profiles/common-ssh: Configure GlobalKnownHosts manually so we avoid import from derivation

profiles/common-ssh/default.nix

@@ -2,13 +2,33 @@
 
 with lib;
 
-{
+let
+
+  cfg = config.profiles.clerie.common-ssh;
+
+  knownHostsFiles = [
+    "/etc/ssh/ssh_known_hosts"
+  ] ++ cfg.knownHostsFiles;
+
+in {
 
   options.profiles.clerie.common-ssh = {
     enable = mkEnableOption "Common ssh config";
+    knownHostsFiles = mkOption {
+      type = with types; listOf str;
+      default = [];
+      description = "List of paths to ssh known hosts files";
+    };
   };
 
-  config = mkIf config.profiles.clerie.common-ssh.enable {
+  config = mkIf cfg.enable {
+
+    assertions = [
+      {
+        assertion = config.programs.ssh.knownHostsFiles == [];
+        message = "profiles.clerie.common-ssh sets a custom set of global known hosts file that is incompatible with the settings from the official NixOS module, use profiles.clerie.common-ssh.knownHostsFiles instead";
+      }
+    ];
 
     services.openssh.enable = true;
     services.openssh.settings = {
@@ -21,11 +41,16 @@ with lib;
       { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
     ];
 
-    programs.ssh.knownHostsFiles = [
+    profiles.clerie.common-ssh.knownHostsFiles = [
       (pkgs.clerie-ssh-known-hosts + "/known_hosts")
       (pkgs.fem-ssh-known-hosts + "/known_hosts")
       (pkgs.well-known-ssh-known-hosts + "/known_hosts")
     ];
 
+    programs.ssh.extraConfig = ''
+      Host *
+      GlobalKnownHostsFile ${builtins.concatStringsSep " " knownHostsFiles}
+    '';
+
   };
 }

profiles/hetzner-storage-box-client/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 
@@ -10,9 +10,9 @@ with lib;
 
   config = mkIf config.profiles.clerie.hetzner-storage-box-client.enable {
 
-   programs.ssh.knownHostsFiles = [
-     ./hetzner-storage-box-ssh_known_hosts
-   ];
+    profiles.clerie.common-ssh.knownHostsFiles = [
+      (pkgs.copyPathToStore ./hetzner-storage-box-ssh_known_hosts)
+    ];
 
  };