouib") + (host-name "chbouib.example.org") + (user "supercharlie") + (port 10022)))) + (authorized-keys (list (local-file "alice.pub")))) +@end lisp + +The example above lists two hosts and their parameters. For instance, +running @command{ssh chbouib} will automatically connect to +@code{chbouib.example.org} on port 10022, logging in as user +@samp{supercharlie}. Further, it marks the public key in +@file{alice.pub} as authorized for incoming connections. + +The value associated with a @code{home-openssh-service-type} instance +must be a @code{home-openssh-configuration} record, as describe below. +@end defvr + +@deftp {Data Type} home-openssh-configuration +This is the datatype representing the OpenSSH client and server +configuration in one's home environment. It contains the following +fields: + +@table @asis +@item @code{openssh} (default: @code{openssh}) +The OpenSSH package to add to the environment's profile. + +@item @code{hosts} (default: @code{'()}) +A list of @code{openssh-host} records specifying host names and +associated connection parameters (see below). This host list goes into +@file{~/.ssh/config}, which @command{ssh} reads at startup. + +@item @code{known-hosts} (default: @code{*unspecified*}) +This must be either: + +@itemize +@item +@code{*unspecified*}, in which case @code{home-openssh-service-type} +leaves it up to @command{ssh} and to the user to maintain the list of +known hosts at @file{~/.ssh/known_hosts}, or + +@item +a list of file-like objects, in which case those are concatenated and +emitted as @file{~/.ssh/known_hosts}. +@end itemize + +The @file{~/.ssh/known_hosts} contains a list of host name/host key +pairs that allow @command{ssh} to authenticate hosts you connect to and +to detect possible impersonation attacks. By default, @command{ssh} +updates it in a @dfn{TOFU, trust-on-first-use} fashion, meaning that it +records the host's key in that file the first time you connect to it. +This behavior is preserved when @code{known-hosts} is set to +@code{*unspecified*}. + +If you instead provide a list of host keys upfront in the +@code{known-hosts} field, your configuration becomes self-contained and +stateless: it can be replicated elsewhere or at another point in time. +Preparing this list can be relatively tedious though, which is why +@code{*unspecified*} is kept as a default. + +@item @code{authorized-keys} (default: @code{'()}) +This must be a list of file-like objects, each of which containing an +SSH public key that should be authorized to connect to this machine. + +Concretely, these files are concatenated and made available as +@file{~/.ssh/authorized_keys}. If an OpenSSH server, @command{sshd}, is +running on this machine, then it @emph{may} take this file into account: +this is what @command{sshd} does by default, but be aware that it can +also be configured to ignore it. +@end table +@end deftp + +@c %start of fragment + +@deftp {Data Type} openssh-host +Available @code{openssh-host} fields are: + +@table @asis +@item @code{name} (type: string) +Name of this host declaration. + +@item @code{host-name} (default: @code{disabled}) (type: maybe-string) +Host name---e.g., @code{"foo.example.org"} or @code{"192.168.1.2"}. + +@item @code{address-family} (type: address-family) +Address family to use when connecting to this host: one of +@code{AF_INET} (for IPv4 only), @code{AF_INET6} (for IPv6 only), or +@code{*unspecified*} (allowing any address family). + +@item @code{identity-file} (default: @code{disabled}) (type: maybe-string) +The identity file to use---e.g., @code{"/home/charlie/.ssh/id_ed25519"}. + +@item @code{port} (default: @code{disabled}) (type: maybe-integer) +TCP port number to connect to. + +@item @code{user} (default: @code{disabled}) (type: maybe-string) +User name on the remote host. + +@item @code{forward-x11?} (default: @code{#f}) (type: boolean) +Whether to forward remote client connections to the local X11 graphical +display. + +@item @code{forward-x11-trusted?} (default: @code{#f}) (type: boolean) +Whether remote X11 clients have full access to the original X11 +graphical display. + +@item @code{forward-agent?} (default: @code{#f}) (type: boolean) +Whether the authentication agent (if any) is forwarded to the remote +machine. + +@item @code{compression?