diff options
author | lassulus <git@lassul.us> | 2023-06-21 16:01:33 +0200 |
---|---|---|
committer | lassulus <git@lassul.us> | 2023-06-21 16:01:33 +0200 |
commit | a0c4427c0baa94603fa10c1248944e7837e72642 (patch) | |
tree | caa4053366d62b683e6f6e746e9df0317de88c80 /krebs/3modules/ssh.nix | |
parent | c6593fdb393a585e631b9824e2bb3857ba2f90c6 (diff) | |
parent | fdc364520238a38883d28bbfa05ac966e792ed8b (diff) |
Merge remote-tracking branch 'ni/flakify'
Diffstat (limited to 'krebs/3modules/ssh.nix')
-rw-r--r-- | krebs/3modules/ssh.nix | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/krebs/3modules/ssh.nix b/krebs/3modules/ssh.nix new file mode 100644 index 000000000..58f3a3c10 --- /dev/null +++ b/krebs/3modules/ssh.nix @@ -0,0 +1,109 @@ +{ config, lib, ... }: +with lib; +let + cfg = config.krebs; + + out = { + options.krebs = api; + config = lib.mkIf cfg.enable imp; + }; + + api = { + zone-head-config = mkOption { + type = with types; attrsOf str; + description = '' + The zone configuration head which is being used to create the + zone files. The string for each key is pre-pended to the zone file. + ''; + # TODO: configure the default somewhere else, + # maybe use krebs.dns.providers + default = { + + # github.io -> 192.30.252.154 + "krebsco.de" = '' + $TTL 86400 + @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400) + IN NS ns19.ovh.net. + IN NS dns19.ovh.net. + ''; + }; + }; + }; + + imp = lib.mkMerge [ + { + services.openssh.hostKeys = + let inherit (config.krebs.build.host.ssh) privkey; in + mkIf (privkey != null) [privkey]; + + services.openssh.knownHosts = + filterAttrs + (knownHostName: knownHost: + knownHost.publicKey != null && + knownHost.hostNames != [] + ) + (mapAttrs + (hostName: host: { + hostNames = + concatLists + (mapAttrsToList + (netName: net: + let + aliases = + concatLists [ + shortAliases + net.aliases + net.addrs + ]; + shortAliases = + optionals + (cfg.dns.search-domain != null) + (map (removeSuffix ".${cfg.dns.search-domain}") + (filter (hasSuffix ".${cfg.dns.search-domain}") + net.aliases)); + addPort = alias: + if net.ssh.port != 22 + then "[${alias}]:${toString net.ssh.port}" + else alias; + in + map addPort aliases + ) + host.nets); + publicKey = host.ssh.pubkey; + }) + (foldl' mergeAttrs {} [ + cfg.hosts + { + localhost = { + nets.local = { + addrs = [ "127.0.0.1" "::1" ]; + aliases = [ "localhost" ]; + ssh.port = 22; + }; + ssh.pubkey = config.krebs.build.host.ssh.pubkey; + }; + } + ])); + + programs.ssh.extraConfig = concatMapStrings + (net: '' + Host ${toString (net.aliases ++ net.addrs)} + Port ${toString net.ssh.port} + '') + (filter + (net: net.ssh.port != 22) + (concatMap (host: attrValues host.nets) + (mapAttrsToList + (_: host: recursiveUpdate host + (optionalAttrs (cfg.dns.search-domain != null && + hasAttr cfg.dns.search-domain host.nets) { + nets."" = host.nets.${cfg.dns.search-domain} // { + aliases = [host.name]; + addrs = []; + }; + })) + config.krebs.hosts))); + } + ]; + +in out |