authortv <tv@krebsco.de>2022-07-15 10:27:30 +0200
committertv <tv@krebsco.de>2022-09-14 21:35:30 +0200
commitfaf453da0b479551304123f154ac2c84f995e745 (patch)
tree2f330f05f0bbae34eeef6112fb2a67b5181e58df
parent9b37b535f43f361a7f57a5aebf89c139d33de01e (diff)
openssh known hosts: ignore hosts without aliases
-rw-r--r--krebs/3modules/default.nix81
1 files changed, 47 insertions, 34 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 8ea727dc7..7f0070483 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -138,41 +138,54 @@ let
let inherit (config.krebs.build.host.ssh) privkey; in
mkIf (privkey != null) [privkey];
- # TODO use imports for merging
services.openssh.knownHosts =
- (let inherit (config.krebs.build.host.ssh) pubkey; in
- optionalAttrs (pubkey != null) {
- localhost = {
- hostNames = ["localhost" "127.0.0.1" "::1"];
- publicKey = pubkey;
- };
- })
- //
- mapAttrs
- (name: host: {
- hostNames =
- concatLists
- (mapAttrsToList
- (net-name: net:
- let
- longs = net.aliases;
- shorts =
- optionals
- (cfg.dns.search-domain != null)
- (map (removeSuffix ".${cfg.dns.search-domain}")
- (filter (hasSuffix ".${cfg.dns.search-domain}")
- longs));
- add-port = a:
- if net.ssh.port != 22
- then "[${a}]:${toString net.ssh.port}"
- else a;
- in
- map add-port (shorts ++ longs ++ net.addrs))
- host.nets);
-
- publicKey = host.ssh.pubkey;
- })
- (filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts);
+ filterAttrs
+ (knownHostName: knownHost:
+ knownHost.publicKey != null &&
+ knownHost.hostNames != []
+ )
+ (mapAttrs
+ (hostName: host: {
+ hostNames =
+ concatLists
+ (mapAttrsToList
+ (netName: net:
+ let
+ aliases =
+ concatLists [
+ shortAliases
+ net.aliases
+ net.addrs
+ ];
+ shortAliases =
+ optionals
+ (cfg.dns.search-domain != null)
+ (map (removeSuffix ".${cfg.dns.search-domain}")
+ (filter (hasSuffix ".${cfg.dns.search-domain}")
+ net.aliases));
+ addPort = alias:
+ if net.ssh.port != 22
+ then "[${alias}]:${toString net.ssh.port}"
+ else alias;
+ in
+ map addPort aliases
+ )
+ host.nets);
+ publicKey = host.ssh.pubkey;
+ })
+ (foldl' mergeAttrs {} [
+ cfg.hosts
+ {
+ localhost = {
+ nets.local = {
+ addrs = [ "127.0.0.1" "::1" ];
+ aliases = [ "localhost" ];
+ ssh.port = 22;
+ };
+ ssh.pubkey = config.krebs.build.host.ssh.pubkey;
+ };
+ }
+ ]));
programs.ssh.extraConfig = concatMapStrings
(net: ''