authorMichael Hoang <Enzime@users.noreply.github.com>2023-09-26 01:05:13 +0100
committerGitHub <noreply@github.com>2023-09-26 01:05:13 +0100
commite236a1e598a9a59265897948ac9874c364b9555f (patch)
tree62c4f3346bad31ca9c3184f92e3958232e7b61e6 /modules/programs/ssh
parentc286b23c7fd7f0622bc4af898c91f58b8d304ff1 (diff)
parente58bcb921bfd6e90b3e2d11a03ba32918a1cfad4 (diff)
Merge pull request #187 from kalbasit/known-hosts-only-if-set
programs.ssh: write ssh known_hosts only if there are any set
Diffstat (limited to 'modules/programs/ssh')
-rw-r--r--modules/programs/ssh/default.nix13
1 files changed, 7 insertions, 6 deletions
diff --git a/modules/programs/ssh/default.nix b/modules/programs/ssh/default.nix
index 87978e6..5fc7415 100644
--- a/modules/programs/ssh/default.nix
+++ b/modules/programs/ssh/default.nix
@@ -151,12 +151,13 @@ in
services.openssh.authorizedKeysFiles = [ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ];
environment.etc = authKeysFiles //
- { "ssh/ssh_known_hosts".text = (flip (concatMapStringsSep "\n") knownHosts
- (h: assert h.hostNames != [];
- concatStringsSep "," h.hostNames + " "
- + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
- )) + "\n";
-
+ { "ssh/ssh_known_hosts" = mkIf (builtins.length knownHosts > 0) {
+ text = (flip (concatMapStringsSep "\n") knownHosts
+ (h: assert h.hostNames != [];
+ concatStringsSep "," h.hostNames + " "
+ + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
+ )) + "\n";
+ };
"ssh/sshd_config.d/101-authorized-keys.conf" = {
text = "AuthorizedKeysFile ${toString config.services.openssh.authorizedKeysFiles}\n";
# Allows us to automatically migrate from using a file to a symlink
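Review bot: The new `mkIf (builtins.length knownHosts > 0)` guard on `"ssh/ssh_known_hosts"` has no comment explaining what happens to the file once the list is empty, and this file is the system-wide trust anchor for host-key verification. With no hosts declared the module stops managing the path, so ssh will trust whatever is already at /etc/ssh/ssh_known_hosts: a hand-maintained file, or possibly entries left from an earlier generation, depending on how etc activation cleans up (not visible here). I would state the intent above the entry, e.g. `# Only manage the system known_hosts when hosts are declared; an existing /etc/ssh/ssh_known_hosts is otherwise left untouched.` As a style point, `mkIf (knownHosts != [])` reads more directly and matches the `h.hostNames != []` check a few lines below. The enclosing `environment.etc` attribute set continues past the end of the hunk.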