How do I give a container SSH passthrough under NixOS?

I'm trying to set up a NixOS git (Forgejo) container. I've gotten everything to work except SSH. This needs to be passed through to the host system; although I got quite far, it still doesn't work.

I've managed to bind the container shell environment to the git account like so:

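{ config, pkgs, ... }:
let
  # True only if a "git" user is declared in this configuration
  # (reading a missing attribute aborts evaluation instead of yielding null).
  userExists = config.users.users ? git;

  # Login shell for the git account: forwards the SSH session into the container.
  gitSshShell = (if userExists then
    pkgs.writeShellScriptBin "git-ssh-shell" ''
      #!/usr/bin/env bash
      # sshd passes the client's requested command in SSH_ORIGINAL_COMMAND.
      podman exec -it \
        --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" \
        forgejo-box \
        sh "$@"
    ''
    else
      null
    );
in {
  # Install the wrapper only when it was built.
  environment.systemPackages = pkgs.lib.optional userExists gitSshShell;
  # Point the git account's login shell at the wrapper on every activation.
  system.activationScripts."usermodSshShell" = {
    text = ''
      #!/usr/bin/env bash
      GITSHELLPATH=/run/current-system/sw/bin/git-ssh-shell
      usermod -s "$GITSHELLPATH" git
    '';
  };
}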

I know this works because if I do:
sudo machinectl shell git@
it produces the container shell environment.

The one thing I still need to do is to get ssh to handle the keys like so:
AuthorizedKeysCommand podman exec -it forgejo-box /usr/local/bin/forgejo --config /var/lib/gitea/custom/conf/app.ini keys -e git -u [user] -t [type] -k [key]

But I'm unclear on how to do this. From what I've seen, the way is to match the user using an sshd config, but I don't see this functionality under NixOS. Home Manager does have this functionality, but it doesn't seem to work when I try.

Written normally as an sshd_config, it should look something like this:

Match User git
  AuthorizedKeysCommand /usr/bin/podman exec --interactive forgejo-server /usr/local/bin/forgejo --config /var/lib/gitea/custom/conf/app.ini keys -e git -u %u -t %t -k %k
  AuthorizedKeysCommandUser git
Match all

Any help would be appreciated,

Kind Regards.

Thanks to a bit of learning and this previous post, I was able to get a bit further.

I now have the bit of sshd configuration in a separate folder in /etc/ssh using environment.etc, and ssh can refer to it, but when debugging it now gives this error:

 /run/current-system/sw/bin/sshd -ddd -D -f /run/current-system/etc/ssh/sshd_config.d/60-forgejo.conf
debug2: load_server_config: filename /run/current-system/etc/ssh/sshd_config.d/60-forgejo.conf
debug2: load_server_config: done config len = 222
debug2: parse_server_config_depth: config /run/current-system/etc/ssh/sshd_config.d/60-forgejo.conf len 222
debug3: checking syntax for 'Match User git'
debug3: checking syntax for 'Match all'
debug1: sshd version OpenSSH_9.9, OpenSSL 3.3.2 3 Sep 2024
debug1: Unable to load host key: /etc/ssh/ssh_host_rsa_key
debug1: Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
debug1: Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.

which is a bit strange, since my host does have SSH keys of 2 of those types and under those file names.
Unless it's referring to the container keys, which indeed don't exist. I'm not sure, though.
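
An added example, not part of the original post: the Match block quoted above expressed through the NixOS option services.openssh.extraConfig, which places it in the generated sshd_config rather than in a separate file. It assumes the container name forgejo-server and the Forgejo paths from the sshd_config snippet in the post, and that the git user is allowed to run podman exec against that container.

```nix
{ pkgs, ... }:
{
  services.openssh = {
    enable = true;

    # extraConfig is included verbatim in the sshd_config that NixOS generates.
    extraConfig = ''
      Match User git
        # AuthorizedKeysCommand needs an absolute path; /usr/bin/podman does
        # not exist on NixOS, so the store path of the podman package is used.
        # %u = user name, %t = key type, %k = base64-encoded key offered by the client.
        AuthorizedKeysCommand ${pkgs.podman}/bin/podman exec --interactive forgejo-server /usr/local/bin/forgejo --config /var/lib/gitea/custom/conf/app.ini keys -e git -u %u -t %t -k %k
        # Run the key lookup as the unprivileged git account, not as root.
        AuthorizedKeysCommandUser git
      # Close the conditional block so later directives apply to every user again.
      Match all
    '';
  };
}
```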