Extend default value for services.openssh.settings.Macs in 23.05

h0m1 · June 2, 2023, 6:26pm

to enable my scanner to send data to a nixos-system via ssh, the list of macs and kexAlgorithms needs to be expanded. I would like to override the default value instead of replacing it. That worked in 22.11:

services.openssh= {
  enable = true;
  macs = options.services.openssh.macs.default ++ [ "hmac-sha1" ];

After the update to 23.05 the following error is displayed:

error: attribute 'default' missing

      at /etc/nixos/configuration.nix:39:18:

           38|           enable = true;
           39|           macs = options.services.openssh.macs.default ++ [ "hmac-sha1" ];
             |                  ^
           40|           extraConfig = ''

There is now a different option in 23.05: services.openssh.settings.Macs

Unfortunately, the test was not successful with that either.

error: attribute 'Macs' missing

       at /etc/nixos/configuration.nix:40:27:

           39|           #macs = options.services.openssh.macs.default ++ [ "hmac-sha1" ];
           40|           settings.Macs = options.services.openssh.settings.Macs.default ++ [ "hmac-sha1" ];
             |                           ^
           41|           extraConfig = ''
(use '--show-trace' to show detailed location information)

I would like to know why it is no longer working.

jtojnar · June 2, 2023, 7:13pm

Unlike the previous option, services.openssh.settings.Macs is not a top-level option but rather settings is an option of submodule type:

github.com

NixOS/nixpkgs/blob/06e9be9b88623f924339f8a9a0aebcbad826faaa/nixos/modules/services/networking/ssh/sshd.nix#L279-L286

    
      
          settings = mkOption {
            description = lib.mdDoc "Configuration for `sshd_config(5)`.";
            default = { };
            example = literalExpression ''{
              UseDns = true;
              PasswordAuthentication = false;
            }'';
            type = types.submodule ({name, ...}: {

As such, you will need to introspect the submodule if you want to access options inside it.

REPL is useful for playing around with it nix repl ~/Projects/nixpkgs:

nix-repl> n = nixos {}  

nix-repl> n.options.services.openssh.settings.type                                 
{ _type = "option-type"; check = «lambda @ /nix/store/rw26gr9dnnl2lm7whcshiz8x4yryqqql-source/lib/types.nix:750:17»; deprecationMessage = null; description = "attribute set of (atom (null, bool, int, float or string))"; descriptionClass = null; emptyValue = { ... }; functor = { ... }; getSubModules = [ ... ]; getSubOptions = «lambda @ /nix/store/rw26gr9dnnl2lm7whcshiz8x4yryqqql-source/lib/types.nix:757:25»; merge = «lambda @ /nix/store/rw26gr9dnnl2lm7whcshiz8x4yryqqql-source/lib/types.nix:751:17»; name = "submodule"; nestedTypes = { ... }; substSubModules = «lambda @ /nix/store/rw26gr9dnnl2lm7whcshiz8x4yryqqql-source/lib/types.nix:765:27»; typeMerge = «lambda @ /nix/store/rw26gr9dnnl2lm7whcshiz8x4yryqqql-source/lib/types.nix:79:25»; }

nix-repl> n.options.services.openssh.settings.type.getSubOptions []                
{ Ciphers = { ... }; GatewayPorts = { ... }; KbdInteractiveAuthentication = { ... }; KexAlgorithms = { ... }; LogLevel = { ... }; Macs = { ... }; PasswordAuthentication = { ... }; PermitRootLogin = { ... }; UseDns = { ... }; X11Forwarding = { ... }; _freeformOptions = { ... }; _module = { ... }; }

nix-repl> (n.options.services.openssh.settings.type.getSubOptions []).Macs.default
[ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ]

h0m1 · June 2, 2023, 7:52pm

Many thanks for the explanation. That works for me.