7 files changed, 35 insertions, 40 deletions

diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index edfbde9b..ea189470 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -138,6 +138,22 @@ let
         mkIf (privkey != null) (mkForce [privkey]);
 
       services.openssh.knownHosts =
+        # GitHub's IPv4 address range is 192.30.252.0/22
+        # Refs https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
+        # 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses)
+        # Because line length is limited by OPENSSH_LINE_MAX (= 8192),
+        # we split each /24 into its own entry.
+        listToAttrs (map
+          (c: {
+            name = "github${toString c}";
+            value = {
+              hostNames = ["github.com"] ++
+                map (d: "192.30.${toString c}.${toString d}") (range 0 255);
+              publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
+            };
+          })
+          (range 252 255))
+        //
         mapAttrs
           (name: host: {
             hostNames =
diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix
index f44fe3ad..2a1df9e0 100644
--- a/krebs/3modules/github-hosts-sync.nix
+++ b/krebs/3modules/github-hosts-sync.nix
@@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 
 with builtins;
-with lib;
+with import ../4lib { inherit lib; };
 let
   cfg = config.krebs.github-hosts-sync;
 
@@ -21,7 +21,7 @@ let
       default = "/var/lib/github-hosts-sync";
     };
     ssh-identity-file = mkOption {
-      type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519}
+      type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"];
       default = toString <secrets/github-hosts-sync.ssh.id_rsa>;
     };
   };
@@ -41,27 +41,11 @@ let
         ExecStartPre = pkgs.writeScript "github-hosts-sync-init" ''
           #! /bin/sh
           set -euf
-
-          ssh_identity_file_target=$(
-            case ${cfg.ssh-identity-file} in
-              *.ssh.id_rsa|*.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_rsa;;
-              *.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_ed25519;;
-              *)
-                echo "bad identity file name: ${cfg.ssh-identity-file}" >&2
-                exit 1
-            esac
-          )
-
-          mkdir -p ${cfg.dataDir}
-          chown ${user.name}: ${cfg.dataDir}
-
-          install \
-            -o ${user.name} \
-            -m 0400 \
+          install -m 0711 -o ${user.name} -d ${cfg.dataDir}
+          install -m 0700 -o ${user.name} -d ${cfg.dataDir}/.ssh
+          install -m 0400 -o ${user.name} \
             ${cfg.ssh-identity-file} \
-            "$ssh_identity_file_target"
-
-          ln -snf ${pkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts
+            ${cfg.dataDir}/.ssh/${fileExtension cfg.ssh-identity-file}
         '';
         ExecStart = "${pkgs.github-hosts-sync}/bin/github-hosts-sync";
       };
@@ -77,5 +61,8 @@ let
     name = "github-hosts-sync";
     uid = 3220554646; # genid github-hosts-sync
   };
-in
-out
+
+  # TODO move to lib?
+  fileExtension = s: last (splitString "." s);
+
+in out
diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix
index 039f803e..b3d2c8b7 100644
--- a/krebs/4lib/types.nix
+++ b/krebs/4lib/types.nix
@@ -147,6 +147,13 @@ types // rec {
     merge = mergeOneOption;
   };
 
+  suffixed-str = suffs:
+    mkOptionType {
+      name = "string suffixed by ${concatStringsSep ", " suffs}";
+      check = x: isString x && any (flip hasSuffix x) suffs;
+      merge = mergeOneOption;
+    };
+
   user = submodule {
     options = {
       mail = mkOption {
diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix
index 616992b9..c48c3dee 100644
--- a/krebs/5pkgs/default.nix
+++ b/krebs/5pkgs/default.nix
@@ -13,7 +13,6 @@ rec {
   genid = callPackage ./genid {};
   get = callPackage ./get {};
   github-hosts-sync = callPackage ./github-hosts-sync {};
-  github-known_hosts = callPackage ./github-known_hosts {};
   hashPassword = callPackage ./hashPassword {};
   jq = callPackage ./jq {};
   krebszones = callPackage ./krebszones {};
diff --git a/krebs/5pkgs/github-hosts-sync/default.nix b/krebs/5pkgs/github-hosts-sync/default.nix
index d69b2b12..b9dcfa9b 100644
--- a/krebs/5pkgs/github-hosts-sync/default.nix
+++ b/krebs/5pkgs/github-hosts-sync/default.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation {
 
   installPhase =
     let
-      ca-bundle = "${pkgs.cacert}/etc/ca-bundle.crt";
+      ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
       path = stdenv.lib.makeSearchPath "bin" (with pkgs; [
         coreutils
         findutils
diff --git a/krebs/5pkgs/github-known_hosts/default.nix b/krebs/5pkgs/github-known_hosts/default.nix
deleted file mode 100644
index fe5efe41..00000000
--- a/krebs/5pkgs/github-known_hosts/default.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ lib, ... }:
-
-with builtins;
-with lib;
-
-let
-  github-pubkey = removeSuffix "\n" (readFile ./github.ssh.pub);
-in
-
-toFile "github-known_hosts"
-  (concatMapStrings
-    (i: "github.com,192.30.252.${toString i} ${github-pubkey}\n")
-    (range 0 255))
diff --git a/krebs/5pkgs/github-known_hosts/github.ssh.pub b/krebs/5pkgs/github-known_hosts/github.ssh.pub
deleted file mode 100644
index 90f6e2b7..00000000
--- a/krebs/5pkgs/github-known_hosts/github.ssh.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==