
My NixOS systems configurations.

commit c8c04eb3777c0ed12ef37e65d0251b7d73d4079e
parent 99db9c884747bb7f00f245b13894741a2b9c67b4
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Sat, 20 Nov 2021 01:18:41 +0100

users/vincent: refactor ssh config to use hosts.toml

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
Musers/vincent/core/ssh.nix | 43+++++++++++++++++++++++++++++++++++--------
1 file changed, 35 insertions(+), 8 deletions(-)

diff --git a/users/vincent/core/ssh.nix b/users/vincent/core/ssh.nix
@@ -1,16 +1,43 @@
 { config, lib, pkgs, ... }:
-with lib;
 let
- patchedOpenSSH = pkgs.openssh.override { withKerberos = true; withGssapiPatches = true; };
- secretPath = ../../../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
- sshConfig = optionalAttrs secretCondition (import secretPath).sshConfig;
+ gpgRemoteForward = {
+ bind.address = "/run/user/1000/gnupg/S.gpg-agent";
+ host.address = "/run/user/1000/gnupg/S.gpg-agent.extra";
+ };
+ gpgSSHRemoteForward = {
+ bind.address = "/run/user/1000/gnupg/S.gpg-agent.ssh";
+ host.address = "/run/user/1000/gnupg/S.gpg-agent.ssh";
+ };
+
+ inherit (lib) optionalAttrs importTOML hasAttr attrsets mkIf;
+ metadata = importTOML ../../../ops/hosts.toml;
+
+ hasWireguard = name: value: hasAttr "wireguard" value;
+ hasAddrs = name: value: hasAttr "addrs" value;
+ hasSShAndRemoteForward = v: (hasAttr "ssh" v) && (hasAttr "gpgRemoteForward" v.ssh);
+
+ hostWireguardIP = v: "${v.wireguard.addrs.v4}";
+ hostIP = v: "${v.addrs.v4}";
+
+ hostToSSHConfigItem = value: ipfn: {
+ hostname = ipfn value;
+ remoteForwards = mkIf (hasSShAndRemoteForward value) [ gpgRemoteForward gpgSSHRemoteForward ];
+ };
+ hostToSSHConfig = suffix: ipfn:
+ name: value: attrsets.nameValuePair
+ (toString "${name}${suffix}")
+ (hostToSSHConfigItem value ipfn);
+
+ vpnConfig = attrsets.mapAttrs'
+ (hostToSSHConfig "\.vpn" hostWireguardIP)
+ (attrsets.filterAttrs hasWireguard metadata.hosts);
+ homeConfig = attrsets.mapAttrs'
+ (hostToSSHConfig "\.home" hostIP)
+ (attrsets.filterAttrs hasAddrs metadata.hosts);
 in
 {
 home.packages = [
- # FIXME: doesn't seem to work on 20.09 for some reason :o)
- # patchedOpenSSH
 pkgs.openssh
 ];
 home.file.".ssh/sockets/.placeholder".text = '''';
 
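Review bot: `hasSShAndRemoteForward` only tests for the presence of the `gpgRemoteForward` key, so a host entry in hosts.toml that sets `gpgRemoteForward = false` still gets both agent sockets forwarded; read the value instead, `hasSShAndRemoteForward = v: (hasAttr "ssh" v) && (v.ssh.gpgRemoteForward or false);`. That matters because the forward hands the local gpg-agent (through the restricted `.extra` socket) and the full ssh-agent socket to anything running as uid 1000 or root on the remote host, so it should be a deliberate per-host opt-in; a comment above `gpgRemoteForward` such as `# Forwarding gives the remote host signing/decryption and ssh-agent access; enable it per host only.` would make that visible. The `"\.vpn"` and `"\.home"` suffixes appear to rely on Nix dropping the backslash in an unrecognised escape; `".vpn"` and `".home"` say what is meant. Both socket paths also hard-code uid 1000 on both ends, which is presumably true for these machines but deserves a note next to the definitions. The attribute set opened by `in {` continues past the end of the hunk.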
@@ -58,7 +85,7 @@ in
 "10.100.0.*" = {
 forwardAgent = true;
 };
- } // sshConfig;
+ } // homeConfig // vpnConfig;
 extraConfig = ''
 PreferredAuthentications gssapi-with-mic,publickey,password
 GSSAPIAuthentication yes