commit c8c04eb3777c0ed12ef37e65d0251b7d73d4079e
parent 99db9c884747bb7f00f245b13894741a2b9c67b4
Author: Vincent Demeester <vincent@sbr.pm>
Date: Sat, 20 Nov 2021 01:18:41 +0100
users/vincent: refactor ssh config to use hosts.toml
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Diffstat:
1 file changed, 35 insertions(+), 8 deletions(-)
diff --git a/users/vincent/core/ssh.nix b/users/vincent/core/ssh.nix
@@ -1,16 +1,43 @@
{ config, lib, pkgs, ... }:
-with lib;
let
- patchedOpenSSH = pkgs.openssh.override { withKerberos = true; withGssapiPatches = true; };
- secretPath = ../../../secrets/machines.nix;
- secretCondition = (builtins.pathExists secretPath);
- sshConfig = optionalAttrs secretCondition (import secretPath).sshConfig;
+ gpgRemoteForward = {
+ bind.address = "/run/user/1000/gnupg/S.gpg-agent";
+ host.address = "/run/user/1000/gnupg/S.gpg-agent.extra";
+ };
+ gpgSSHRemoteForward = {
+ bind.address = "/run/user/1000/gnupg/S.gpg-agent.ssh";
+ host.address = "/run/user/1000/gnupg/S.gpg-agent.ssh";
+ };
+
+ inherit (lib) optionalAttrs importTOML hasAttr attrsets mkIf;
+ metadata = importTOML ../../../ops/hosts.toml;
+
+ hasWireguard = name: value: hasAttr "wireguard" value;
+ hasAddrs = name: value: hasAttr "addrs" value;
+ hasSShAndRemoteForward = v: (hasAttr "ssh" v) && (hasAttr "gpgRemoteForward" v.ssh);
+
+ hostWireguardIP = v: "${v.wireguard.addrs.v4}";
+ hostIP = v: "${v.addrs.v4}";
+
+ hostToSSHConfigItem = value: ipfn: {
+ hostname = ipfn value;
+ remoteForwards = mkIf (hasSShAndRemoteForward value) [ gpgRemoteForward gpgSSHRemoteForward ];
+ };
+ hostToSSHConfig = suffix: ipfn:
+ name: value: attrsets.nameValuePair
+ (toString "${name}${suffix}")
+ (hostToSSHConfigItem value ipfn);
+
+ vpnConfig = attrsets.mapAttrs'
+ (hostToSSHConfig "\.vpn" hostWireguardIP)
+ (attrsets.filterAttrs hasWireguard metadata.hosts);
+ homeConfig = attrsets.mapAttrs'
+ (hostToSSHConfig "\.home" hostIP)
+ (attrsets.filterAttrs hasAddrs metadata.hosts);
in
{
home.packages = [
- # FIXME: doesn't seem to work on 20.09 for some reason :o)
- # patchedOpenSSH
pkgs.openssh
];
home.file.".ssh/sockets/.placeholder".text = '''';
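Review bot: `hasSShAndRemoteForward` (L32) tests only that the `ssh.gpgRemoteForward` key exists, so a host whose hosts.toml entry says `gpgRemoteForward = false` would still get both agent sockets forwarded to it, and a forwarded socket lets root on that host drive the local gpg-agent and ssh-agent; gate on the value instead, `hasSShAndRemoteForward = v: (v.ssh.gpgRemoteForward or false) == true;` (the TOML value type is not visible here, so confirm it is a boolean). A comment next to `gpgRemoteForward` should record that `host.address` is the local restricted `.extra` socket and `bind.address` the path on the remote, which must be unlinked or have `StreamLocalBindUnlink yes` in its sshd config for a reconnect's forward to succeed. The `/run/user/1000` prefix hard-codes the UID on both ends; OpenSSH expands `%i` to the local UID in RemoteForward, though only the local `host.address` side can use it. Minor style: `"\.vpn"` and `"\.home"` are just `".vpn"`/`".home"` in Nix, and the backslash wrongly suggests a regex.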
@@ -58,7 +85,7 @@ in
"10.100.0.*" = {
forwardAgent = true;
};
- } // sshConfig;
+ } // homeConfig // vpnConfig;
extraConfig = ''
PreferredAuthentications gssapi-with-mic,publickey,password
GSSAPIAuthentication yes
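Review bot: `} // homeConfig // vpnConfig` (L65) is a shallow right-biased merge, so a generated `<name>.home` or `<name>.vpn` entry silently replaces any hand-written match block with the same key in the literal set above it, and the generated block carries none of the manual one's settings (e.g. `forwardAgent` or identity options). If hosts.toml and the literal block can ever name the same host, an assertion on `lib.intersectLists (builtins.attrNames homeConfig) ...` or a `lib.recursiveUpdate` would make the overlap explicit; whether they overlap is not visible here. The `matchBlocks` set this line closes begins before this hunk.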