From 4205c91609d6309ebbcddfa675fc63937718c14b Mon Sep 17 00:00:00 2001
From: Robert Helgesson
Date: Fri, 23 Mar 2018 19:32:02 +0100
Subject: [PATCH] ssh: move options to end of configuration file

This is needed to support overriding these options inside match blocks. A new option `programs.ssh.extraOptionOverrides` has been added to allow global overrides.
---
 modules/misc/news.nix | 18 ++++++++++++++++++
 modules/programs/ssh.nix | 35 ++++++++++++++++++++++++-----------
 2 files changed, 42 insertions(+), 11 deletions(-)

diff --git a/modules/misc/news.nix b/modules/misc/news.nix
index a0718b190..e903669ed 100644
--- a/modules/misc/news.nix
+++ b/modules/misc/news.nix
@@ -587,6 +587,24 @@ in
 A new module is available: 'programs.fzf'.
 '';
 }
+
+ {
+ time = "2018-03-25T06:49:57+00:00";
+ condition = with config.programs.ssh; enable && matchBlocks != {};
+ message = ''
+ Options set through the 'programs.ssh' module are now placed
+ at the end of the SSH configuration file. This was done to
+ make it possible to override global options such as
+ 'ForwardAgent' or 'Compression' inside a host match block.
+
+ If you truly need to override an SSH option across all match
+ blocks then the new option
+
+ programs.ssh.extraOptionOverrides
+
+ can be used.
+ '';
+ }
 ];
 };
 }
diff --git a/modules/programs/ssh.nix b/modules/programs/ssh.nix
index 4c68ebf8b..c62f37eb6 100644
--- a/modules/programs/ssh.nix
+++ b/modules/programs/ssh.nix
@@ -220,9 +220,18 @@ in
 '';
 };
+ extraOptionOverrides = mkOption {
+ type = types.attrsOf types.str;
+ default = {};
+ description = ''
+ Extra SSH configuration options that take precedence over any
+ host specific configuration.
+ '';
+ };
+
 matchBlocks = mkOption {
 type = types.loaOf matchBlockModule;
- default = [];
+ default = {};
 example = literalExample ''
 {
 "john.example.com" = {
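Review bot: The description of `extraOptionOverrides` does not say why these entries take precedence, and it does not mention that the values are written to the file unchecked. They win only because they are emitted before every match block and ssh keeps the first value it obtains for each keyword, so I would extend the description with something like `These options are written at the top of the file, before any match block; ssh uses the first value it obtains, so they cannot be overridden per host.` The type is `types.attrsOf types.str` and the later hunk in this file renders each entry as `"${n} ${v}"`, so a value containing a newline, or a `Host` or `Match` key, would start new directives that then scope everything below it. The description should say that names and values are emitted verbatim, without quoting or validation. The surrounding option set starts and ends outside this hunk.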
@@ -248,20 +257,24 @@ in
 config = mkIf cfg.enable {
 home.file.".ssh/config".text = ''
- ForwardAgent ${yn cfg.forwardAgent}
- Compression ${yn cfg.compression}
- ServerAliveInterval ${toString cfg.serverAliveInterval}
- HashKnownHosts ${yn cfg.hashKnownHosts}
- UserKnownHostsFile ${cfg.userKnownHostsFile}
- ControlMaster ${cfg.controlMaster}
- ControlPath ${cfg.controlPath}
- ControlPersist ${cfg.controlPersist}
-
- ${cfg.extraConfig}
+ ${concatStringsSep "\n" (
+ mapAttrsToList (n: v: "${n} ${v}") cfg.extraOptionOverrides)}
 ${concatStringsSep "\n\n" (
 map matchBlockStr (
 builtins.attrValues cfg.matchBlocks))}
+
+ Host *
+ ForwardAgent ${yn cfg.forwardAgent}
+ Compression ${yn cfg.compression}
+ ServerAliveInterval ${toString cfg.serverAliveInterval}
+ HashKnownHosts ${yn cfg.hashKnownHosts}
+ UserKnownHostsFile ${cfg.userKnownHostsFile}
+ ControlMaster ${cfg.controlMaster}
+ ControlPath ${cfg.controlPath}
+ ControlPersist ${cfg.controlPersist}
+
+ ${replaceStrings ["\n"] ["\n "] cfg.extraConfig}
 '';
 };
 }
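Review bot: `cfg.extraConfig` silently changes meaning in this hunk: it used to be written above the match blocks, where its settings won over them, and now sits under the trailing `Host *`, where ssh uses them only if no earlier block set the same keyword. A user who kept restrictive settings there expecting them to apply to every host will find that a match block setting the same keyword now takes effect instead; `extraOptionOverrides` is the place for such settings after this change. The description of `extraConfig` lies outside the hunk, so I cannot tell whether it was updated; if it was not, I would add `These lines are placed in the final 'Host *' section and act as defaults that match blocks can override.` A short Nix comment above `home.file.".ssh/config".text` would also help, for example `# ssh uses the first value obtained for each keyword: overrides first, match blocks next, 'Host *' defaults last.`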