
My NixOS systems configurations.

ssh.nix (4811B)


      1 { config, lib, pkgs, ... }:
      2 
      3 let
      4   gpgRemoteForward = {
      5     bind.address = "/run/user/1000/gnupg/S.gpg-agent";
      6     host.address = "/run/user/1000/gnupg/S.gpg-agent.extra";
      7   };
      8   gpgSSHRemoteForward = {
      9     bind.address = "/run/user/1000/gnupg/S.gpg-agent.ssh";
     10     host.address = "/run/user/1000/gnupg/S.gpg-agent.ssh";
     11   };
     12 
     13   inherit (lib) optionalAttrs importTOML hasAttr attrsets mkIf;
     14   metadata = importTOML ../../../ops/hosts.toml;
     15 
     16   hasWireguard = name: value: hasAttr "wireguard" value;
     17   hasAddrs = name: value: hasAttr "addrs" value;
     18   hasSShAndRemoteForward = v: (hasAttr "ssh" v) && (hasAttr "gpgRemoteForward" v.ssh);
     19   hasCommand = v: hasAttr "command" v;
     20 
     21   hostWireguardIP = v: "${v.wireguard.addrs.v4}";
     22   hostIP = v: "${v.addrs.v4}";
     23   hostRemoteCommand = v: "${v.command}";
     24 
     25   hostToSSHConfigItem = value: ipfn: {
     26     hostname = ipfn value;
     27     remoteForwards = mkIf (hasSShAndRemoteForward value) [ gpgRemoteForward gpgSSHRemoteForward ];
     28     # FIXME: need support for RemoteCommand in home-manager
     29     # RemoteCommand = mkIf (hasCommand value) hostRemoteCommand value;
     30   };
     31   hostToSSHConfig = suffix: ipfn:
     32     name: value: attrsets.nameValuePair
     33       (toString "${name}${suffix}")
     34       (hostToSSHConfigItem value ipfn);
     35 
     36   vpnConfig = attrsets.mapAttrs'
     37     (hostToSSHConfig "\.vpn" hostWireguardIP)
     38     (attrsets.filterAttrs hasWireguard metadata.hosts);
     39   homeConfig = attrsets.mapAttrs'
     40     (hostToSSHConfig "\.home" hostIP)
     41     (attrsets.filterAttrs hasAddrs metadata.hosts);
     42 in
     43 {
     44   home.packages = [
     45     pkgs.openssh
     46   ];
     47   home.file.".ssh/sockets/.placeholder".text = '''';
     48   xdg.configFile."ssh/.placeholder".text = '''';
     49   programs.ssh = {
     50     enable = true;
     51 
     52     serverAliveInterval = 60;
     53     hashKnownHosts = true;
     54     userKnownHostsFile = "${config.xdg.configHome}/ssh/known_hosts";
     55     controlMaster = "auto";
     56     controlPersist = "10m";
     57     controlPath = "${config.home.homeDirectory}/.ssh/sockets/%u-%l-%r@%h:%p";
     58     matchBlocks = {
     59       "github.com" = {
     60         hostname = "github.com";
     61         user = "git";
     62         extraOptions = {
     63           controlMaster = "auto";
     64           controlPersist = "360";
     65         };
     66       };
     67       "gitlab.com" = {
     68         hostname = "gitlab.com";
     69         user = "git";
     70         extraOptions = {
     71           controlMaster = "auto";
     72           controlPersist = "360";
     73         };
     74       };
     75       "git.sr.ht" = {
     76         hostname = "git.sr.ht";
     77         user = "git";
     78         extraOptions = {
     79           controlMaster = "auto";
     80           controlPersist = "360";
     81         };
     82       };
     83       "*.redhat.com" = {
     84         user = "vdemeest";
     85       };
     86       "bootstrap.ospqa.com" = {
     87         forwardAgent = true;
     88       };
     89       "192.168.1.*" = {
     90         forwardAgent = true;
     91         extraOptions = {
     92           StrictHostKeyChecking = "no";
     93           UserKnownHostsFile = "/dev/null";
     94         };
     95       };
     96       "10.100.0.*" = {
     97         forwardAgent = true;
     98       };
     99     } // homeConfig // vpnConfig;
    100     extraConfig = ''
    101       GlobalKnownHostsFile ~/.config/ssh/ssh_known_hosts ~/.config/ssh/ssh_known_hosts.redhat ~/.config/ssh/ssh_known_hosts.mutable
    102       StrictHostKeyChecking yes
    103       PreferredAuthentications gssapi-with-mic,publickey,password
    104       GSSAPIAuthentication yes
    105       GSSAPIDelegateCredentials yes
    106       StreamLocalBindUnlink yes
    107       IdentityFile ~/.ssh/keys/%h
    108       IdentityFile ~/.ssh/id_ed25519
    109       IdentityFile ~/.ssh/id_rsa
    110     '';
    111   };
    112   # FIXME generate this file as well
    113   xdg.configFile."ssh/ssh_known_hosts".text = ''
    114     # Home
    115     wakasu.home,wakasu.vpn,10.100.0.8,192.168.1.77 wakasu.vpn ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINrAh07USjRnAdS3mMNGdKee1KumjYDLzgXaiZ5LYi2D
    116     aomi.home,aomi.vpn,10.100.0.17,192.168.1.23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQVlSrUKU0xlM9E+sJ8qgdgqCW6ePctEBD2Yf+OnyME
    117     sakhalin.home,sakhalin.vpn,10.100.0.16,192.168.1.70 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/PMBThi4DhgZR8VywbRDzzMVh2Qp3T6NJAcPubfXz6
    118     shikoku.home,shikoku.vpn,10.100.0.2,192.168.1.24 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH18c6kcorVbK2TwCgdewL6nQf29Cd5BVTeq8nRYUigm
    119     kerkouane.vpn,10.100.0.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJguVoQYObRLyNxELFc3ai2yDJ25+naiM3tKrBGuxwwA
    120     synodine.home,192.168.1.20 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDWdnPJg0Y4kd4lHPAGE4xgMAK2qvMg3oBxh0t+xO+7O
    121     demeter.home,192.168.1.182 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqQfEyHyjIGglayB9FtCqL7bnYfNSQlBXks2IuyCPmd
    122     athena.home,192.168.1.183 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/4KRP1rzOwyA2zP1Nf1WlLRHqAGutLtOHYWfH732xh
    123   '';
    124   xdg.configFile."ssh/ssh_known_hosts.redhat".text = ''
    125     # Red Hat
    126     gitlab.cee.redhat.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICBgflBIyju1LV/29PmFDw0GLdB9h0JUXglNrvWjBQ2u
    127     code.engineering.redhat.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINYZZXmzm14TUL02Qe5SCMw48OfrphoIzi4qXSEK9Hiq
    128   '';
    129 }