ssh: Support knownHost public keys as strings

nixos/modules/services/networking/ssh/sshd.nix

@@ -18,9 +18,9 @@ let
   knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts);
 
   knownHostsFile = pkgs.writeText "ssh_known_hosts" (
-    flip concatMapStrings knownHosts (h:
+    flip concatMapStrings knownHosts (h: ''
-      "${concatStringsSep "," h.hostNames} ${readFile h.publicKeyFile}"
+      ${concatStringsSep "," h.hostNames} ${if h.publicKey != null then h.publicKey else readFile h.publicKeyFile}
-    )
+    '')
   );
 
   userOptions = {
@@ -218,7 +218,18 @@ in
               the host's ssh service.
             '';
           };
+          publicKey = mkOption {
+            default = null;
+            type = types.nullOr types.string;
+            description = ''
+              The public key data for the host. You can fetch a public key
+              from a running SSH server with the <command>ssh-keyscan</command>
+              command.
+            '';
+          };
           publicKeyFile = mkOption {
+            default = null;
+            type = types.nullOr types.unspecified;
             description = ''
               The path to the public key file for the host. The public
               key file is read at build time and saved in the Nix store.
@@ -367,7 +378,12 @@ in
       '';
 
     assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
-                    message = "cannot enable X11 forwarding without setting xauth location";}];
+                    message = "cannot enable X11 forwarding without setting xauth location";}]
+      ++ flip mapAttrsToList cfg.knownHosts (name: data: {
+        assertion = (data.publicKey == null && data.publicKeyFile != null) ||
+                    (data.publicKey != null && data.publicKeyFile == null);
+        message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
+      });
 
   };