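# home-manager module: the user's OpenSSH client configuration.
#
# Match blocks for the lab/home hosts are derived from the shared ops host
# inventory (hosts.toml); the git forges and a few static networks are
# configured by hand; pinned host keys for the home and Red Hat hosts are
# shipped as extra GlobalKnownHostsFile entries.
{ config, lib, pkgs, ... }:

let
  inherit (lib) importTOML hasAttr attrsets mkIf;

  # Host inventory shared with the ops tooling.  An entry may carry
  # `addrs.v4`, `wireguard.addrs.v4`, `ssh.gpgRemoteForward` and `command`.
  metadata = importTOML ../../../ops/hosts.toml;

  # gpg-agent forwarding over Unix-domain sockets.  `bind` is the socket
  # created on the remote host, `host` is the local socket it is connected to.
  # The uid in the path (1000) is assumed to be the same on both ends --
  # TODO confirm for every host that opts in.
  gpgAgentSocketDir = "/run/user/1000/gnupg";
  gpgRemoteForward = {
    bind.address = "${gpgAgentSocketDir}/S.gpg-agent";
    # The local side is gpg-agent's restricted "extra" socket, the one meant
    # for forwarding to other machines.
    host.address = "${gpgAgentSocketDir}/S.gpg-agent.extra";
  };
  gpgSSHRemoteForward = {
    bind.address = "${gpgAgentSocketDir}/S.gpg-agent.ssh";
    host.address = "${gpgAgentSocketDir}/S.gpg-agent.ssh";
  };

  # Predicates over one inventory entry (`filterAttrs` passes name and value).
  hasWireguard = _name: value: hasAttr "wireguard" value;
  hasAddrs = _name: value: hasAttr "addrs" value;
  hasSSHAndRemoteForward = v: hasAttr "ssh" v && hasAttr "gpgRemoteForward" v.ssh;
  hasCommand = v: hasAttr "command" v;

  # Address selectors: which of a host's addresses becomes the HostName.
  hostWireguardIP = v: v.wireguard.addrs.v4;
  hostIP = v: v.addrs.v4;
  hostRemoteCommand = v: v.command;

  # Build one `programs.ssh.matchBlocks` value for an inventory entry.
  hostToSSHConfigItem = value: ipfn: {
    hostname = ipfn value;
    # Only hosts that opt in via `ssh.gpgRemoteForward` get the agent sockets
    # forwarded: the remote end can then use every key the local agent holds.
    remoteForwards = mkIf (hasSSHAndRemoteForward value) [ gpgRemoteForward gpgSSHRemoteForward ];
    # FIXME: need support for RemoteCommand in home-manager
    # RemoteCommand = mkIf (hasCommand value) (hostRemoteCommand value);
  };

  # Map a `<name> = <entry>` inventory pair to the `"<name><suffix>"` match
  # block, in the shape `attrsets.mapAttrs'` expects.
  hostToSSHConfig = suffix: ipfn: name: value:
    attrsets.nameValuePair "${name}${suffix}" (hostToSSHConfigItem value ipfn);

  # Hosts on the WireGuard mesh are reachable as `<name>.vpn` ...
  vpnConfig = attrsets.mapAttrs'
    (hostToSSHConfig ".vpn" hostWireguardIP)
    (attrsets.filterAttrs hasWireguard metadata.hosts);
  # ... and hosts with a LAN address as `<name>.home`.
  homeConfig = attrsets.mapAttrs'
    (hostToSSHConfig ".home" hostIP)
    (attrsets.filterAttrs hasAddrs metadata.hosts);

  # Shared settings for the git forges: a long-lived control master keeps
  # repeated fetches/pushes on one authenticated connection.
  gitForge = host: {
    hostname = host;
    user = "git";
    extraOptions = {
      controlMaster = "auto";
      controlPersist = "360";
    };
  };
in
{
  home.packages = [
    pkgs.openssh
  ];
  # Make sure the sockets and config directories exist before ssh needs them.
  home.file.".ssh/sockets/.placeholder".text = '''';
  xdg.configFile."ssh/.placeholder".text = '''';
  programs.ssh = {
    enable = true;

    serverAliveInterval = 60;
    hashKnownHosts = true;
    userKnownHostsFile = "${config.xdg.configHome}/ssh/known_hosts";
    controlMaster = "auto";
    controlPersist = "10m";
    # NOTE(review): the socket name embeds user, host and port in clear and can
    # exceed the Unix socket path limit on long host names; `%C` (a hash of
    # those parameters) avoids both -- consider switching.
    controlPath = "${config.home.homeDirectory}/.ssh/sockets/%u-%l-%r@%h:%p";
    # Later operands of `//` win, so an inventory host named like one of the
    # literal keys below would replace that block.
    matchBlocks = {
      "github.com" = gitForge "github.com";
      "gitlab.com" = gitForge "gitlab.com";
      "git.sr.ht" = gitForge "git.sr.ht";
      "*.redhat.com" = {
        user = "vdemeest";
      };
      "bootstrap.ospqa.com" = {
        forwardAgent = true;
      };
      # NOTE(review): this block forwards the agent *and* disables host-key
      # verification, so anything on the LAN that answers for a 192.168.1.x
      # address gets the session and can use the forwarded agent.  The home
      # hosts already have pinned keys in ssh_known_hosts below; consider
      # dropping the two extraOptions, or at least `StrictHostKeyChecking =
      # "accept-new"` so a changed key is still refused.
      "192.168.1.*" = {
        forwardAgent = true;
        extraOptions = {
          StrictHostKeyChecking = "no";
          UserKnownHostsFile = "/dev/null";
        };
      };
      "10.100.0.*" = {
        forwardAgent = true;
      };
    } // homeConfig // vpnConfig;
    # Global defaults (first obtained value wins in ssh_config, so the match
    # blocks above take precedence).
    # NOTE(review): `GSSAPIDelegateCredentials yes` hands a forwardable copy of
    # the Kerberos credentials to every host logged into, not just the Red Hat
    # ones -- consider scoping it to `*.redhat.com`.
    # NOTE(review): for RemoteForward of a Unix socket the stale-socket unlink
    # is done by the remote sshd, so the target hosts also need
    # `StreamLocalBindUnlink yes` in their sshd_config -- confirm.
    extraConfig = ''
      GlobalKnownHostsFile ~/.config/ssh/ssh_known_hosts ~/.config/ssh/ssh_known_hosts.redhat ~/.config/ssh/ssh_known_hosts.mutable
      StrictHostKeyChecking yes
      PreferredAuthentications gssapi-with-mic,publickey,password
      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials yes
      StreamLocalBindUnlink yes
      IdentityFile ~/.ssh/keys/%h
      IdentityFile ~/.ssh/id_ed25519
      IdentityFile ~/.ssh/id_rsa
    '';
  };
  # FIXME generate this file as well (the names and addresses duplicate hosts.toml)
  # Each line is `hostnames keytype key`.  The wakasu entry used to carry a
  # second `wakasu.vpn` token in the key-type position, which makes OpenSSH
  # reject the whole line and leave that host unpinned.
  xdg.configFile."ssh/ssh_known_hosts".text = ''
    # Home
    wakasu.home,wakasu.vpn,10.100.0.8,192.168.1.77 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINrAh07USjRnAdS3mMNGdKee1KumjYDLzgXaiZ5LYi2D
    aomi.home,aomi.vpn,10.100.0.17,192.168.1.23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQVlSrUKU0xlM9E+sJ8qgdgqCW6ePctEBD2Yf+OnyME
    sakhalin.home,sakhalin.vpn,10.100.0.16,192.168.1.70 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/PMBThi4DhgZR8VywbRDzzMVh2Qp3T6NJAcPubfXz6
    shikoku.home,shikoku.vpn,10.100.0.2,192.168.1.24 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH18c6kcorVbK2TwCgdewL6nQf29Cd5BVTeq8nRYUigm
    kerkouane.vpn,10.100.0.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJguVoQYObRLyNxELFc3ai2yDJ25+naiM3tKrBGuxwwA
    synodine.home,192.168.1.20 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDWdnPJg0Y4kd4lHPAGE4xgMAK2qvMg3oBxh0t+xO+7O
    demeter.home,192.168.1.182 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqQfEyHyjIGglayB9FtCqL7bnYfNSQlBXks2IuyCPmd
    athena.home,192.168.1.183 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/4KRP1rzOwyA2zP1Nf1WlLRHqAGutLtOHYWfH732xh
  '';
  xdg.configFile."ssh/ssh_known_hosts.redhat".text = ''
    # Red Hat
    gitlab.cee.redhat.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICBgflBIyju1LV/29PmFDw0GLdB9h0JUXglNrvWjBQ2u
    code.engineering.redhat.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINYZZXmzm14TUL02Qe5SCMw48OfrphoIzi4qXSEK9Hiq
  '';
}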