nixos/sshd: add comment explaining different list option types

Signed-off-by: Christoph Heiss <christoph@c8h4.io>
author: Christoph Heiss <christoph@c8h4.io> 2023-10-28 20:13:26 +0200
committer: Christoph Heiss <christoph@c8h4.io> 2023-10-28 20:13:26 +0200
commit: cc8ba2162979b33eba280b8e20d4477871628c53 (patch)
tree: 560ee4eef4b144edcc882883102a57bce9abe5ca /nixos
parent: 4714845327dd4e972ee34cc4a8fa23c6b745e921 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 35e5c921a0910..f54ce59174387 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -26,6 +26,12 @@ let
       base = pkgs.formats.keyValue {
         mkKeyValue = lib.generators.mkKeyValueDefault { inherit mkValueString; } " ";
       };
+      # OpenSSH is very inconsistent with options that can take multiple values.
+      # For some of them, they can simply appear multiple times and are appended, for others the
+      # values must be separated by whitespace or even commas.
+      # Consult either sshd_config(5) or, as last resort, the OpehSSH source for parsing
+      # the options at servconf.c:process_server_config_line_depth() to determine the right "mode"
+      # for each. But fortunaly this fact is documented for most of them in the manpage.
       commaSeparated = [ "Ciphers" "KexAlgorithms" "Macs" ];
       spaceSeparated = [ "AuthorizedKeysFile" "AllowGroups" "AllowUsers" "DenyGroups" "DenyUsers" ];
     in {
author	Christoph Heiss <christoph@c8h4.io>	2023-10-28 20:13:26 +0200
committer	Christoph Heiss <christoph@c8h4.io>	2023-10-28 20:13:26 +0200
commit	cc8ba2162979b33eba280b8e20d4477871628c53 (patch)
tree	560ee4eef4b144edcc882883102a57bce9abe5ca /nixos
parent	4714845327dd4e972ee34cc4a8fa23c6b745e921 (diff)