authormakefu <github@syntax-fehler.de>2023-06-10 14:07:47 +0200
committertv <tv@krebsco.de>2023-06-21 14:47:04 +0200
commitfdc364520238a38883d28bbfa05ac966e792ed8b (patch)
treecf89afd12d1872ad44607e68b5a7fae0256aae2e
parent5b2ceb1f1d6809578b77db6527dde2afaee8ba54 (diff)
krebs module: pull out ssh logic from base module
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/krebs.nix111
-rw-r--r--krebs/3modules/ssh.nix109
3 files changed, 114 insertions, 107 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index e1fa10ada..28ce09941 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -45,6 +45,7 @@
./secret.nix
./setuid.nix
./shadow.nix
+ ./ssh.nix
./sitemap.nix
./ssl.nix
./sync-containers.nix
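Review bot: The new `./ssh.nix` entry breaks the alphabetical ordering of the surrounding import list, which goes `./shadow.nix`, `./sitemap.nix`, `./ssl.nix`; `./ssh.nix` belongs between `./sitemap.nix` and `./ssl.nix`. Keeping the list sorted makes future merges and duplicate imports easier to spot. Suggested change: move the added line so the sequence reads `./sitemap.nix`, `./ssh.nix`, `./ssl.nix`.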
diff --git a/krebs/3modules/krebs.nix b/krebs/3modules/krebs.nix
index 9d509275e..ce63135ec 100644
--- a/krebs/3modules/krebs.nix
+++ b/krebs/3modules/krebs.nix
@@ -2,110 +2,7 @@
with lib;
let
cfg = config.krebs;
-
- out = {
- options.krebs = api;
- config = lib.mkIf cfg.enable imp;
- };
-
- api = {
- enable = mkEnableOption "krebs";
-
- zone-head-config = mkOption {
- type = with types; attrsOf str;
- description = ''
- The zone configuration head which is being used to create the
- zone files. The string for each key is pre-pended to the zone file.
- '';
- # TODO: configure the default somewhere else,
- # maybe use krebs.dns.providers
- default = {
-
- # github.io -> 192.30.252.154
- "krebsco.de" = ''
- $TTL 86400
- @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400)
- IN NS ns19.ovh.net.
- IN NS dns19.ovh.net.
- '';
- };
- };
- };
-
- imp = lib.mkMerge [
- {
- services.openssh.hostKeys =
- let inherit (config.krebs.build.host.ssh) privkey; in
- mkIf (privkey != null) [privkey];
-
- services.openssh.knownHosts =
- filterAttrs
- (knownHostName: knownHost:
- knownHost.publicKey != null &&
- knownHost.hostNames != []
- )
- (mapAttrs
- (hostName: host: {
- hostNames =
- concatLists
- (mapAttrsToList
- (netName: net:
- let
- aliases =
- concatLists [
- shortAliases
- net.aliases
- net.addrs
- ];
- shortAliases =
- optionals
- (cfg.dns.search-domain != null)
- (map (removeSuffix ".${cfg.dns.search-domain}")
- (filter (hasSuffix ".${cfg.dns.search-domain}")
- net.aliases));
- addPort = alias:
- if net.ssh.port != 22
- then "[${alias}]:${toString net.ssh.port}"
- else alias;
- in
- map addPort aliases
- )
- host.nets);
- publicKey = host.ssh.pubkey;
- })
- (foldl' mergeAttrs {} [
- cfg.hosts
- {
- localhost = {
- nets.local = {
- addrs = [ "127.0.0.1" "::1" ];
- aliases = [ "localhost" ];
- ssh.port = 22;
- };
- ssh.pubkey = config.krebs.build.host.ssh.pubkey;
- };
- }
- ]));
-
- programs.ssh.extraConfig = concatMapStrings
- (net: ''
- Host ${toString (net.aliases ++ net.addrs)}
- Port ${toString net.ssh.port}
- '')
- (filter
- (net: net.ssh.port != 22)
- (concatMap (host: attrValues host.nets)
- (mapAttrsToList
- (_: host: recursiveUpdate host
- (optionalAttrs (cfg.dns.search-domain != null &&
- hasAttr cfg.dns.search-domain host.nets) {
- nets."" = host.nets.${cfg.dns.search-domain} // {
- aliases = [host.name];
- addrs = [];
- };
- }))
- config.krebs.hosts)));
- }
- ];
-
-in out
+in {
+ options.krebs.enable = mkEnableOption "krebs";
+ config = lib.mkIf config.krebs.enable {};
+}
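Review bot: After this change the `cfg = config.krebs;` binding on the context line at the top of the hunk is no longer referenced anywhere in krebs.nix, since the new body reads `config.krebs.enable` directly. Either use it, `config = lib.mkIf cfg.enable {};`, or drop the `let` binding so the module does not carry a dead name that suggests more logic lives here. `with lib;` is still needed for `mkEnableOption` and should stay. A one-line comment such as `# krebs.enable gates the other krebs/3modules (see ssh.nix)` would also make clear why the module now only declares the option and an empty config.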
diff --git a/krebs/3modules/ssh.nix b/krebs/3modules/ssh.nix
new file mode 100644
index 000000000..58f3a3c10
--- /dev/null
+++ b/krebs/3modules/ssh.nix
@@ -0,0 +1,109 @@
+{ config, lib, ... }:
+with lib;
+let
+ cfg = config.krebs;
+
+ out = {
+ options.krebs = api;
+ config = lib.mkIf cfg.enable imp;
+ };
+
+ api = {
+ zone-head-config = mkOption {
+ type = with types; attrsOf str;
+ description = ''
+ The zone configuration head which is being used to create the
+ zone files. The string for each key is pre-pended to the zone file.
+ '';
+ # TODO: configure the default somewhere else,
+ # maybe use krebs.dns.providers
+ default = {
+
+ # github.io -> 192.30.252.154
+ "krebsco.de" = ''
+ $TTL 86400
+ @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400)
+ IN NS ns19.ovh.net.
+ IN NS dns19.ovh.net.
+ '';
+ };
+ };
+ };
+
+ imp = lib.mkMerge [
+ {
+ services.openssh.hostKeys =
+ let inherit (config.krebs.build.host.ssh) privkey; in
+ mkIf (privkey != null) [privkey];
+
+ services.openssh.knownHosts =
+ filterAttrs
+ (knownHostName: knownHost:
+ knownHost.publicKey != null &&
+ knownHost.hostNames != []
+ )
+ (mapAttrs
+ (hostName: host: {
+ hostNames =
+ concatLists
+ (mapAttrsToList
+ (netName: net:
+ let
+ aliases =
+ concatLists [
+ shortAliases
+ net.aliases
+ net.addrs
+ ];
+ shortAliases =
+ optionals
+ (cfg.dns.search-domain != null)
+ (map (removeSuffix ".${cfg.dns.search-domain}")
+ (filter (hasSuffix ".${cfg.dns.search-domain}")
+ net.aliases));
+ addPort = alias:
+ if net.ssh.port != 22
+ then "[${alias}]:${toString net.ssh.port}"
+ else alias;
+ in
+ map addPort aliases
+ )
+ host.nets);
+ publicKey = host.ssh.pubkey;
+ })
+ (foldl' mergeAttrs {} [
+ cfg.hosts
+ {
+ localhost = {
+ nets.local = {
+ addrs = [ "127.0.0.1" "::1" ];
+ aliases = [ "localhost" ];
+ ssh.port = 22;
+ };
+ ssh.pubkey = config.krebs.build.host.ssh.pubkey;
+ };
+ }
+ ]));
+
+ programs.ssh.extraConfig = concatMapStrings
+ (net: ''
+ Host ${toString (net.aliases ++ net.addrs)}
+ Port ${toString net.ssh.port}
+ '')
+ (filter
+ (net: net.ssh.port != 22)
+ (concatMap (host: attrValues host.nets)
+ (mapAttrsToList
+ (_: host: recursiveUpdate host
+ (optionalAttrs (cfg.dns.search-domain != null &&
+ hasAttr cfg.dns.search-domain host.nets) {
+ nets."" = host.nets.${cfg.dns.search-domain} // {
+ aliases = [host.name];
+ addrs = [];
+ };
+ }))
+ config.krebs.hosts)));
+ }
+ ];
+
+in out
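Review bot: The `zone-head-config` option, whose own description says it is used to create DNS zone files, is moved into ssh.nix along with the SSH logic, so a reader looking for DNS zone settings will not find them in the ssh module and nothing in this file uses `cfg.zone-head-config`. It should stay in krebs.nix or go with the DNS provider code that the existing TODO on it already points at. The file also has no header comment, and its config is gated by `cfg.enable` while the `krebs.enable` option is declared in krebs.nix and `krebs.hosts`, `krebs.dns.search-domain` and `krebs.build.host.ssh` come from other modules; a short top-of-file comment listing those cross-module dependencies, and one above `services.openssh.knownHosts` noting that known-host entries are pinned from `host.ssh.pubkey` and entries without a pubkey are filtered out, would help the next maintainer reason about which hosts end up trusted.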