summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authortv <tv@shackspace.de>2015-09-27 15:24:41 +0200
committertv <tv@shackspace.de>2015-09-27 15:24:41 +0200
commitdc5299a07126e73b2040213cc1610f7368604213 (patch)
treed00905b474850ad934406ff9b0b5c34442f8366b
parentedd973f7735e7a7e9964f0ac7d75ab4ca20b80d9 (diff)
krebs: add hosts with ssh.pubkey to known hosts
-rw-r--r--krebs/3modules/default.nix34
-rw-r--r--krebs/4lib/types.nix34
2 files changed, 66 insertions, 2 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 78834d8d5..1501a9d49 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -103,6 +103,32 @@ let
([cfg.zone-head-config] ++ combined-hosts) ;
combined-hosts = (mapAttrsToList (name: value: value.extraZones) cfg.hosts );
in lib.mapAttrs' (name: value: nameValuePair (("zones/" + name)) ({ text=value; })) all-zones;
+
+ programs.ssh.knownHosts =
+ mapAttrs
+ (name: host: {
+ hostNames =
+ concatLists
+ (mapAttrsToList
+ (net-name: net:
+ let
+ aliases = shorts ++ longs;
+ longs = net.aliases;
+ shorts =
+ map (removeSuffix ".${cfg.search-domain}")
+ (filter (hasSuffix ".${cfg.search-domain}")
+ longs);
+ add-port = a:
+ if net.ssh.port != null
+ then "[${a}]:${toString net.ssh.port}"
+ else a;
+ in
+ aliases ++ map add-port net.addrs)
+ host.nets);
+
+ publicKey = host.ssh.pubkey;
+ })
+ (filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts);
}
];
@@ -464,6 +490,7 @@ let
"cgit.cd.viljetic.de"
"cd.krebsco.de"
];
+ ssh.port = 11423;
};
retiolum = {
via = internet;
@@ -490,6 +517,7 @@ let
'';
};
};
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOd/HqZIO9Trn3eycl23GZAz21HQCISaVNfNyaLSQvJ6";
};
mkdir = rec {
cores = 1;
@@ -522,6 +550,8 @@ let
'';
};
};
+ ssh.privkey = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuShEqU0Cdm7KCaMD5x1D6mgj+cr7qoqbzFJDKoBbbw";
};
nomic = {
cores = 2;
@@ -547,6 +577,7 @@ let
};
};
secure = true;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILn7C3LxAs9kUynENdRNgQs4qjrhNDfXzlHTpVJt6e09";
};
rmdir = rec {
cores = 1;
@@ -579,6 +610,7 @@ let
'';
};
};
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFGniQyABsMNSFTKAxJgxZlLrWfexUt+vhZ3p2hpBl4J";
};
wu = {
cores = 4;
@@ -604,6 +636,7 @@ let
};
};
secure = true;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa";
};
xu = {
cores = 4;
@@ -629,6 +662,7 @@ let
};
};
secure = true;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID554niVFWomJjuSuQoiCdMUYrCFPpPzQuaoXXYYDxlw";
};
};
users = addNames {
diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix
index dbffdf850..a7df92084 100644
--- a/krebs/4lib/types.nix
+++ b/krebs/4lib/types.nix
@@ -1,11 +1,12 @@
{ lib, ... }:
+with builtins;
with lib;
with types;
types // rec {
- host = submodule {
+ host = submodule ({ config, ... }: {
options = {
name = mkOption {
type = label;
@@ -46,8 +47,25 @@ types // rec {
TODO define minimum requirements for secure hosts
'';
};
+
+ ssh.pubkey = mkOption {
+ type = nullOr str;
+ default = null;
+ apply = x:
+ if x != null
+ then x
+ else trace "The option `krebs.hosts.${config.name}.ssh.pubkey' is unused." null;
+ };
+ ssh.privkey = mkOption {
+ type = either path str;
+ apply = x: {
+ path = toString x;
+ string = x;
+ }.${typeOf x};
+ };
+
};
- };
+ });
net = submodule ({ config, ... }: {
options = {
@@ -71,6 +89,18 @@ types // rec {
aliases = mkOption {
# TODO nonEmptyListOf hostname
type = listOf hostname;
+ default = [];
+ };
+ ssh = mkOption {
+ type = submodule {
+ options = {
+ port = mkOption {
+ type = nullOr int;
+ default = null;
+ };
+ };
+ };
+ default = {};
};
tinc = mkOption {
type = let net-config = config; in nullOr (submodule ({ config, ... }: {