From 2d963854ae2499193c0c72fd67435fee34d3e4fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Na=C3=AFm=20Favier?=
Date: Sat, 27 May 2023 14:11:50 +0200
Subject: [PATCH] ssh: don't install a client by default (#4016)
Make use of the recently added nullable `mkPackageOption` feature to disable installing an SSH client by default: most people should use the client provided by their system.
---
 modules/misc/news.nix | 4 ++--
 modules/programs/ssh.nix | 8 ++++++--
 tests/modules/programs/ssh/default-config.nix | 2 --
 .../ssh/forwards-dynamic-bind-path-with-port-asserts.nix | 2 --
 .../ssh/forwards-dynamic-valid-bind-no-asserts.nix | 2 --
 .../ssh/forwards-local-bind-path-with-port-asserts.nix | 2 --
 .../ssh/forwards-local-host-path-with-port-asserts.nix | 2 --
 .../ssh/forwards-remote-bind-path-with-port-asserts.nix | 2 --
 .../ssh/forwards-remote-host-path-with-port-asserts.nix | 2 --
 tests/modules/programs/ssh/includes.nix | 2 --
 tests/modules/programs/ssh/match-blocks-attrs.nix | 2 --
 .../modules/programs/ssh/match-blocks-match-and-hosts.nix | 2 --
 12 files changed, 8 insertions(+), 24 deletions(-)
diff --git a/modules/misc/news.nix b/modules/misc/news.nix
index 9c59b300d..a9d0da4ff 100644
--- a/modules/misc/news.nix
+++ b/modules/misc/news.nix
@@ -1028,9 +1028,9 @@ in
 time = "2023-05-13T14:34:21+00:00";
 condition = config.programs.ssh.enable;
 message = ''
- The module 'programs.ssh' now installs an SSH client. The installed
+ The module 'programs.ssh' can now install an SSH client. The installed
 client is controlled by the 'programs.ssh.package` option, which
- defaults to 'pkgs.openssh'.
+ defaults to 'null'.
 '';
 }
 {
diff --git a/modules/programs/ssh.nix b/modules/programs/ssh.nix
index 7469cac53..0d616bdfd 100644
--- a/modules/programs/ssh.nix
+++ b/modules/programs/ssh.nix
@@ -361,7 +361,11 @@ in
 options.programs.ssh = {
 enable = mkEnableOption "SSH client configuration";
- package = mkPackageOption pkgs "openssh" { };
+ package = mkPackageOption pkgs "openssh" {
+ nullable = true;
+ default = null;
+ extraDescription = "By default, the client provided by your system is used.";
+ };
 forwardAgent = mkOption {
 default = false;
@@ -527,7 +531,7 @@ in
 }
 ];
- home.packages = [ cfg.package ];
+ home.packages = optional (cfg.package != null) cfg.package;
 home.file.".ssh/config".text = let
diff --git a/tests/modules/programs/ssh/default-config.nix b/tests/modules/programs/ssh/default-config.nix
index c059d021f..6d7e5508a 100644
--- a/tests/modules/programs/ssh/default-config.nix
+++ b/tests/modules/programs/ssh/default-config.nix
@@ -6,8 +6,6 @@ with lib;
 config = {
 programs.ssh = { enable = true; };
- test.stubs.openssh = { };
-
 home.file.assertions.text = builtins.toJSON (map (a: a.message) (filter (a: !a.assertion) config.assertions));
diff --git a/tests/modules/programs/ssh/forwards-dynamic-bind-path-with-port-asserts.nix b/tests/modules/programs/ssh/forwards-dynamic-bind-path-with-port-asserts.nix
index 1be55aef0..e841b5bcd 100644
--- a/tests/modules/programs/ssh/forwards-dynamic-bind-path-with-port-asserts.nix
+++ b/tests/modules/programs/ssh/forwards-dynamic-bind-path-with-port-asserts.nix
@@ -17,8 +17,6 @@ with lib;
 };
 };
- test.stubs.openssh = { };
-
 test.asserts.assertions.expected = [ "Forwarded paths cannot have ports." ];
 };
 }
diff --git a/tests/modules/programs/ssh/forwards-dynamic-valid-bind-no-asserts.nix b/tests/modules/programs/ssh/forwards-dynamic-valid-bind-no-asserts.nix
index 8a371402f..d0c3a7322 100644
--- a/tests/modules/programs/ssh/forwards-dynamic-valid-bind-no-asserts.nix
+++ b/tests/modules/programs/ssh/forwards-dynamic-valid-bind-no-asserts.nix
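Review bot: The `extraDescription` added in the first `modules/programs/ssh.nix` hunk (`@@ -361,7 +361,11 @@`) says which client is used but not what follows from it. With `package = null` the module still writes `~/.ssh/config` (see `home.file.".ssh/config".text` in the next hunk), and that file is then read by a client whose version and security updates Home Manager does not manage. If the system client is older than the options a user configures, it will presumably reject the file, so the option text is the place to say so. I would extend it to `extraDescription = "By default, the client provided by your system is used; its version and updates are then managed outside Home Manager.";`. The `options.programs.ssh` set continues outside the hunk.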
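Review bot: Nothing in this patch tests the new `home.packages = optional (cfg.package != null) cfg.package;` line (second `modules/programs/ssh.nix` hunk, `@@ -527,7 +531,7 @@`) with a package set. Every test change shown only drops `test.stubs.openssh = { };`, so as far as the patch shows the SSH tests now all run with the `null` default. One test that sets `programs.ssh.package = pkgs.openssh;`, keeps `test.stubs.openssh = { };` and asserts the client ends up in the profile would cover the non-null branch. Separately, users who relied on the previous default lose the Nix-provided client on upgrade, and because the news hunk rewrites the existing `2023-05-13` entry instead of adding a new one they may not be notified; worth confirming that is intended. The enclosing `config` block starts and ends outside the hunk.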
@@ -27,8 +27,6 @@ with lib;
 home.file.result.text = builtins.toJSON (map (a: a.message) (filter (a: !a.assertion) config.assertions));
- test.stubs.openssh = { };
-
 nmt.script = ''
 assertFileExists home-files/.ssh/config
 assertFileContent \
diff --git a/tests/modules/programs/ssh/forwards-local-bind-path-with-port-asserts.nix b/tests/modules/programs/ssh/forwards-local-bind-path-with-port-asserts.nix
index 2b03b56e0..e7ac454e8 100644
--- a/tests/modules/programs/ssh/forwards-local-bind-path-with-port-asserts.nix
+++ b/tests/modules/programs/ssh/forwards-local-bind-path-with-port-asserts.nix
@@ -21,8 +21,6 @@ with lib;
 };
 };
- test.stubs.openssh = { };
-
 test.asserts.assertions.expected = [ "Forwarded paths cannot have ports." ];
 };
 }
diff --git a/tests/modules/programs/ssh/forwards-local-host-path-with-port-asserts.nix b/tests/modules/programs/ssh/forwards-local-host-path-with-port-asserts.nix
index aa72e3527..890459c8a 100644
--- a/tests/modules/programs/ssh/forwards-local-host-path-with-port-asserts.nix
+++ b/tests/modules/programs/ssh/forwards-local-host-path-with-port-asserts.nix
@@ -21,8 +21,6 @@ with lib;
 };
 };
- test.stubs.openssh = { };
-
 test.asserts.assertions.expected = [ "Forwarded paths cannot have ports." ];
 };
 }
diff --git a/tests/modules/programs/ssh/forwards-remote-bind-path-with-port-asserts.nix b/tests/modules/programs/ssh/forwards-remote-bind-path-with-port-asserts.nix
index e4e83390f..ece7d7953 100644
--- a/tests/modules/programs/ssh/forwards-remote-bind-path-with-port-asserts.nix
+++ b/tests/modules/programs/ssh/forwards-remote-bind-path-with-port-asserts.nix
@@ -21,8 +21,6 @@ with lib;
 };
 };
- test.stubs.openssh = { };
-
 test.asserts.assertions.expected = [ "Forwarded paths cannot have ports." ];
 };
 }
diff --git a/tests/modules/programs/ssh/forwards-remote-host-path-with-port-asserts.nix b/tests/modules/programs/ssh/forwards-remote-host-path-with-port-asserts.nix
index e4332346b..b1228f4ef 100644
--- a/tests/modules/programs/ssh/forwards-remote-host-path-with-port-asserts.nix
+++ b/tests/modules/programs/ssh/forwards-remote-host-path-with-port-asserts.nix
@@ -21,8 +21,6 @@ with lib;
 };
 };
- test.stubs.openssh = { };
-
 test.asserts.assertions.expected = [ "Forwarded paths cannot have ports." ];
 };
 }
diff --git a/tests/modules/programs/ssh/includes.nix b/tests/modules/programs/ssh/includes.nix
index def9cf96b..12e2c6df8 100644
--- a/tests/modules/programs/ssh/includes.nix
+++ b/tests/modules/programs/ssh/includes.nix
@@ -7,8 +7,6 @@
 includes = [ "config.d/*" "other/dir" ];
 };
- test.stubs.openssh = { };
-
 nmt.script = ''
 assertFileExists home-files/.ssh/config
 assertFileContains home-files/.ssh/config "Include config.d/* other/dir"
diff --git a/tests/modules/programs/ssh/match-blocks-attrs.nix b/tests/modules/programs/ssh/match-blocks-attrs.nix
index 1b32943a3..d8584e3a0 100644
--- a/tests/modules/programs/ssh/match-blocks-attrs.nix
+++ b/tests/modules/programs/ssh/match-blocks-attrs.nix
@@ -51,8 +51,6 @@ with lib;
 home.file.assertions.text = builtins.toJSON (map (a: a.message) (filter (a: !a.assertion) config.assertions));
- test.stubs.openssh = { };
-
 nmt.script = ''
 assertFileExists home-files/.ssh/config
 assertFileContent \
diff --git a/tests/modules/programs/ssh/match-blocks-match-and-hosts.nix b/tests/modules/programs/ssh/match-blocks-match-and-hosts.nix
index 72ae72ea3..aa1e40d05 100644
--- a/tests/modules/programs/ssh/match-blocks-match-and-hosts.nix
+++ b/tests/modules/programs/ssh/match-blocks-match-and-hosts.nix
@@ -21,8 +21,6 @@ with lib;
 home.file.assertions.text = builtins.toJSON (map (a: a.message) (filter (a: !a.assertion) config.assertions));
- test.stubs.openssh = { };
-
 nmt.script = ''
 assertFileExists home-files/.ssh/config
 assertFileContent \