} (default: @code{#f}) (type: boolean) +Whether to compress data in transit. + +@item @code{proxy-command} (default: @code{disabled}) (type: maybe-string) +The command to use to connect to the server. As an example, a command +to connect via an HTTP proxy at 192.0.2.0 would be: @code{"nc -X connect +-x 192.0.2.0:8080 %h %p"}. + +@item @code{host-key-algorithms} (default: @code{disabled}) (type: maybe-string-list) +The list of accepted host key algorithms---e.g., +@code{'("ssh-ed25519")}. + +@item @code{accepted-key-types} (default: @code{disabled}) (type: maybe-string-list) +The list of accepted user public key types. + +@item @code{extra-content} (default: @code{""}) (type: raw-configuration-string) +Extra content appended as-is to this @code{Host} block in +@file{~/.ssh/config}. + +@end table + +@end deftp + + +@c %end of fragment + + @node Desktop Home Services @subsection Desktop Home Services diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm new file mode 100644 index 0000000000..162d7df960 --- /dev/null +++ b/gnu/home/services/ssh.scm @@ -0,0 +1,250 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2022 Ludovic Courtès +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu home services ssh) + #:use-module (guix gexp) + #:use-module (guix records) + #:use-module (guix diagnostics) + #:use-module (guix i18n) + #:use-module (gnu services) + #:use-module (gnu services configuration) + #:use-module (guix modules) + #:use-module (gnu home services) + #:use-module ((gnu home services utils) + #:select (object->camel-case-string)) + #:autoload (gnu packages ssh) (openssh) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-34) + #:use-module (ice-9 match) + #:export (home-openssh-configuration + home-openssh-configuration-authorized-keys + home-openssh-configuration-known-hosts + home-openssh-configuration-hosts + + openssh-host + openssh-host-host-name + openssh-host-identity-file + openssh-host-name + openssh-host-port + openssh-host-user + openssh-host-forward-x11? + openssh-host-forward-x11-trusted? + openssh-host-forward-agent? + openssh-host-compression? + openssh-host-proxy-command + openssh-host-host-key-algorithms + openssh-host-accepted-key-types + openssh-host-extra-content + + home-openssh-service-type)) + +(define (serialize-field-name name) + (match name + ('accepted-key-types "PubkeyAcceptedKeyTypes") + (_ + (let ((name (let ((str (symbol->string name))) + (if (string-suffix? "?" str) + (string->symbol (string-drop-right str 1)) + name)))) + (object->camel-case-string name 'upper))))) + +(define (serialize-string field value) + (string-append " " (serialize-field-name field) + " " value "\n")) + +(define (address-family? obj) + (memv obj (list *unspecified* AF_INET AF_INET6))) + +(define (serialize-address-family field family) + (if (unspecified? family) + "" + (string-append " " (serialize-field-name field) " " + (cond ((= family AF_INET) "inet") + ((= family AF_INET6) "inet6") + (else + (raise + (formatted-message + (G_ "~s: unsupported address family") + family)))) + "\n"))) + +(define (serialize-integer field value) + (string-append " " (serialize-field-name field) " " + (number->string value) "\n")) + +(define (serialize-boolean field value) + (string-append " " (serialize-field-name field) " " + (if value "yes" "no") "\n")) + +(define-maybe string) +(define-maybe integer) + +(define (serialize-raw-configuration-string field value) + (string-append value "\n")) +(define raw-configuration-string? string?) + +(define (string-list? lst) + (and (pair? lst) (every string? lst))) +(define (serialize-string-list field lst) + (string-append " " (serialize-field-name field) " " + (string-join lst ",") "\n")) + +(define-maybe string-list) + +(define-configuration openssh-host + (name + (string) + "Name of this host declaration.") + (host-name + (maybe-string 'disabled) + "Host name---e.g., @code{\"foo.example.org\"} or @code{\"192.168.1.2\"}.") + (address-family + (address-family *unspecified*) + "Address family to use when connecting to this host: one of +@code{AF_INET} (for IPv4 only), @code{AF_INET6} (for IPv6 only), or +@code{*unspecified*} (allowing any address family).") + (identity-file + (maybe-string 'disabled) + "The identity file to use---e.g., +@code{\"/home/charlie/.ssh/id_ed25519\"}.") + (port + (maybe-integer 'disabled) + "TCP port number to connect to.") + (user + (maybe-string 'disabled) + "User name on the remote host.") + (forward-x11? + (boolean #f) + "Whether to forward remote client connections to the local X11 graphical +display.") + (forward-x11-trusted? + (boolean #f) + "Whether remote X11 clients have full access to the original X11 graphical +display.") + (forward-agent? + (boolean #f) + "Whether the authentication agent (if any) is forwarded to the remote +machine.") + (compression? + (boolean #f) + "Whether to compress data in transit.") + (proxy-command + (maybe-string 'disabled) + "The command to use to connect to the server. As an example, a command +to connect via an HTTP proxy at 192.0.2.0 would be: @code{\"nc -X +connect -x 192.0.2.0:8080 %h %p\"}.") + (host-key-algorithms + (maybe-string-list 'disabled) + "The list of accepted host key algorithms---e.g., +@code{'(\"ssh-ed25519\")}.") + (accepted-key-types + (maybe-string-list 'disabled) + "The list of accepted user public key types.") + (extra-content + (raw-configuration-string "") + "Extra content appended as-is to this @code{Host} block in +@file{~/.ssh/config}.")) + +(define (serialize-openssh-host config) + (define (openssh-host-name-field? field) + (eq? (configuration-field-name field) 'name)) + + (string-append + "Host " (openssh-host-name config) "\n" + (string-concatenate + (map (lambda (field) + ((configuration-field-serializer field) + (configuration-field-name field) + ((configuration-field-getter field) config))) + (remove openssh-host-name-field? + openssh-host-fields))))) + +(define-record-type* + home-openssh-configuration make-home-openssh-configuration + home-openssh-configuration? + (openssh home-openssh-configuration-openssh ;file-like + (default openssh)) + (authorized-keys home-openssh-configuration-authorized-keys ;list of file-like + (default '())) + (known-hosts home-openssh-configuration-known-hosts ;unspec | list of file-like + (default *unspecified*)) + (hosts home-openssh-configuration-hosts ;list of + (default '()))) + +(define (openssh-configuration->string config) + (string-join (map serialize-openssh-host + (home-openssh-configuration-hosts config)) + "\n")) + +(define* (file-join name files #:optional (delimiter " ")) + "Return a file in the store called @var{name} that is the concatenation +of all the file-like objects listed in @var{files}, with @var{delimited} +inserted after each of them." + (computed-file name + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (call-with-output-file #$output + (lambda (output) + (for-each (lambda (file) + (call-with-input-file file + (lambda (input) + (dump-port input output))) + (display #$delimiter output)) + '#$files))))))) + +(define (openssh-configuration-files config) + (let ((config (plain-file "config" (openssh-configuration->string config))) + (known-hosts (home-openssh-configuration-known-hosts config)) + (authorized-keys (file-join + "authorized_keys" + (home-openssh-configuration-authorized-keys config) + "\n"))) + `((".ssh/authorized_keys" ,authorized-keys) + ,@(if (unspecified? known-hosts) + '() + `((".ssh/known_hosts" + ,(file-join "known_hosts" known-hosts "\n")))) + (".ssh/config" ,config)))) + +(define openssh-activation + (with-imported-modules (source-module-closure + '((gnu build activation))) + #~(begin + (use-modules (gnu build activation)) + + ;; Make sure ~/.ssh is #o700. + (let* ((home (getenv "HOME")) + (dot-ssh (string-append home "/.ssh"))) + (mkdir-p/perms dot-ssh (getpw (getuid)) #o700))))) + +(define home-openssh-service-type + (service-type + (name 'home-openssh) + (extensions + (list (service-extension home-files-service-type + openssh-configuration-files) + (service-extension home-profile-service-type + (compose + list + home-openssh-configuration-openssh)) + (service-extension home-activation-service-type + (const openssh-activation)))) + (description "Configure the OpenSSH @acronym{SSH, secure shell} +client and add it to the user profile.") + (default-value (home-openssh-configuration)))) diff --git a/gnu/local.mk b/gnu/local.mk index d49af0d898..f3b08ffdab 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -85,6 +85,7 @@ GNU_SYSTEM_MODULES = \ %D%/home/services/fontutils.scm \ %D%/home/services/shells.scm \ %D%/home/services/shepherd.scm \ + %D%/home/services/ssh.scm \ %D%/home/services/mcron.scm \ %D%/home/services/utils.scm \ %D%/home/services/xdg.scm \ diff --git a/po/guix/POTFILES.in b/po/guix/POTFILES.in index 6b8bd92bb7..201e5dcc87 100644 --- a/po/guix/POTFILES.in +++ b/po/guix/POTFILES.in @@ -6,6 +6,7 @@ gnu/services.scm gnu/system.scm gnu/services/shepherd.scm gnu/home/services.scm +gnu/home/services/ssh.scm gnu/home/services/symlink-manager.scm gnu/system/file-systems.scm gnu/system/image.scm base-commit: 010426e2c34428d69573cdfef88239303edcab2d -- 2.36.1